LicenseUpdater (2608) - HTTPS failure

Hi Emiliano

We have over 100 BF servers in our infrastructure and it’s gonna take a while to implement changes on all of them due to a change process we need to follow.
How is this error impacting us, e.g. is content in external sites updated despite that error, or is it just affecting the licence update only?

Hear Hear.

This forum is a shining beacon.

And good spot on the errors and getting the fault acknowledged and the workaround published.

1 Like

Confirmed the change worked for me as well. This should probably be sticky so everyone finds it.

Lukasz,

To solve the issue, you just need to add the client setting

_BESGather_LicenseCertificateCommonName = gatherer.bigfix.com

on your BigFix Server. You can do that by selecting ‘Edit Computer Settings’ > ‘Add’ on the computer from the Console as MO.
The setting does not need to be added on other systems, only on the system where you installed BigFix Server.
The error, then, only affects the ability to check for license updates; it doesn’t affect site gathering.

Emiliano,

When I spoke about servers I didn’t mean clients but servers where the BF server application is installed and to which multiple clients are reporting. Thanks for the update about the license.

The setting is only needed on the root server itself, not on any relays.

We have just published the KB document about this issue and its resolution. Here is the link:

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0076680

I’ve pinned a topic on it here

This also seems to be affecting the Enable link in the License Overview dashboard.
There was an error enabling the site. It appears your server is not able to connect to the IBM's content servers. Please check the internet connection (including proxy settings) and try again.

Using the solution in the KB resolved the issue.

Hi Jason

I’ve been supporting BF for over 5 years, so believe me, I know the difference between server, relay and client. So when I say server I have in mind server - not relay, not client but SERVER. And we have over 100 of such.

It is not clear whether the BES services need to be restarted or the server needs to be restarted. I set the setting, and restarted all of the services on the root server, and I am still getting the error.

The settings should be picked up automatically without requiring any restarting. A couple of questions just to get the full picture:

  • On which version of BigFix are you?
  • Is the error the same as the original post?

And the dumbest question of all (sorry): are you sure you entered the correct name for the settings and value?

Bigfix Version

Bigfix 10.0.1.41

The Error

Thu, 03 Dec 2020 11:16:34 -0800 - 6764 - HTTP gather for http://sync.bigfix.com/cgi-bin/bfgather/webui-framework?Time=1607022994 was successful. HTTPS connection to {https://sync.bigfix.com/cgi-bin/bfgather/webui-framework?Time=1607022994} was unsuccessful due to {HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: unable to get local issuer certificate}; retried using HTTP

Thu, 03 Dec 2020 13:19:14 -0800 - 15168 - HTTP gather for http://sync.bigfix.com/cgi-bin/bfgather/linuxrpmpatching?Time=1607030353 was successful. HTTPS connection to {https://sync.bigfix.com/cgi-bin/bfgather/linuxrpmpatching?Time=1607030353} was unsuccessful due to {HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: unable to get local issuer certificate}; retried using HTTP
Thu, 03 Dec 2020 13:19:17 -0800 - 5080 - HTTP gather for http://sync.bigfix.com/cgi-bin/bfgather/softwaredistribution?Time=1607030356 was successful. HTTPS connection to {https://sync.bigfix.com/cgi-bin/bfgather/softwaredistribution?Time=1607030356} was unsuccessful due to {HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: unable to get local issuer certificate}; retried using HTTP

The setting

image

A completely unrelated cause for this might occur if you are using a web proxy that rewrites the TLS connection. Can you try opening one of those URLs in a browser, and check the certificate that is being shown?
If you have such a proxy, you’d see a certificate issued by your own company, and not our real certificate from Digicert.
If that’s the case, I can find the instructions to add your company’s certificate to the trusted issuers on the server (under BES Server\Reference\ca_certs I believe)

The cert is from my company from the firewall.

Right, but if it’s using a CA from your company, your browser may be configured to trust it by policy; that wouldn’t affect the BESRootServer trust though.

From the browser, hit the https icon and see who is issuing the certificate.

1 Like

Our production server is not having this problem, and the cert is from Digicert, unlike the test root server where the cert is from my company. I don’t see any differences in the BES Server\Reference directory between the test and production servers.

Ok that sounds like what I was describing. I’m guessing your production root server has a different proxy configuration, either on your server or on the proxy itself, so the connection goes through unmodified; but your test server doesn’t have the same config or exception on the proxy.

You’ll need to update the test server to trust the certificates issued by your company’s certificate authority. The doc is at https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_https_gathering.html

From your browser’s connection, when you view the certificate, navigate up to your company’s root certificate authority and open the Details for that root certificate. Find the “Copy to File” option and export it as a base64 x509 certificate. Then open it in notepad and copy all of the contents (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).

Then open the ca-bundle.crt in the server’s Reference folder and paste your company’s certificate to the end of it. (Make a backup copy first).

You shouldn’t need to restart any of the services, but you might try restarting GatherDB just to trigger a gather attempt sooner.

2 Likes
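The backup-and-append step described above can be scripted so that the bundle is only touched when the exported file really holds one base64 certificate that is not already trusted. This is an added example, not part of the original posts or of BigFix; the function names, the `.bak` suffix and the `company-root.cer` file name are assumptions, and the demo uses constructed placeholder bytes in a temporary directory instead of a real certificate.

```python
import base64, hashlib, re, shutil, tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 fingerprint of the DER bytes of each PEM block in text."""
    prints = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # DER certificates start with SEQUENCE
            raise ValueError("PEM block does not contain DER data")
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def append_ca(bundle_path, ca_pem_path):
    """Back up the bundle, then append one CA unless it is already there."""
    bundle = Path(bundle_path)
    ca_text = Path(ca_pem_path).read_text(encoding="ascii")
    new = pem_fingerprints(ca_text)
    if len(new) != 1:
        raise ValueError("expected exactly one base64 X.509 certificate")
    bundle_text = bundle.read_text(encoding="ascii", errors="replace")
    if new[0] in pem_fingerprints(bundle_text):
        return "already-present", new[0]
    shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))  # backup first
    sep = "" if bundle_text.endswith("\n") else "\n"
    with bundle.open("a", encoding="ascii", newline="\n") as fh:
        fh.write(sep + ca_text.strip() + "\n")
    return "appended", new[0]

def constructed_pem(der):
    """Wrap constructed bytes as PEM; stands in for a real exported CA."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        bundle, ca = Path(tmp, "ca-bundle.crt"), Path(tmp, "company-root.cer")
        bundle.write_text(constructed_pem(b"\x30\x03\x02\x01\x01"))
        ca.write_text(constructed_pem(b"\x30\x03\x02\x01\x02"))
        first = append_ca(bundle, ca)[0]
        second = append_ca(bundle, ca)[0]  # second run must not duplicate
        blocks = len(pem_fingerprints(bundle.read_text()))
        return first, second, blocks, Path(tmp, "ca-bundle.crt.bak").exists()

if __name__ == "__main__":
    print(demo())
```

The returned fingerprint is the value to compare against the one your PKI team publishes for the company root before relying on the new trust entry.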

Thanks Jason! This is great information. I was able to get the “Copy to File” option by running IE as administrator. Otherwise, “Copy to File” was greyed out.

The problem has been resolved by copying the certificate per Jason’s instructions.

2 Likes

Once per day, I am still getting the following message in the BESRelay.log.

Mon, 07 Dec 2020 12:49:36 -0800 - LicenseUpdater (4248) - HTTP gather for http://gatherer.bigfix.com/cgi-bin/LicenseServerFrontend.pl was successful. HTTPS connection to {https://gatherer.bigfix.com/cgi-bin/LicenseServerFrontend.pl} was unsuccessful due to {HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: unable to get local issuer certificate}; retried using HTTP
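To see which hosts are still falling back from HTTPS to plain HTTP after a change, the log lines quoted in this thread can be counted per source, host and error. This is an added example, not part of the original posts; the sample lines are constructed in the format shown above, and the `gather` label for lines that carry only a numeric id is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

FALLBACK_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) - "
    r"(?P<source>.+?) - HTTP gather for (?P<http_url>\S+) was successful\. "
    r"HTTPS connection to \{(?P<https_url>[^}]+)\} was unsuccessful due to "
    r"\{HTTP Error (?P<code>\d+): (?P<reason>[^}]*)\}; retried using HTTP$")

ERR = ("HTTP Error 60: SSL peer certificate or SSH remote key was not OK: "
       "SSL certificate problem: unable to get local issuer certificate")

def sample_line(ts, source, host, path):
    """Build a constructed log line in the format quoted in the thread."""
    return (f"{ts} - {source} - HTTP gather for http://{host}{path} was successful. "
            f"HTTPS connection to {{https://{host}{path}}} was unsuccessful due to "
            f"{{{ERR}}}; retried using HTTP")

def summarize(lines):
    """Count HTTPS-to-HTTP fallbacks per (source, host, code, detail)."""
    counts, unparsed = Counter(), 0
    for raw in lines:
        m = FALLBACK_RE.match(raw.strip())
        if not m:
            unparsed += 1
            continue
        # Drop the numeric id; lines with only an id are labelled "gather".
        source = re.sub(r"\s*\(?\d+\)?$", "", m["source"]) or "gather"
        host = urlsplit(m["https_url"]).hostname
        detail = m["reason"].rsplit(": ", 1)[-1]  # innermost error text
        counts[(source, host, int(m["code"]), detail)] += 1
    return counts, unparsed

def demo():
    lines = [  # constructed sample input
        sample_line("Thu, 03 Dec 2020 11:16:34 -0800", "6764",
                    "sync.bigfix.com", "/cgi-bin/bfgather/siteA?Time=1"),
        sample_line("Thu, 03 Dec 2020 13:19:14 -0800", "15168",
                    "sync.bigfix.com", "/cgi-bin/bfgather/siteB?Time=2"),
        sample_line("Mon, 07 Dec 2020 12:49:36 -0800", "LicenseUpdater (4248)",
                    "gatherer.bigfix.com", "/cgi-bin/LicenseServerFrontend.pl"),
        "Mon, 07 Dec 2020 12:50:00 -0800 - 4248 - some unrelated line",
    ]
    return summarize(lines)

if __name__ == "__main__":
    print(demo())
```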