We have over 100 BF servers in our infrastructure and it’s going to take a while to implement changes on all of them due to a change process we need to follow.
How is this error impacting us, e.g. is content in external sites updated because of that error, or is it just affecting the licence update only?
on your BigFix Server and you can do that just selecting ‘Edit Computer Settings’ > ‘Add’ from Console as MO on the computer.
It is not needed to add the above setting on other systems, but just on the system where you installed BigFix Server.
The error, then, only affects the ability to check for license updates, it doesn’t affect site gathering.
When I spoke about servers I didn’t mean client but server where the BF server application is installed, to which multiple clients are reporting. Thanks for the update about the license.
This also seems to be affecting the Enable link in the License Overview dashboard. There was an error enabling the site. It appears your server is not able to connect to the IBM's content servers. Please check the internet connection (including proxy settings) and try again.
I’ve been supporting BF for over 5 years, so believe me, I know the difference between server, relay and client. So when I say server I have in mind server - not relay, not client but SERVER. And we have over 100 of such.
It is not clear whether the BES services need to be restarted or the server needs to be restarted. I set the setting, and restarted all of the services on the root server, and I am still getting the error.
A completely unrelated cause for this might occur if you are using a web proxy that rewrites the TLS connection. Can you try opening one of those URLs in a browser, and check the certificate that is being shown?
If you have such a proxy, you’d see a certificate issued by your own company, and not our real certificate from Digicert.
If that’s the case, I can find the instructions to add your company’s certificate to the trusted issuers on the server (under BES Server\Reference\ca_certs I believe)
Right, but if it’s using a CA from your company, your browser may be configured to trust it by policy; that wouldn’t affect the BESRootServer trust though.
From the browser, hit the https icon and see who is issuing the certificate.
Our production server is not having this problem, and the cert is from Digicert, unlike the test root server where the cert is from my company. I don’t see any differences in the BES Server\Reference directory between the test and production servers.
Ok that sounds like what I was describing. I’m guessing your production root server has a different proxy configuration, either on your server or on the proxy itself, so the connection goes through unmodified; but your test server doesn’t have the same config or exception on the proxy.
From your browser’s connection, when you view the certificate, navigate up to your company’s root certificate authority and open the Details for that root certificate. Find the “Copy to File” option and export it as a base64 x509 certificate. Then open it in notepad and copy all of the contents (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
Then open the ca-bundle.crt in the server’s Reference folder and paste your company’s certificate to the end of it. (Make a backup copy first).
You shouldn’t need to restart any of the services, but you might try restarting GatherDB just to trigger a gather attempt sooner.
Thanks Jason! This is great information. I was able to get the “Copy to File” option by running IE as administrator. Otherwise, “Copy to File” was greyed out.
The problem has been resolved by copying the certificate per Jason’s instructions.
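
The bundle edit described in the thread (back up `ca-bundle.crt`, then paste the exported company root certificate at the end), written out as an added Python example that is not part of the original posts or of BigFix's own tooling. The function names, the `.bak` suffix and the sample certificates are assumptions constructed for illustration; the code checks PEM framing and base64 only, not the X.509 contents.

```python
import base64, hashlib, re, shutil, tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the decoded bytes of every certificate block in pem_text."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out

def append_ca(bundle_path, ca_pem):
    """Append one exported CA certificate; return 'added' or 'already-present'.

    Raises ValueError if ca_pem is not exactly one well-formed block.
    """
    bundle = Path(bundle_path)
    new = fingerprints(ca_pem)
    if len(new) != 1:
        raise ValueError("expected exactly one base64 certificate block")
    existing = bundle.read_text(encoding="utf-8", errors="replace")
    if new[0] in fingerprints(existing):
        return "already-present"          # a second paste would only add noise
    shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))  # backup first
    block = "\n".join(ln.strip() for ln in
                      PEM_RE.search(ca_pem).group(0).splitlines() if ln.strip())
    # A bundle whose last line lacks a newline would otherwise fuse
    # "-----END CERTIFICATE-----" with the next "-----BEGIN CERTIFICATE-----".
    sep = "" if existing == "" or existing.endswith("\n") else "\n"
    with bundle.open("a", encoding="ascii") as fh:
        fh.write(sep + block + "\n")
    return "added"

def make_pem(raw):
    """Wrap constructed bytes in PEM framing (sample data, not a real cert)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "ca-bundle.crt"
        path.write_text(make_pem(b"constructed public CA"))  # no final newline
        corp = make_pem(b"constructed company root CA")
        print(append_ca(path, corp), append_ca(path, corp))
        print(len(fingerprints(path.read_text())), "certificates in bundle")
```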