The SSL Certificate used by the Agent has a configuration error on most of the SCOM Linux Agents

  • Question

  • Hi Folks,

    I'm able to manage and deploy the agents in SCOM; however, I'm getting the error "The SSL Certificate used by the Agent has a configuration error" on most of the Linux Agents.

    Configured 2 Management Servers in a Resource Pool and Exchanged the SCX cert between them. Can someone please help resolving this.



    Regards

    SK
    Friday, May 24, 2019 6:52 AM

Answers

  • Hi All,

    Thanks for your inputs. This has resolved now. As mentioned, I configured a resource pool for 2 Management Servers and exchanged the certificates between them. After all the checking, I just went to the Resource Pool and checked the members: there were 3 Management Servers. I don't remember adding it. Removing the 3rd MS and re-installing the agent made them healthy without any SSL alerts. This is resolved now.

    Regards

    SK

    • Marked as answer by SaiSK Monday, June 3, 2019 10:15 AM
    Monday, June 3, 2019 10:15 AM

All replies

  • Please refer to the following post whether it can solve your issue or not.
    http://systemcentermvp.com/2016/09/19/fixing-ssl-certificate-error-unixlinux-devices/
    roger
    Friday, May 24, 2019 7:14 AM
  • That did not solve it. Exchanged the certificates within the Management Servers, which did not resolve the issue.
    Friday, May 24, 2019 8:01 AM
  • Also, I could see the event 262 in the OpsMgr logs:

    Error scanning logfile /var/log/secure on host XXXXXX.domain as user <SCXUser><UserId>root</UserId><Elev>sudo</Elev></SCXUser>; A security error occurred .

    Initially I was getting the error for my dedicated run as account used for Linux Monitoring. Considering the permission issue, I have changed the run as account to "Root", but I still continue to get the same error. The root account basically has complete permissions.


    • Edited by SaiSK Friday, May 24, 2019 8:08 AM
    Friday, May 24, 2019 8:07 AM
  • Hi,

    Please check the certificate on the Linux agent to see if the name is the FQDN. If not, please change it according to the following article:

    https://support.microsoft.com/en-us/help/4490426/troubleshooting-unix-linux-agent-discovery-in-operations-manager

    Due to the permission error, could you try to grant the previous RunAs account sudo permission to /var/log/secure and see if it is working.

    Hope the information can help.

    Best regards.

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 24, 2019 8:56 AM
  • From both the Management Servers, pick 1 problematic Linux Agent, run the below 2 commands and post the output.

    Replace the server names and username from my example with those of your Linux Agents having the problem. You will be prompted for the Unix/Linux account password in the command prompt. Just enter it (it will be invisible) and press the Enter key:


    1. winrm enumerate http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -auth:basic -remote:https://YOURMACHINEFQDN:1270 -username:LINUXACCOUNT -encoding:utf-8

    2. winrm enumerate http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -auth:basic -remote:https://YOURMACHINEFQDN::1270 -username:LINUXACCOUNT -skipCACheck -skipCNCheck -skiprevocationcheck -encoding:utf-8 


    Gautam.75801

    Friday, May 24, 2019 8:00 PM
  • Hi,

    Did you try the suggestions? If any update, please let us know.

    Best regards.

    Crystal



    Monday, May 27, 2019 5:46 AM
  • Here is the output:

    Management Server1:

    Command1 Output:
    WSManFault
        Message = The server certificate on the destination computer (server name:1270) has the following errors:
    The SSL certificate could not be checked for revocation. The server used to chec
    k for revocation might be unreachable.
    The SSL certificate is signed by an unknown certificate authority.

    Command2 Output:

    WSManFault
        Message = The WS-Management service cannot process the request because port
    :1270 is invalid.

    Error number:  -2144108325 0x803380DB
    The WinRM client cannot process the request because the port specified in the co
    nnection string is not valid. Verify the port and retry the request. Valid value
    s are between 1 and 65535. Change the value for port and try the request again.

    Management Server 2:

    Command 1 Output:

    WSManFault
        Message = The server certificate on the destination computer (server name:1270) has the following errors:
    The SSL certificate could not be checked for revocation. The server used to chec
    k for revocation might be unreachable.
    The SSL certificate is signed by an unknown certificate authority.

    Error number:  -2147012721 0x80072F8F
    A security error occurred

    Command 2 Output:

    WSManFault
        Message = The WS-Management service cannot process the request because port
    :1270 is invalid.

    Error number:  -2144108325 0x803380DB
    The WinRM client cannot process the request because the port specified in the co
    nnection string is not valid. Verify the port and retry the request. Valid value
    s are between 1 and 65535. Change the value for port and try the request again.

    Wednesday, May 29, 2019 11:38 AM
  • Sorry, there were 2 semi colons. I have got the command corrected. Can you run the below and post me the output?

    winrm enumerate http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -auth:basic -remote:https://YOURMACHINEFQDN:1270 -username:LINUXACCOUNT -skipCACheck -skipCNCheck -skiprevocationcheck -encoding:utf-8 


    Gautam.75801

    Wednesday, May 29, 2019 1:03 PM
  • Hi

    From the error message you provided, it seems the root CA certificate is not imported, port 1270 is not invalid. Given the situation, please try the following steps:

    1. On the Linux agent, please import the root CA certificate.
    2. Confirm port 1270 on Linux is open:

    http://ask.xmodulo.com/open-port-firewall-centos-rhel.html

    3. Check the RunAs account to see if it has enough permission:

    https://kevinholman.com/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012/

    Please try the above steps and if you have any questions, please let us know.

    Best regards.

    Crystal



    Friday, May 31, 2019 1:47 AM
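
The two certificate checks discussed in this thread (a subject name equal to the agent FQDN, and an issuer known to every management server in the pool), as an added example that is not part of any post. It assumes OpenSSL is installed, that the agent certificate and the management servers' signing certificates have been copied out as PEM files at paths you supply, and that those signing certificates are accepted by `openssl verify` as trust anchors; `make_demo_certs` builds constructed throwaway certificates for a dry run.

```shell
#!/bin/sh
# Added example. Usage: sh check_scx_cert.sh AGENT_CERT.pem AGENT_FQDN MS_CERTS_BUNDLE.pem
# All three arguments come from the operator; no SCOM path is hard-coded here.

# Return 0 only if the cert names the FQDN and is signed by a cert in the bundle.
check_agent_cert() {
    cert=$1 fqdn=$2 bundle=$3 rc=0
    # The subject may carry several CN values (short name and FQDN); list them all.
    cns=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
          sed -n 's/^ *commonName *= *//p')
    if printf '%s\n' "$cns" | grep -qixF -- "$fqdn"; then
        echo "OK   a subject CN matches $fqdn"
    else
        echo "FAIL no subject CN equals $fqdn (found: $(echo $cns))"; rc=1
    fi
    # Signature check against the management servers' signing certificates.
    # A server whose certificate signed the agent but is missing from the
    # bundle shows up here as an unknown issuer.
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "OK   signed by a certificate in $bundle"
    else
        echo "FAIL issuer not trusted: $(openssl x509 -in "$cert" -noout -issuer)"; rc=1
    fi
    return $rc
}

# Constructed test material: two throwaway "management server" signing certs
# (ms1, ms2) and one agent cert signed by ms1. All names are made up.
make_demo_certs() {
    d=$1
    for ms in ms1 ms2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ms.example.test" \
            -keyout "$d/$ms.key" -out "$d/$ms.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=linux01/CN=linux01.example.test" \
        -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/agent.csr" -CA "$d/ms1.pem" -CAkey "$d/ms1.key" \
        -CAcreateserial -days 1 -out "$d/agent.pem" 2>/dev/null
}

if [ "$#" -eq 3 ]; then check_agent_cert "$@"; fi
```

Run it once per management server in the resource pool, each time with the bundle of certificates that server actually trusts; a FAIL on the issuer line for only one server points at a pool member that never received the signing certificate.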