SSL certificate is signed by an unknown certificate authority.

    Question

  • Hi,

    I've been trying to test Operations Manager 2007 R2 RC in my environment, and I'm trying to get a RHEL 4 system to communicate properly with the management server. The problem has to do with the certificate signing process failing no matter how I try to set up and discover the agent. I have a feeling this has to do with the management server not properly recognizing itself as a valid self-signing authority.

    Here's what I know:

    I originally tried an SSL discovery of the machine. After some testing, I got to a point where the discovery process failed at "Signing". So I pulled out the OM2007R2 Security Guide and went through its process for removing the previously generated certs, reinstalling the agent, copying the client-signed certs to the management server, running scxcertconfig -sign on the management server (which here is OPSTEST2), porting the newly signed certificate back to the client and overwriting the old certificate with the new management-server-signed certificate.

    Based on another thread on these forums, I took a close look with OpenSSL at the subject and issuer of the certificate in question.

    The original generated certificate looked like this:
    subject= /CN=<client FQDN>/CN=<client FQDN>
    issuer= /CN=<client FQDN>/CN=<client FQDN>

    The new management-server-signed certificate looks like this:
    subject= /CN=<client FQDN>/CN=<client FQDN>
    issuer= /CN=SCX-Certificate/title=SCX3D03AD02-DDB6-4906-ABDE-7089A1398A4F/DC=OPSTEST2

    I would think that the DC should be the FQDN of OPSTEST2, not just the hostname, correct?

    If I try to do a (non-SSH) discovery now, it lists the certificate status as invalid, with the details:

    Message: The certificate is invalid, please select the system to issue a new certificate.
    Details: The server certificate on the destination computer (<client FQDN>:1270) has the following errors: The SSL certificate is signed by an unknown certificate authority.

    This occurs, even though the management server itself signed the certificate.

    Any help on trying to resolve this would be appreciated.

    Chay Casso
    Friday, June 12, 2009 4:07 PM
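
The subject/issuer inspection described in the question can be taken one step further by comparing a host certificate's issuer DN with the signing certificate's subject and then verifying the signature itself. The following is an added example, not part of the original post and not Operations Manager's own tooling; it uses only the `openssl` command line, and every file name and DN in it (`SCX-Certificate-Example`, `MGMTSERVER`, `agent.example.test`) is constructed test data.

```bash
#!/usr/bin/env bash
# Added example; every name, DN and file below is constructed test data.

# issuer_matches SIGNER LEAF: LEAF's issuer DN equals SIGNER's subject DN.
issuer_matches() {
    local s i
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# signature_verifies SIGNER LEAF: LEAF validates with SIGNER supplied as trust anchor.
signature_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_pair SIGNER LEAF: print a one-line verdict for each check.
check_pair() {
    issuer_matches "$1" "$2" && echo "issuer DN matches signer subject" || echo "issuer DN differs"
    signature_verifies "$1" "$2" && echo "signature verifies" || echo "signature does NOT verify"
}

# make_fixtures DIR: build a constructed signer, a host cert signed by it, and a
# self-signed host cert (the state before re-signing), all with throwaway keys.
make_fixtures() {
    local d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -subj "/CN=SCX-Certificate-Example/DC=MGMTSERVER" \
        -keyout "$d/signer.key" -out "$d/signer.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=agent.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/signer.pem" -CAkey "$d/signer.key" \
        -set_serial 2 -days 1 -out "$d/host-signed.pem" 2>/dev/null
    openssl req -x509 -new -key "$d/host.key" -days 1 -config "$d/req.cnf" \
        -subj "/CN=agent.example.test" -out "$d/host-selfsigned.pem" 2>/dev/null
}
```

To try it, run `make_fixtures "$(mktemp -d)"` and then `check_pair` on the generated `signer.pem` with each host certificate; on a real system, pass the signing certificate and the agent certificate in place of the fixtures.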

Answers

  • Hi,
     
    Did you install everything the same day? I had some problems between RC and RTM, where I tried to use RC agents to communicate with RTM R2. The solution was to clean up the Linux side, removing all folders and files related to Ops Mgr, and then do a new discovery.

    --

    Anders Bengtsson
    Microsoft MVP - Ops Mgr
    www.contoso.se
    • Marked as answer by Robert Hearn Saturday, November 07, 2009 12:16 AM
    Saturday, June 13, 2009 8:14 AM

All replies

  • I think I tried to install this on the Red Hat machine the day after installing SCOM R2 RC. I probably should go evaluate RTM; I was just trying to demo what I already had first before going through the whole installation process again.
    Monday, June 15, 2009 1:36 PM
  • Okay, updates: I tried it with the RTM evaluation version with no success.

    However, it does work with RHEL5, so it looks like this problem is specific to RHEL4 for me (although I've seen scattered reports of this in other forums).
    Wednesday, June 17, 2009 4:09 PM
  • Turns out I was still installing with the RC version of the Red Hat client. Installing with the RTM version of the client fixed it.
    Thursday, June 18, 2009 2:45 PM