Hi all …
I was working with a client to get a new 9.5.13 BigFix server going for the purposes of installing the IBM License Metric Tool.
After the BigFix installation finished, we noticed that the BigFix Management (BES Support site) tasks & fixlets were not loading. The BigFix server uses a proxy to get out on the Internet, and that was configured properly and tested (besadmin.exe /setproxy). We checked besrelay.log and saw timeouts to https://gatherer.bigfix.com. We tried going to that site in a browser and were able to reach it - however, the browser gave us a security warning. We took a guess that the gather process was stopped because it couldn’t answer the security warning.
The resolution in this case was to get the cert for gatherer.bigfix.com using openssl’s s_client, convert it to x509, install it locally on the BigFix server and then the fully populated list of fixlets was generated – so it was clearly the untrusted cert causing the problem.
We are a bit confused why our BigFix server didn’t recognize the cert as coming from a valid CA - which is
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
Perhaps the server didn’t like the wildcard bit of the CN?
CN = *.subscribenet.com
Or maybe it’s because a proxy is in use here?
Can anyone explain this to me? Thanks!
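
Added example, not part of the original post: a Python sketch of the hostname check that TLS clients apply to a server certificate (RFC 6125 wildcard rules), run on the host and CN quoted above. The empty SAN list and the second hostname are assumptions, since the post does not show the certificate's SAN extension, and nothing here is BigFix's own code.

```python
import ipaddress


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matches_dns_name(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label."""
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never match DNS-name patterns
    except ValueError:
        pass
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        if len(p) < 3:
            return False  # reject over-broad patterns such as '*.com'
        p, h = p[1:], h[1:]
    if any("*" in label for label in p):
        return False  # partial or non-leftmost wildcards are not honoured
    return p == h


def check_identity(host, san_dns_names, subject_cn):
    """Return (ok, reason). SAN dNSName entries take precedence;
    the subject CN is only a legacy fallback when no SAN is present."""
    names = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    source = "SAN" if san_dns_names else "CN"
    if not names:
        return False, "certificate presents no DNS identity"
    for name in names:
        if matches_dns_name(name, host):
            return True, f"{host} matches {source} entry {name}"
    return False, f"{host} matches none of the {source} entries {names}"


if __name__ == "__main__":
    # Host and CN are taken from the post; SAN list is assumed empty.
    print(check_identity("gatherer.bigfix.com", [], "*.subscribenet.com"))
    # Constructed hostname, shown only to contrast a name the wildcard covers.
    print(check_identity("downloads.subscribenet.com", [], "*.subscribenet.com"))
```

A name check like this is independent of whether the issuing CA is trusted, so the two causes can be ruled in or out separately.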