Actions
Bug #26234
closed
Troubleshooting ESET software modifying certifactes by replacing issuers
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No
Description
Description¶
Some user face problems when ESET software is installed on nodes, with an error for agent run or inventory
curl: (90) SSL: public key does not match pinned public key
Seems to come from ESET Endpoint Security : https://help.eset.com/ees/9/en-US/idh_config_epfw_ssl.html
It contains a certificate checker that modifies “invalid” certificates on the fly, by replacing the
issuer field with this exact string:CN=The original certificate provided by the server is untrusted
This changes the hash of the certificate, and prevents the Rudder agent from contacting its policy server over HTTPS.
How to identify the problem¶
- On the node run
grep POLICY_SERVER_KEY_HASH /var/rudder/cfengine-community/inputs/rudder.json@ -> you will a hash like @sha256//<hash>
- Then run
curl -v -k --pin @sha256//<hash>@ https://<policy-server-hostname-or-ip>
- In the output, check the
issuerline if it contains this following line, then it is linked to ESET softwareCN=The original certificate provided by the server is untrusted
How to fix¶
It seems possible to add the root server’s certificate to the EDR configuration and explicitly allow it: https://help.eset.com/ees/9/en-US/idh_config_epfw_ssl_known.html
Updated by Elaad FURREEDAN 3 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Elaad FURREEDAN to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-doc/pull/1082
Updated by Anonymous 3 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-doc|a94ea702f460936094e8568a8a63badc0919f130.
Updated by
Updated by Vincent MEMBRÉ about 2 months ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.1.12 and 8.2.5 which were released today.
Actions