Expired client cert, besclient.exe -update-certificate not working

We’ve got a computer that has an expired certificate and the besclient.exe -update-certificate command isn’t working. Are the results of that command logged anywhere? Or is there a “verbose” mode?

(The local IT has already uninstalled and re-installed the Agent, so there will be no troubleshooting this one.)

Indeed we have a similar issue on a very limited number of clients. We are still in analysis with Support.


We have now followed the procedure https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Console/Re-registeringRevokedClient.html#Re-registeringRevokedClient.
One issue with this procedure is that the client gets a new id which is a fact I do not really like.

To get more verbose information, I assume setting client debug logging could be helpful.


Interested in how this is happening.

Were the clients disconnected/offline for a long period and did not renew their certs?
Were they deleted from the console and/or audit trail cleaner run?
Were their certificates revoked from the console?

Most likely the first one… offline for a long time (or, at least, during the certificate update window). We took no console actions against the device.

Hello @straffin, was the computer with the expired certificate connected to an Authenticating Relay? If so, the procedure to follow to update the certificate is documented at the following link: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_client_certificate.html#c_client_certificate__section_mzf_2x2_vtb. If you followed the documented procedure and it didn’t work, then this would need to be further investigated by HCL Support, so next time I would suggest opening a support case. In general, useful debug info for that kind of issue can also be obtained on the Relay side by enabling the related verbose logging before running the command.


Hello @MatthiasW, for computers with revoked certificates the fact that they get a new ID is expected, while this is not expected when updating an expired certificate.

This has hit our environment as well within the past few months. Not sure exactly how many clients but at least 40 and seems to be growing. We are working on automated workarounds but not ideal since there are some manual steps to target affected machines.

Please do open a support case so the team can work with you on finding a root cause…


Pretty certain it’s due to clients being offline during the cert renewal window before expiration. Confirmed that case with two of our users who didn’t power up for ~6 months and in that time frame, the cert renewal window had passed. The client log started showing "Client authentication setup failed: current client certificate is expired. A manual certificate update is required for the client to properly work." and running the command on the machine to update the cert worked.

We have a lot of machines that are sometimes offline for months at a time - it’s just the nature of our environment unfortunately.

By executing a database query (provided by HCL), you can verify devices that have not been reporting for an extended period of time but whose certificates are still in the database and are the root of the issue. We had experienced a similar problem previously.

Basically, there are two approaches.

1. Top-down - You can identify and delete these certificates from the database. Additionally, make sure that the BESAudit cleaner has “Remove Deleted Certificates” enabled. Before taking any unclear action, you should open a case, as @JasonWalker advised.

2. Bottom-up - Before reaching out to HCL, I was able to resolve our clients’ cert issue with the steps below.
A. Stop the BESClient service
B. Remove the Computer ID
C. Reset RegCount to 0
D. Delete the KeyStorage folder
E. Start the BESClient service

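As an added example (not code posted by anyone in this thread, and not HCL’s own tooling), here is a PowerShell script that ties the two posts above together: it first checks the newest BES client log for the "current client certificate is expired" message quoted earlier, and only with the -Reset switch performs the bottom-up reset (stop service, remove ComputerID, set RegCount to 0, move KeyStorage aside, start service). The install path, the log location under __BESData\__Global\Logs, the registry key HKLM\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\GlobalOptions and the ComputerID/RegCount value names are assumptions based on a default 32-bit-on-64-bit Windows install; verify them on your own clients, and keep in mind that the client will come back with a new computer ID.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Paths and registry names below
# are assumptions for a default BES Client install; adjust to your environment.
param(
    [switch]$Reset,   # without -Reset the script only reports what it finds
    [string]$ClientRoot = 'C:\Program Files (x86)\BigFix Enterprise\BES Client',
    [string]$GlobalOptions = 'HKLM:\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\GlobalOptions'
)

$ExpiredPattern = 'current client certificate is expired'

# Client logs are written one file per day (YYYYMMDD.log); take the newest one.
$logDir = Join-Path $ClientRoot '__BESData\__Global\Logs'
$latest = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction Stop |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
$hits = Select-String -Path $latest.FullName -Pattern $ExpiredPattern -SimpleMatch

if (-not $hits) {
    Write-Host "No expired-certificate message in $($latest.Name); nothing to do."
    return
}
Write-Warning ("{0} expired-certificate message(s) in {1}, last at line {2}" -f `
    $hits.Count, $latest.Name, $hits[-1].LineNumber)

if (-not $Reset) {
    Write-Host 'Re-run with -Reset to apply the reset (open an HCL support case first).'
    return
}

# Record the ID being discarded; the client will register again with a new one.
$oldId = (Get-ItemProperty -Path $GlobalOptions -Name ComputerID -ErrorAction SilentlyContinue).ComputerID
Write-Host "Current ComputerID: $oldId"

# A. Stop the BESClient service
Stop-Service -Name BESClient -Force

# B. Remove the Computer ID
Remove-ItemProperty -Path $GlobalOptions -Name ComputerID -ErrorAction SilentlyContinue

# C. Reset RegCount to 0
Set-ItemProperty -Path $GlobalOptions -Name RegCount -Value 0 -Type DWord

# D. Move the KeyStorage folder aside instead of deleting it, so the old
#    key material can be restored if the re-registration fails.
$ks = Join-Path $ClientRoot 'KeyStorage'
if (Test-Path $ks) {
    $backup = "$ks.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Move-Item -Path $ks -Destination $backup
    Write-Host "KeyStorage moved to $backup"
}

# E. Start the BESClient service; it re-registers and requests a fresh certificate
Start-Service -Name BESClient
Write-Host 'BESClient restarted; watch the client log for the new registration.'
```

Run it without switches first to confirm the log actually shows the expired-certificate message; the reset steps are destructive and, as noted earlier in the thread, should be coordinated with HCL Support rather than applied blindly across a fleet.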

Thank you for the info! Will open a case up with support.