Error Message "Signed certificate verification operation was not successful"

    Question

  • I am trying to deploy a Linux agent and I am getting the error below. OpsMgr discovers the target machine fine, but it appears to fail to ... I get this below when I tell System Center to "manage". We are using SCOM 2012 SP1, CU2.

    We have no trouble monitoring CentOS, Solaris, etc... this is one of those Scientific Linux machines we want to monitor. I don't believe Microsoft supports the Scientific Linux distribution, but we need this monitored and I can't figure this out. Anyone familiar with the error message below?

    thanks,

    Andrew

    Agent verification failed. Error detail: The server certificate on the destination computer (mydevlinuxbox.com:1270) has the following errors:
    The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.     
    The SSL certificate contains a common name (CN) that does not match the hostname.     
    It is possible that:
       1. The destination certificate is signed by another certificate authority not trusted by the management server.
       2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: mydevlinuxbox.com.
       3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.

    The server certificate on the destination computer (mydevlinuxbox.com:1270) has the following errors:
    The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.     
    The SSL certificate contains a common name (CN) that does not match the hostname.     
    It is possible that:
       1. The destination certificate is signed by another certificate authority not trusted by the management server.
       2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: mydevlinuxbox.com.
       3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.



    Tuesday, September 10, 2013 6:14 PM

Answers

  • Most likely the system name for the Linux system "mydevlinuxbox.com" does not match what is in your DNS. SCOM will look up the name in DNS and see if it matches the name that was generated in the certificate of the agent. If they do not match, you will see the error you posted.

    On the agent run:

    openssl x509 -in /etc/opt/microsoft/scx/ssl/scx.pem -text

    Look at the CN name returned and see if it matches what an nslookup returns for the system from the SCOM server. If it does not, then this is your problem. You can either fix the DNS entry or, if you want to rename the name in the certificate to match what is in DNS, run the following command on the agent.

    /opt/microsoft/scx/bin/tools/scxsslconfig -h <hostname> -d <domain name> -f -v

    Where <hostname> and <domain name> are the DNS versions.

    Once complete re-run the discovery wizard in SCOM and see if it can now manage the agent.

    Regards,

    -Steve

    Tuesday, September 10, 2013 7:23 PM
    Moderator
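
    The CN-versus-DNS comparison described in the answer above, as an added example (not part of the original post and not Microsoft's tooling). The function names are hypothetical, and treating a match on any CN in the subject as a pass is an assumption, not SCOM's documented validation logic.

```sh
#!/bin/sh
# Added example: compare the CN value(s) in the agent certificate with the
# FQDN that the management server resolves for the agent.

# Print every CN from an RFC 2253 subject line, one per line, lower-cased.
# Simplification: assumes no escaped commas inside values (true for host names).
subject_cns() {
    printf '%s\n' "$1" |
        sed -e 's/^subject= *//' |
        tr ',' '\n' |
        sed -n -e 's/^ *[Cc][Nn] *= *//p' |
        tr '[:upper:]' '[:lower:]'
}

# Return 0 if any CN in the subject equals the expected FQDN (case-insensitive).
cn_matches() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    subject_cns "$1" | grep -Fqx -- "$want"
}

# Read the subject from a PEM file with openssl and report the comparison.
# Exit status: 0 match, 1 mismatch, 2 certificate could not be read.
check_agent_cert() {
    pem=$1
    fqdn=$2
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
    echo "CN values in $pem:"
    subject_cns "$subject" | sed 's/^/  /'
    if cn_matches "$subject" "$fqdn"; then
        echo "OK: a CN matches $fqdn"
    else
        echo "MISMATCH: no CN equals $fqdn"
        return 1
    fi
}

# Run only when called with two arguments, for example:
#   sh check_cn.sh /etc/opt/microsoft/scx/ssl/scx.pem <FQDN from nslookup>
if [ "$#" -eq 2 ]; then
    check_agent_cert "$1" "$2"
fi
```

    Pass the name that nslookup returns on the SCOM server as the second argument; a mismatch result is the case where the answer's DNS fix or scxsslconfig step applies.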

All replies

  • Some of the troubleshooting I've done so far are shown below...

    -bash-4.1# scxadmin -status
    scxcimserver: is running
    scxcimprovagt: 1 instance running

    -bash-4.1# /opt/microsoft/scx/bin/tools/scxcimcli xq -n root/scx "Select * from SCX_Agent"
    path= //mydevlinuxbox/root/scx:SCX_Agent.Name="scx"

    //Instance of SCX_Agent
    instance of SCX_Agent
    {
    ElementName = NULL;
    InstallDate = "20130910124132.000000+000";
    OperationalStatus = NULL;
    StatusDescriptions = NULL;
    Status = NULL;
    HealthState = NULL;
    Name = "scx";
    Caption = "SCX Agent meta-information";
    Description = "Labeled_Build - 20121017";
    VersionString = "1.4.0-906";
    MajorVersion = 1;
    MinorVersion = 4;
    RevisionNumber = 0;
    BuildNumber = 906;
    BuildDate = "2012-10-17T00:00:00Z";
    Architecture = "x64";
    OSName = "Scientific Linux release 6.1 (Carbon)";
    OSType = "Linux";
    OSVersion = "2.6";
    KitVersionString = "1.4.0-906";
    Hostname = "mydevlinuxbox.com";
    OSAlias = "UniversalR";
    UnameArchitecture = "x86_64";
    MinActiveLogSeverityThreshold = "INFO";
    MachineType = "Physical";
    PhysicalProcessors = 2;
    LogicalProcessors = 16;
    };
    -bash-4.1#

    -bash-4.1# netstat -punta | grep ":1270"
    tcp        0      0 :::1270                     :::*                        LISTEN      21747/scxcimserver





    Tuesday, September 10, 2013 6:20 PM
  • Here below is some additional information

    ----------------------------------------------

    winrm enumerate http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -username:root -password:<root password> -r:https://<RHEL server>:1270/wsman -auth:basic -skipCACheck -skipCNCheck -skiprevocationcheck -encoding:utf-8 

    SCX_Agent
        Architecture = x64
        BuildDate = 2012-10-17T00:00:00Z
        BuildNumber = 906
        Caption = SCX Agent meta-information
        Description = Labeled_Build - 20121017
        ElementName = null
        HealthState = null
        Hostname = mydevlinuxbox.com
        InstallDate = 2013-09-10T12:41:32Z
        KitVersionString = 1.4.0-906
        LogicalProcessors = 16
        MachineType = Physical
        MajorVersion = 1
        MinActiveLogSeverityThreshold = INFO
        MinorVersion = 4
        Name = scx
        OSAlias = UniversalR
        OSName = Scientific Linux release 6.1 (Carbon)
        OSType = Linux
        OSVersion = 2.6
        OperationalStatus = null
        PhysicalProcessors = 2
        RevisionNumber = 0
        Status = null
        StatusDescriptions = null
        UnameArchitecture = x86_64
        VersionString = 1.4.0-906



    Tuesday, September 10, 2013 6:25 PM
  • Also, I can telnet into my Linux machine on 1270 from my OpsMgr box, and my IPv6 table looks like this below

    -bash-4.1# cat /etc/sysconfig/ip6tables
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
    COMMIT
    -bash-4.1#



    Tuesday, September 10, 2013 6:31 PM
  • I renamed the name in the certificate and I am golden.

    Steve, you da man !!!

    Now we got our Scientific Linux monitored successfully.  Thanks so much.



    Tuesday, September 10, 2013 7:34 PM
  • I did change the name in my case, yet the signing and validation failed.

    Thursday, July 5, 2018 3:29 PM
  • Hi Steve,

    Your solution is perfect. But even though the Linux machine name already resolves properly on both sides, why do we still face this issue? Resolution works fine from both sides.


    Omkar umarani SCOM STUDENT


    Thursday, August 2, 2018 5:57 AM
  • Your comment was very helpful. Thanks
    Friday, October 5, 2018 10:16 AM