We’ve got a computer that has an expired certificate and the besclient.exe -update-certificate command isn’t working. Are the results of that command logged anywhere? Or is there a “verbose” mode?
(The local IT has already uninstalled and re-installed the Agent, so there will be no troubleshooting this one.)
Were the clients disconnected/offline for a long period and did not renew their certs?
Were they deleted from the console and/or audit trail cleaner run?
Were their certificates revoked from the console?
Most likely the first one… offline for a long time (or, at least, during the certificate update window). We took no console actions against the device.
Hello @straffin, was the computer with the expired certificate connected to an Authenticating Relay? If so, the procedure to follow to update the certificate is documented at the following link: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_client_certificate.html#c_client_certificate__section_mzf_2x2_vtb. If you followed the documented procedure and it didn’t work, then this would need to be further investigated by HCL Support, so next time I would suggest to open a support case. In general, useful debug info for that kind of issue can also be obtained on Relay side by enabling related verbose logging before running the command.
Hello @MatthiasW, for computers with revoked certificates the fact that they get a new ID is expected, while this is not expected when updating an expired certificate.
This has hit our environment as well within the past few months. Not sure exactly how many clients but at least 40 and seems to be growing. We are working on automated workarounds but not ideal since there are some manual steps to target affected machines.
Pretty certain it’s due to clients being offline during the cert renewal window before expiration. Confirmed that case with two of our users who didn’t power up for ~6 months and in that time frame, the cert renewal window had passed. The client log started showing “Client authentication setup failed: current client certificate is expired. A manual certificate update is required for the client to properly work.” and running the command on the machine to update the cert worked.
We have a lot of machines that are sometimes offline for months at a time - it’s just the nature of our environment unfortunately.
By executing a database query (provided by HCL), you can verify devices that have not been reporting for an extended period of time but whose certificates are still in the database and are the root of the issue. We had experienced a similar problem previously.
Basically, there are two approaches.
1. Top down - You can identify and delete these certificates from the database. Additionally, make sure that BESAudit cleaner has “Remove Deleted Certificates” enabled. Before taking any unclear action, you should open a case, as @JasonWalker advised.
2. Bottom up - Before reaching out to HCL, I was able to resolve our clients’ cert issue with the steps below.
A. Stop BESClient Service
B. Remove Computer ID
C. Reset Reg count to 0
D. delete keystorage folder
E. Start BESClient service
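The five manual steps above, scripted as an added example (this is not code from the post or from HCL) for a 64-bit Windows client. It first checks the current client log for the “current client certificate is expired” message quoted earlier in the thread so that only affected machines are reset, and it records the old ComputerID and moves the key folder aside instead of deleting it, so the change can be undone. The registry key and value names, the install directory, the log folder and the KeyStorage location are assumptions and must be verified against your own build before use:

```powershell
<#
  Reset a BigFix client's identity so it re-registers and obtains a fresh certificate.
  Added example, not from the thread or from HCL. Run in an elevated PowerShell.
  ASSUMED locations (verify on your build):
    registry key : HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\GlobalOptions
    value names  : ComputerID, RegCount
    install dir  : C:\Program Files (x86)\BigFix Enterprise\BES Client
    client logs  : <install dir>\__BESData\__Global\Logs\*.log
    key folder   : <install dir>\KeyStorage
#>
param(
    [string]$ClientDir   = 'C:\Program Files (x86)\BigFix Enterprise\BES Client',
    [string]$GlobalOpts  = 'HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\GlobalOptions',
    [string]$ServiceName = 'BESClient',
    [switch]$Force   # skip the log check and reset unconditionally
)

$ErrorActionPreference = 'Stop'
$logDir     = Join-Path $ClientDir '__BESData\__Global\Logs'
$keyStorage = Join-Path $ClientDir 'KeyStorage'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

# 0. Targeting: only reset clients whose newest log shows the expired-certificate
#    message quoted in the thread, unless -Force is given.
$expiredMsg = 'current client certificate is expired'
$latestLog  = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
$hit = $null
if ($latestLog) {
    $hit = Select-String -Path $latestLog.FullName -Pattern $expiredMsg -SimpleMatch |
           Select-Object -Last 1
}
if (-not $hit -and -not $Force) {
    Write-Host "No '$expiredMsg' entry found in the newest client log; nothing to do (use -Force to override)."
    return
}
if ($hit) { Write-Host "Symptom found: $($hit.Line.Trim())" }

# A. Stop the client so it cannot rewrite the values cleared below.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Record the old identity first; the old ComputerID is what you will need to
# find and clean up the stale record in the console afterwards.
$old    = Get-ItemProperty -Path $GlobalOpts
$backup = Join-Path $env:ProgramData "besclient-reset-$stamp.txt"
"ComputerID=$($old.ComputerID)`r`nRegCount=$($old.RegCount)" | Set-Content -Path $backup
Write-Host "Old ComputerID '$($old.ComputerID)' saved to $backup"

# B. Remove the Computer ID.
if ($null -ne $old.ComputerID) {
    Remove-ItemProperty -Path $GlobalOpts -Name 'ComputerID'
}

# C. Reset the registration count to 0 (created if it does not exist).
Set-ItemProperty -Path $GlobalOpts -Name 'RegCount' -Value 0 -Type DWord

# D. Move the key storage folder aside instead of deleting it outright.
if (Test-Path $keyStorage) {
    Rename-Item -Path $keyStorage -NewName "KeyStorage.$stamp.bak"
    Write-Host "Moved $keyStorage to KeyStorage.$stamp.bak"
}

# E. Start the client; it registers as a new computer and requests a new certificate.
Start-Service -Name $ServiceName
Write-Host "$ServiceName restarted; watch $logDir for the new registration."
```

Because the ComputerID is removed, the client comes back under a new ID, so the old computer record has to be removed from the console separately; the later posts in this thread explain why the old certificate must also be purged (the “Remove Deleted Certificates” option) before a returning client with fresh credentials is accepted. Keep the backup file and the renamed KeyStorage folder until the new registration is confirmed.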
Opened a ticket with support and got mostly to the bottom of it. It’s tied into client certificates expiring and devices not being powered on in time to renew during the renewal window, devices not connecting to VPN for long enough, and some configurations in our BigFix environment that we are reviewing to adjust to improve resiliency.
May I ask - what does the “Remove Deleted Certificates” option do? In our BES Audit Trail cleaner, that’s one of the few boxes that we don’t have checked off, and that was mainly because when we originally set the options, the documentation was sparse and we never returned to it. Now is probably a good time to revisit.
Documentation just says
“Remove deleted certificates - The old certificates that were deleted.”
The “Remove Deleted Certificates” option covers the cases where you right-click on any machine and choose “Revoke Certificate,” manually remove the client certificate using a database query, or remove devices from the console but leave their client certificate in the database.
If your old client returns with fresh credentials, BigFix won’t let it in if the older certificate is still in the database, which could lead to problems. Therefore, it needs to be selected in the BESAdmin tool.