Unknown and RemoteCertificateChainErrors SSL errors after installing or changing CA with improper eDirectory CA certificate

  • 7012138
  • 12-Apr-2013
  • 03-May-2013

Environment

Novell ZENworks Configuration Management 11.2

Situation

Agents cannot communicate with the Primary Servers. The agent rejects the server's TLS certificate with a chain error, so registration and ping both fail.
 
DEBUG (from zmd-messages.log):
 
[ZenworksWindowsService] [27] [] [RegistrationModule-CertValidation] [] [Policy errors:] [] []
[ZenworksWindowsService] [27] [] [RegistrationModule-CertValidation] [] [  SslPolicyErrors.RemoteCertificateChainErrors] [] []
[ZenworksWindowsService] [27] [] [RegistrationModule-CertValidation] [] [Chain status array:] [] []
[ZenworksWindowsService] [27] [] [RegistrationModule-CertValidation] [] [  Chain status(0) = PartialChain, Unknown error.] [] []
 
[ZenworksWindowsService] [54] [] [ZenCertificatePolicy] [ZMD.CertificateChainError] [Error in the TLS certificate chain. Message: Unknown error..] [] []
[ZenworksWindowsService] [54] [] [ConnectMan-ping] [] [web request exception] [] []
[ZenworksWindowsService] [54] [] [ConnectMan-ping] [] [status: TrustFailure] [] []
[ZenworksWindowsService] [54] [] [ConnectMan-ping] [] [The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.] [] []
[ZenworksWindowsService] [54] [] [ConnectMan-ping] [] [   at System.Net.HttpWebRequest.GetResponse()
   at Novell.Zenworks.ConnectionManager.HttpLocation.Ping(TimeSpan timeout)] [] []

Resolution

When installing or changing the ZENworks zone CA certificate from an eDirectory CA, export the Organizational CA using the "Self Signed Certificate" option, not the "Public Key Certificate" option. The "PartialChain" status in the log above means the agent could build the chain only as far as the certificate it was given and never reached a trusted root; the self-signed CA certificate is that root.
 
For more information on exporting with iManager, see section 4.1.6, "Exporting the Organizational CA's Self-Signed Certificate", at https://www.netiq.com/documentation/crt33/crtadmin/?page=/documentation/crt33/crtadmin/data/a2ebop8.html
 
The self-signed Certificate Authority certificate must be present in the local device's machine (LocalMachine) certificate store, not a user store, because the agent runs as a service. If the wrong certificate was used before the change, "zac ci ca.der" will fail, and "zac reestablish-trust" will also fail. In that case, inject the proper CA into the machine Root store from an elevated (Administrator) command prompt with the following command (note: certmgr.exe is a Microsoft tool that ships with the Windows SDK; the built-in certutil equivalent is "certutil -addstore Root ca.der"):
 
certmgr.exe -add -all ca.der -s -r localMachine root
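The script below is an added example, not part of the TID or of ZENworks. It checks that the exported file really is the self-signed CA (issuer equals subject, Basic Constraints CA=true) before trusting it, adds it to the LocalMachine\Root store only if it is not already there, and then confirms the store now yields a complete chain. It assumes the file path C:\zenworks\ca.der and must run from an elevated PowerShell session.

```powershell
# Added example (not from the TID): validate and import the zone CA export.
# Assumption: the DER file exported from iManager is at C:\zenworks\ca.der.
param([string]$CaFile = 'C:\zenworks\ca.der')

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($CaFile)

# A usable zone CA export is self-signed (issuer and subject match) ...
$isSelfSigned = ($cert.Issuer -eq $cert.Subject)
# ... and carries a Basic Constraints extension with CA=true.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa = ($null -ne $bc -and $bc.CertificateAuthority)

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Self-signed: $isSelfSigned   CA: $isCa"

if (-not ($isSelfSigned -and $isCa)) {
    Write-Warning 'This is not a self-signed CA certificate. Re-export the Organizational CA with the "Self Signed Certificate" option.'
    exit 1
}

# Write to the machine Root store (requires Administrator). X509Store is used
# instead of Import-Certificate so the script also works without the PKI module.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
if ($already.Count -gt 0) {
    'CA already present in LocalMachine\Root.'
} else {
    $store.Add($cert)
    'Imported CA into LocalMachine\Root.'
}
$store.Close()

# Confirm the chain now terminates in a trusted root; the agent's earlier
# failure was PartialChain, which this build would report if the CA were missing.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    'Chain builds cleanly: the CA is trusted on this machine.'
} else {
    $chain.ChainStatus | ForEach-Object { "Chain status: $($_.Status) - $($_.StatusInformation)" }
    exit 1
}
```

After the script reports a clean chain, run "zac reestablish-trust" (or "zac ci ca.der") and check zmd-messages.log for the RegistrationModule-CertValidation lines; the "PartialChain" status should no longer appear.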