Started getting these in the BESRelay.log starting Saturday. Looks like one per hour. Anyone else?
Sat, 29 Feb 2020 04:31:51 -0500 - LicenseUpdater (2608) - HTTPS failure on {https://gatherer.bigfix.com/cgi-bin/LicenseServerFrontend.pl}; Message {HTTP Error 60: Peer certificate cannot be authenticated with given CA certificates: SSL certificate verification failed}; retrying using HTTP
Wed, 04 Mar 2020 13:04:09 -0500 - LicenseUpdater (2608) - HTTPS failure on {https://gatherer.bigfix.com/cgi-bin/LicenseServerFrontend.pl}; Message {HTTP Error 60: Peer certificate cannot be authenticated with given CA certificates: SSL certificate verification failed}; retrying using HTTP
Same here in BESRelay.log after upgrading BES v9.5.6.63 to the latest v9.5.14.73 (on Linux with ILMT 9.2.18.0 and DB2 10.5).
Started immediately after upgrade: Tue, 03 Mar 2020 14:41:34 +0100 - LicenseUpdater (3725821696) - HTTPS failure on …
Found a possible solution and replaced an old ca-bundle.crt from Oct, 2015. in /opt/BESServer/Reference/ca-bundle.crt with a fresh one from Jan, 2020. but it didn’t help even after a reboot.
Does anybody know how to set the path to the downloaded set of trusted certificates for a _BESGather_CACert keyword? Maybe in:
BESClient/besclient.config or BESServer/besserver.config ? But, what is a correct syntax?
What is going on is that we finally upgraded the certificate on the license server and fixed a problem that we had before. The old certificate for gatherer.bigfix.com actually still had the old name in the CommonName and we had to workaround that and put special check in place for that name. So now that we actually got a proper certificate the check is failing and you get that error. Don’t worry though there is a fix before we actually fix this in the product itself:
There is a hidden client settings that you can put on the server
Thank you for the response. If we do nothing, does this self correct or will that only happen during a future upgrade; leaving us to implement the workaround you mentioned?
The BES Server on startup does the check and then it does every hour, so if you didn’t see that error on Server startup you already know that is working. Plus you can ask for a LicenseUpdate check from the License Dashboard in the Console.
You would open the Console as MO. You would locate your BES and right-click on it, and choose Edit Computer Settings and click Add. You would then add _BESGather_LicenseCertificateCommonName as the Setting Name and gatherer.bigfix.com as the Setting Value.
Hello Lukasz,
I apologize for the internal communication issue we had.
Support team is now aware of that and we are going to publish a document, that will be available to HCL teams and to customers, containing the explanation of the error and how to recover from it.
I will post the document external link, as soon as it is available.
The positive is that it is vital that this forum remains active as it has been. I come here everyday and post or look for information before going to Support. This is the best forum I’ve ever been on in both content, people, contribution, and functionality of the forum itself.
We have over 100 BF servers in our infrastructure and it’s gona take a while to implement changes on all of them due to a change process we need to follow.
How does this error is impacting us, eg. Is content in external sites updated because of that error, or it’s just inflicting licence update only ?
on your BigFix Server and you can do that just selecting ‘Edit Computer Settings’ > ‘Add’ from Console as MO on the computer.
It is not needed to add the above setting on other systems, but just on the system where you installed BigFix Server.
The error, then, only affects the ability to check for license updates, it doesn’t affect site gathering.
