Client Security failed to download definition updates from Policy Manager Proxy and Policy Manager Server with "certificate expired" and "untrusted root ca" errors. - F-Secure Community
<main> <article class="userContent"> <h3 data-version="5" data-article="000038287" data-id="issue">Issue:</h3> <p>This article applies to the following F-Secure products: Policy Manager Server, Policy Manager Proxy<br><br>Client Security failed to download definition updates from Policy Manager Proxy (PMP) and Policy Manager Server (PMS) with "certificate expired" and "untrusted root ca" errors.<br><br><u><b>Host using PMP</b></u><br>2022-02-01 09:32:21.040 [1454.1a68] I: Checking for updates from <a rel="nofollow" href="https://math-x.math.tu-cottbus.de:488/guts2">https://xxxx.xxxxx.xxxxx.de:488/guts2</a><br>2022-02-01 09:32:21.040 [1454.1a68] I: Update check failed, error=221 (certificate expired)<br><br><u><b>Host using PMS directly</b></u><br>2022-01-31 16:32:22.806 [0f54.1300] I: Checking for updates from <a rel="nofollow" href="https://fspmsrv.math.tu-cottbus.de/guts2">https://xxxxx.xxxxx.xxx.de:443/guts2</a><br>2022-01-31 16:32:22.884 [0f54.1300] I: Update check failed, error=216 (untrusted root ca)<br><br>The problem occurred after updating to Policy Manager Server 15.30.</p> <h3 data-id="resolution">Resolution:</h3> <p>Based on data from the Java KeyStore (.jks) files, the certificate on the Policy Manager Proxy was renewed; however, this was not included in the logs. 
The CA certificate was updated; however, the SCEP certificates were not.<br><br>You can delete the SCEP certificates from fspms-ca.jks to fix the issue.<br><br><b>For Policy Manager installed on a Linux host:</b></p> <ol><li><b>Stop</b> the F-Secure Policy Manager service</li><li><b>Delete</b> the fspms.jks file</li><li><b>Run</b> the following commands in the data folder (/var/opt/f-secure/fspms/data/)</li></ol><ul><li>/opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-encryption -keystore fspms-ca.jks</li><li>/opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-signing -keystore fspms-ca.jks</li></ul><ol start="4"><li><b>Start</b> the F-Secure Policy Manager service</li><li>On the Policy Manager Proxy machine, <b>run</b> the fspmp-enroll-tls-certificate script from /opt/f-secure/fspms/bin/</li></ol><p><b>For Policy Manager installed on a Windows host:</b></p> <ol><li><b>Stop</b> the F-Secure Policy Manager Server service from services.msc &gt; F-Secure Policy Manager Server</li><li><b>Delete</b> the fspms.jks file in (&lt;Installation folder&gt;\F-Secure\Management Server 5\data) <b>Note: Make a backup of this file</b></li><li><b>Launch</b> Command Prompt as administrator</li><li><b>Navigate</b> to the \F-Secure\Management Server 5\jre\bin\ folder in the Command Prompt</li><li><b>Run</b> the following commands:</li></ol><ul><li>"C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-encryption -keystore fspms-ca.jks</li><li>"C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-signing -keystore fspms-ca.jks</li></ul><ol start="6"><li><b>Start</b> the F-Secure Policy Manager Server service from services.msc</li><li>Upon launching the Policy Manager Console, you will be prompted to accept the new certificate. 
You can click <b>Accept</b> to continue</li><li><b>Run</b> the fspmp-enroll-tls-certificate.bat script on the Policy Manager Proxy machine.</li></ol><ul><li>(...\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat)</li></ul><p>Once the steps above are completed, the definition updates should work as expected.</p> <p>Article no: 000038287</p> </article> </main>
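<p>To confirm which update sources are still rejected after the steps above, the client log lines quoted under "Issue" can be triaged with a short script. This is an added example, not F-Secure code: it assumes that a "Checking for updates" line and its result share the same bracketed id, as in the article's excerpts, and the hostnames, the interleaving and the error=7 line in the sample are constructed.</p>

```python
import re
from collections import Counter

# Line shape copied from the article's excerpts:
#   2022-02-01 09:32:21.040 [1454.1a68] I: <message>
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[([0-9a-f]+\.[0-9a-f]+)\] \w: (.*)$")
CHECK = re.compile(r"^Checking for updates from (\S+)$")
FAIL = re.compile(r"^Update check failed, error=(\d+) \(([^)]*)\)$")
CERT_ERRORS = {221, 216}  # the two certificate error codes reported in the article

def cert_failures(lines):
    """Pair each certificate failure with the URL checked under the same [id]."""
    pending, found = {}, []  # pending: bracketed id -> URL of the open check
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected shape
        ts, ctx, msg = m.groups()
        if (c := CHECK.match(msg)):
            pending[ctx] = c.group(1)
        elif (f := FAIL.match(msg)):
            url = pending.pop(ctx, None)  # None: failure with no preceding check line
            if int(f.group(1)) in CERT_ERRORS:
                found.append((ts, url, int(f.group(1)), f.group(2)))
    return found

def summarize(found):
    """Count certificate failures per (update source, error code)."""
    return Counter((url, code) for _, url, code, _ in found)

# Constructed sample: hostnames, interleaving and error=7 are made up for this example.
SAMPLE = """\
2022-02-01 09:32:21.040 [1454.1a68] I: Checking for updates from https://pmp.example.test:488/guts2
2022-02-01 09:32:21.041 [1454.2b10] I: Checking for updates from https://pms.example.test:443/guts2
2022-02-01 09:32:21.090 [1454.2b10] I: Update check failed, error=216 (untrusted root ca)
2022-02-01 09:32:21.120 [1454.1a68] I: Update check failed, error=221 (certificate expired)
2022-02-01 10:32:21.040 [1454.1a68] I: Checking for updates from https://pmp.example.test:488/guts2
2022-02-01 10:32:21.100 [1454.1a68] I: Update check failed, error=7 (constructed non-certificate error)
2022-02-01 11:32:21.040 [1454.1a68] I: Checking for updates from https://pmp.example.test:488/guts2
2022-02-01 11:32:21.100 [1454.1a68] I: Update check failed, error=221 (certificate expired)
""".splitlines()

if __name__ == "__main__":
    for (url, code), n in sorted(summarize(cert_failures(SAMPLE)).items()):
        print(f"{n}x error={code} from {url}")
```

<p>An empty result for log entries written after the proxy re-enrolled its certificate indicates that clients no longer see either certificate error.</p>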