Cert expired and service will not start

  • Question

  • Hello All,

    I just found out that the self-signed cert I was using on the Center machine has expired. I figured no big deal, I will change out the cert and everything will be fine. I tried to go to the web page to log in to ATA and found no page available. I noticed the service was not running on the Center machine. I tried to start the service and the service will not start. I found the following error in the error logs:

    2018-02-12 17:58:17.7830 1948 5   00000000-0000-0000-0000-000000000000 Error [SecretManager] Microsoft.Tri.Infrastructure.ExtendedException: Certificate is invalid [CertificateThumbprint=C2C1B90EE5CFDBFB6F2A0352EC88864029740A25]
       at Microsoft.Tri.Infrastructure.Framework.SecretManager.UpdateMutableConfiguration(SecretManagerConfiguration configuration)
       at Microsoft.Tri.Infrastructure.ActionExtension.<>c__DisplayClass1_0`1.<ToAsync>b__0(TItem _)
       at Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.<>c__DisplayClass17_0`1.<<RegisterConfigurationAsync>b__0>d.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.<RegisterConfigurationAsync>d__19.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.<RegisterConfigurationAsync>d__17`1.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.RegisterConfiguration[TConfiguration](Action`1 updateMutableConfiguration)
       at Microsoft.Tri.Infrastructure.Framework.SecretManager.OnInitializeAsync()
       at Microsoft.Tri.Infrastructure.Framework.Module.<InitializeAsync>d__18.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Framework.ModuleManager.<OnInitializeAsync>d__4.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Framework.Module.<InitializeAsync>d__18.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Framework.Service.<OnStartAsync>d__10.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)

    I get that the error states that the certificate is invalid, but if I cannot start the service to get into the application to change the cert, I'm in a bit of a spot. If anyone knows a way to correct this without reinstalling, that would be much appreciated.

    Thanks,

    Scott 

    Monday, February 12, 2018 7:40 PM

Answers

  • The reason the docs say that you need to change the cert BEFORE it expires is because it is impossible to do it after that. That's why the system also produces a health alert some time before it sees it's going to happen.

    The reason is that some data is encrypted with this cert, and once expired, you cannot decrypt the data any more...

    That is also why the brave attempt to fix it described in one of the replies eventually failed.


    Tuesday, February 13, 2018 7:21 PM

All replies

  • https://docs.microsoft.com/en-us/advanced-threat-analytics/modifying-ata-center-configuration#the-ata-center-certificate

    Monday, February 12, 2018 8:10 PM
  • I understand that I cannot renew the cert and I need to apply a new one. I have a new cert; however, I cannot apply it, because I cannot get into the application to apply it, because the application will not start, because the old cert has expired. So I need to either start the application somehow or change the cert some other way.

    Thanks,

    Scott

    Tuesday, February 13, 2018 3:38 PM
  • I experienced this problem once. There is a way to get the service running again, but I would not recommend it.

    I ran into other buggy problems afterwards which ultimately made me decide to do a re-install of ATA center and the gateways.

    So the certificate thumbprint is stored in the SystemProfile_date.json file located in folder:

    ..\Microsoft Advanced Threat Analytics\Center\Backup

    This file is created by ATA every hour.

    You can use this file to do a Disaster Recovery of MS ATA, see:

    https://docs.microsoft.com/en-us/advanced-threat-analytics/disaster-recovery

    First, find out what the thumbprints are of the expired and new certificates.

    If you replace the thumbprint of the expired certificate in the .json file with the thumbprint of your new certificate, and follow through the disaster recovery procedure, it will restore your ATA configuration with the new certificate information. The service will start again. However, afterwards I found out I couldn't edit a couple of settings in ATA anymore. As fixing this further got too time consuming, I simply re-installed.

    The Gateway client also has the certificate thumbprint stored in the configuration file, which you also need to edit, if I'm correct.

    ..\Microsoft Advanced Threat Analytics\Gateway\GatewayConfiguration.json

    Tuesday, February 13, 2018 5:42 PM
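The first step of the procedure above (finding the thumbprints of the expired and new certificates and which ATA files reference them) can be done read-only from PowerShell on the Center machine. This is an added example, not code from the thread or from Microsoft; it assumes the default install root `C:\Program Files\Microsoft Advanced Threat Analytics` and does not modify any file.

```powershell
# Added example (not from the thread or from Microsoft): inventory LocalMachine\My
# certificates, flag expired/expiring ones, and list which ATA JSON files mention
# each thumbprint. Read-only: it edits nothing.
param(
    [int]$WarnDays = 30,
    # Assumed default install root; adjust if ATA was installed elsewhere.
    [string]$AtaRoot = 'C:\Program Files\Microsoft Advanced Threat Analytics'
)

$now = Get-Date
# Covers the Center\Backup SystemProfile_*.json files and Gateway\GatewayConfiguration.json
$jsonFiles = Get-ChildItem -Path $AtaRoot -Recurse -Filter *.json -File -ErrorAction SilentlyContinue

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING' } else { 'OK' }

    # Files whose text contains this thumbprint (literal, case-insensitive match)
    $refs = @($jsonFiles | Select-String -Pattern $cert.Thumbprint -SimpleMatch -List |
              Select-Object -ExpandProperty Path)

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        State        = $state
        ReferencedIn = ($refs -join '; ')
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit when a certificate ATA still references is expired or about to expire,
# so a scheduled task can raise an alert while the cert can still be swapped in the UI.
$bad = @($report | Where-Object { $_.State -ne 'OK' -and $_.ReferencedIn })
if ($bad.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it as an administrator so the private-key-bearing certificates in the machine store and the ATA folders are readable; the thumbprints printed are in the same uppercase hex form as the `CertificateThumbprint` in the SecretManager error above.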
  • Thanks a lot for the information. I really appreciate it, I was thinking of going down the road you have mentioned and now will just reinstall. Thanks again.
    Tuesday, February 13, 2018 9:58 PM