Rudder

Description¶

Some user face problems when ESET software is installed on nodes, with an error for agent run or inventory

curl: (90) SSL: public key does not match pinned public key

Seems to come from ESET Endpoint Security : https://help.eset.com/ees/9/en-US/idh_config_epfw_ssl.html
It contains a certificate checker that modifies “invalid” certificates on the fly, by replacing the issuer field with this exact string:

CN=The original certificate provided by the server is untrusted

This changes the hash of the certificate, and prevents the Rudder agent from contacting its policy server over HTTPS.

How to identify the problem¶

1. On the node run
   

   grep POLICY_SERVER_KEY_HASH /var/rudder/cfengine-community/inputs/rudder.json@ -> you will a hash like @sha256//<hash>
   

2. Then run
   

   curl -v -k --pin @sha256//<hash>@ https://<policy-server-hostname-or-ip>

3. In the output, check the issuer line if it contains this following line, then it is linked to ESET software
   

   CN=The original certificate provided by the server is untrusted
   

How to fix¶

It seems possible to add the root server’s certificate to the EDR configuration and explicitly allow it: https://help.eset.com/ees/9/en-US/idh_config_epfw_ssl_known.html