"HTTP Error 60: Peer certificate cannot be authenticated ..." Message After Fresh BigFix Windows Install

Hi all …

A fresh install of BigFix 9.5.13.130 on Windows seemed to go just fine, but no new content was obtained, and no computers were subscribed to the BES Support site (and I couldn’t change this value to “all computers”). A view of the besrelay.log on this server displayed this message:

HTTP Error 60: Peer certificate cannot be authenticated with given CA certificates: SSL certificate problem, verify that the CA cert is OK.

I have never seen this before on a fresh install of BigFix. I’m thinking two possibilities here:

  • Something to do with the proxy? This server uses a proxy to get on the Internet and when tested as part of the install, the test was successful. Maybe this proxy rewrites http calls to https, as forum entry HTTP / SSL Errors with prefetch statement downloads suggests could be the issue? (But I’m not writing my own prefetch statements.)
  • Something happened to the masthead file. Since this deployment of BigFix is going to be used for the IBM License Metric Tool, and we have not yet deployed any clients, my thought is to start all over again and run through the license generation process. (I did not do this process; it was done prior to my involvement).

Anyone have any suggestions on determining the cause or other recommendations?

–Mark

Check whether this applies, especially if your proxy is rewriting HTTPS connections. https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_https_gathering.html

Will find out and let you know. Thanks Jason! --Mark

Hi Jason … we tried applying the two settings and downloading the updated certificate list in the linked document but the error persists. My customer is going to work with his proxy team to determine if there’s something going on that we are unaware of because I think that is what is getting in the way. I’m confident the BigFix install is clean, however.

–Mark

So if your proxy is rewriting HTTPS connections, they’d be re-signing the stream with their company’s certificate. As far as BigFix can tell, the HTTPS would be getting signed by the certificate issued to your proxy server (which of course we don’t trust, yet - it looks like a Man-in-the-Middle attack, which is exactly what an HTTPS proxy does).

So you’d need to update BigFix’s ca_bundle to add your internal certificate issuer.

The instructions on the page talk about updating from a public-trusted ca_bundle.crt, but I see it doesn’t include instructions to add your company’s custom certificate to a bundle. Obtain the CA Root and Issuing Authority certificates, in PEM format (they should be text files and include strings like -----BEGIN CERTIFICATE-----).

You would just append your certificates to the bundle with notepad, including all the dashes. If you get both an Issuing CA certificate and a Root CA certificate, you’d put the Issuing CA first followed by the Root CA.

We don’t know if this proxy is rewriting https connections.

Assuming for the moment that it does, is it as simple as adding their certificate in .pem/.crt format to the ca_bundle by copy/paste?

–Mark

You’d add the issuer of the proxy’s certificate (which might well be built-in to the proxy itself, or might be issued by a separate internal certificate authority), but yes, if you get it in PEM format so it’s readable in notepad and has the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings, it really is just copy/paste onto the end of the ca_bundle.crt file.

One way to tell whether they’re rewriting (which is likely, given the errors you are seeing) is to open a browser to https://gatherer.bigfix.com/ . The browser may warn about the certificate (due to mismatching the domain name, but BigFix doesn’t care about that part), and when you view the certificate, it should look like this:

If the “Issued By” line has something else, like their own company name, then their proxy is rewriting the HTTPS connections and you’ll need BigFix to trust their issuer certificate. From this same page you would go to the “Certification Path” and select the root authority and any intermediate issuers, and hit “View Certificate” on those -

For the Root and Intermediate certificates (assuming these are custom for your company), you’d switch to the Details tab and then “Copy to File”

Export the certificate as a “Base64-encoded x509”:

When you’re done, each certificate should be plain-text:

C:\>type c:\temp\temp.cer
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Copy and paste the full contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into the ca_bundle.crt. Notepad or Notepad++ work for this.

(but as always, make a backup copy of the original ca_bundle.crt before making any modifications)
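A stdlib-only Python helper, added here as an example (it is not BigFix code and not from this thread), for the append step Jason describes in the two posts above: it checks that each exported file really is a Base64 (PEM) certificate with the exact marker lines, decodes it to DER, skips certificates already in ca_bundle.crt, backs the bundle up first, and appends in the order given (issuing CA first, root CA last). The bundle path and the fake_pem stand-in certificates are assumptions for illustration, not real certificates.

```python
import base64, binascii, hashlib, re, shutil
from pathlib import Path

# One PEM block: the Base64 body between the exact marker lines (CRLF tolerated).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def pem_blocks(text):
    """Return [(normalized_pem, sha256_of_der)] for each certificate block in text;
    raise ValueError if a body is not Base64 DER (e.g. a binary DER .cer export)."""
    out = []
    for m in PEM_RE.finditer(text):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except binascii.Error as e:
            raise ValueError(f"certificate body is not valid Base64: {e}")
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("body does not decode to a DER SEQUENCE")
        b64 = base64.b64encode(der).decode()
        pem = ("-----BEGIN CERTIFICATE-----\n"
               + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
               + "\n-----END CERTIFICATE-----\n")
        out.append((pem, hashlib.sha256(der).hexdigest()))
    return out

def append_to_bundle(bundle_path, cert_paths):
    """Append cert files (issuing CA first, root CA last) to the bundle after
    backing it up; skip certificates already present; return added fingerprints."""
    bundle = Path(bundle_path)
    shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))  # backup first
    current = bundle.read_text(errors="replace")
    existing = {fp for _, fp in pem_blocks(current)}
    added = []
    with bundle.open("a", newline="\n") as f:
        if current and not current.endswith("\n"):
            f.write("\n")  # keep the first appended marker on its own line
        for path in cert_paths:
            blocks = pem_blocks(Path(path).read_text(errors="replace"))
            if not blocks:
                raise ValueError(f"{path}: no PEM block; export as Base64-encoded X.509")
            for pem, fp in blocks:
                if fp not in existing:
                    f.write(pem)
                    existing.add(fp)
                    added.append(fp)
    return added

def fake_pem(n):
    """Constructed stand-in: DER SEQUENCE{INTEGER n}, not a real certificate."""
    der = bytes([0x30, 0x03, 0x02, 0x01, n])
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

Point it at the real ca_bundle.crt and at the two Base64 exports, issuing CA first; a binary (DER) export is rejected with an error instead of being silently pasted in.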


Hi Jason … thanks so much for this … I’ll give this a try and let you know how it went. --Mark

Hi Jason (and all) …

We resolved this issue. While it did involve the proxy, it was not an issue where the proxy was rewriting the https connections. It had something to do with their firewall. As it was explained to me, they allowed anonymous access to bigfix.com for the server object and then everything started flowing smoothly. Why the server didn’t simply tell us that, I don’t know.

–Mark
