Client on BES Root server can't connect after upgrade to 10.0.8

I upgraded from 10.0.7 to 10.0.8 earlier today, and ever since the BES Client on the BES Root server itself isn’t able to connect to the local relay that runs on that server. It tries to connect with SSL but fails and falls back to HTTP.

The log shows:
RegisterOnce: Attempting secure registration with 'https://127.0.0.1:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.8.37&...'
RegisterOnce: Relay does not support secure registration.
RegisterOnce: Registration backing off from SSL, attempting in clear text
Unrestricted mode
Configuring listener without wake-on-lan
Registered with url 'http://127.0.0.1:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.8.37&Body=...'
Registration Server version 10.0.8.37 , Relay version 10.0.8.37
Relay does not require authentication.
Client has an AuthenticationCertificate

I read something about the minimum relay level and requiring an SSL connection so I changed it to 9.5.6, afterwards the log shows this:
The BES Client log shows:
RegisterOnce: Relay does not support secure registration.
RegisterOnce: Current deployment 'x-bes-minimum-supported-relay-level' masthead setting does not allow clear text registration.

Now it looks like I’m stuck with the minimum being 9.5.6, I tried setting it to 0.0.0 but it didn’t seem to make a difference. And the client doesn’t connect at all, it’s stuck in a loop trying to connect, failing, trying again and again.

Prior to upgrading, it would connect without a problem:
Registration Server version 10.0.7.52 , Relay version 10.0.7.52
Relay does not require authentication.
Client has an AuthenticationCertificate

REST API scripts that run on the BES Root server aren’t able to connect, either.
The REST API scripts (written in VBScript) report:
A certificate is required to complete client authentication

I had a look at the top-level relays, they are able to connect to the BES Root with SSL. It’s just the BES Root server connecting to itself that’s having this problem.

{Edit}
I should add that I also have the issue with Web Reports prompting to select a certificate, I’m sure all of these issues are related somehow.
{/Edit}

Any ideas what could be going on here? What to check?
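
An added example, not part of the original post and not BigFix tooling: a small classifier that reads BES Client log lines and reports whether each registration attempt was downgraded from HTTPS to clear text or blocked by the masthead setting. The message strings come from the excerpts quoted above; the sample input is constructed from them, and labelling an `https` "Registered with url" line as secure is an assumption, since only the `http` form appears in the thread.

```python
import re

# Message fragments copied from the BES Client log excerpts quoted in this thread.
ATTEMPT = "Attempting secure registration"
NO_TLS = "Relay does not support secure registration"
FALLBACK = "Registration backing off from SSL, attempting in clear text"
BLOCKED = "masthead setting does not allow clear text registration"
# Only the http form appears in the thread; treating https as "secure" is an assumption.
REGISTERED = re.compile(r"Registered with url '(https?)://([^/']+)")

# Constructed sample: the thread's two excerpts joined, URLs shortened.
SAMPLE = """\
RegisterOnce: Attempting secure registration with 'https://127.0.0.1:52311/cgi-bin/bfenterprise/clientregister.exe?...'
RegisterOnce: Relay does not support secure registration.
RegisterOnce: Registration backing off from SSL, attempting in clear text
Unrestricted mode
Registered with url 'http://127.0.0.1:52311/cgi-bin/bfenterprise/clientregister.exe?...'
RegisterOnce: Relay does not support secure registration.
RegisterOnce: Current deployment 'x-bes-minimum-supported-relay-level' masthead setting does not allow clear text registration.
""".splitlines()


def classify_registrations(lines):
    """Group log lines into registration attempts and label each outcome."""
    attempts, cur = [], None
    for line in lines:
        reg = REGISTERED.search(line)
        marker = bool(reg) or any(m in line for m in (NO_TLS, FALLBACK, BLOCKED))
        # Excerpts may start mid-attempt, so a marker after a finished attempt opens a new one.
        if ATTEMPT in line or (marker and (cur is None or cur["outcome"] != "incomplete")):
            cur = {"tls_refused": False, "fell_back": False,
                   "outcome": "incomplete", "relay": None}
            attempts.append(cur)
        if cur is None:
            continue
        if NO_TLS in line:
            cur["tls_refused"] = True
        elif FALLBACK in line:
            cur["fell_back"] = True
        elif BLOCKED in line:
            cur["outcome"] = "blocked-by-masthead"
        elif reg:
            cur["relay"] = reg.group(2)
            cur["outcome"] = "secure" if reg.group(1) == "https" else "cleartext"
    return attempts


def cleartext_downgrades(attempts):
    """Attempts that ended up registered over HTTP after TLS was refused."""
    return [a for a in attempts if a["outcome"] == "cleartext" and a["tls_refused"]]
```

Because matching is by substring, the timestamp prefixes and indentation of a real client log do not need to be stripped first.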

Please look into the following thread - BigFix 10.0.8 | Upgraded from 10.0.5 - with Internal CA SSL Certificate - The BigFix Client on the Root Server showing the following error: Error " RegisterOnce: Relay does not support secure registration."


I saw that article earlier today and used it to get the BES Client on the root server to register and communicate. However, it doesn’t fix the issue with the REST API scripts or the Web Reports server.

I have a ticket open with support for all of these issues, I’m told that a hotfix is coming.

I found a temporary workaround, I created a self-signed user certificate and installed it in the Personal store for each account that runs REST API scripts but didn’t already have a user certificate. That allowed the script to execute.

This means that BigFix is asking the client for a certificate during the initial connection but doesn’t authenticate it. Kind of silly, IMHO.

About the REST API and Web Reports - Can you please elaborate what steps you took to reproduce the issue?

I want to test it on my Test Server, I’ve just applied the following steps:

In order to continue to use the HTTPS customization for RESTAPI you can implement the following workaround:

On the BigFix server run the following steps:

  • temporarily set the _BESRelay_HTTPServer_UseSSLFlag client setting value to ‘0’ to disable HTTPS customization for RESTAPI
  • restart the BigFix server
  • run the command: “BESAdmin.exe /minimumSupportedRelay=0.0.0”
  • verify that every affected client takes the new masthead (local client and client directly reporting to the BF server)
  • restore the _BESRelay_HTTPServer_UseSSLFlag client setting value to ‘1’ to enable HTTPS customisation for RESTAPI
  • restart the BigFix server

After that on my side -

  • The Certificate I’m using was issued by Company’s CA, not self signed
  • I can use Web Reports with HTTPS certificate through the Browser
  • I can use REST API through the Browser

I have a number of VBscript scripts that connect to the REST API. The connection is pretty simple:

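' Credentials of the REST API account
restUsername = "RESTAPI"
restPassword = "password"

Set restReq = CreateObject("MSXML2.ServerXMLHTTP")

' Relevance query sent to the REST API over HTTPS
restURL = "https://bigfix:52311/api/query?relevance=(ids of it, names of it) of bes computers"
' Third argument false = synchronous request; credentials are passed to open
restReq.open "GET", restURL, false, restUsername, restPassword
restReq.send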

The account I was running this with initially did NOT have a user certificate in the store, the script would error out with this message: “msxml3.dll: A certificate is required to complete client authentication”

It didn’t make a difference if _BESRelay_HTTPServer_UseSSLFlag was set to 0 or 1, or if _BESRelay_HTTPServer_SSLPrivateKeyFilePath and _BESRelay_HTTPServer_SSLCertificateFilePath were defined or not. BigFix was still expecting the client to present a certificate during the connection process.

The self-signed certificate I created has a random name on it that has no relation to the BigFix server or even the account being used to run the script. BigFix seems to accept ANY certificate, trusted, valid or not.

Yes, I’m seeing that as well. To be clear, I don’t think it’s intended that we ask for a client/user auth certificate here, it’s probably a side-effect of upgrading a library in 10.0.8.

Thanks, I’ll check on my side this option through PowerShell - Invoke-WebRequest and post results

I spent some time searching this morning, and haven’t found a way to ignore the client certificate request with MSXML2.ServerXMLHTTP.

I did find how to send a default certificate, but you have to have the certificate in your personal store. It shouldn’t matter what certificate you send though, since the server ignores it anyway.

My Python-based REST queries using the ‘requests’ library still work seamlessly, without a client certificate. That may not be helpful, I know, but I did want to let you know that if you’re considering porting your REST client to a different language or connection library, there are others that will work, until we provide a server-side workaround.

The https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102676 has been opened for the certificate issue.
The https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102545 has been opened for the client registration issue.
The Platform team is developing a plan to help customers that already upgraded to 10.0.8 as well as those that are planning to do that. We’ll provide some updates shortly.

The hotfix mentioned in this post corrected these problems for us.

BigFix 10.0.9 has been released, that addresses this issue.
