Linux certificate signing issue

    Question

  • An issue has popped up on a couple of Oracle Linux 6.6 servers when signing the certificate. The error message is:

    "Certificate signing operation was not successful" and the details are

    "Task invocation failed with error code -2130771868. Error message was:"  

    There is no error message. I did restart the SCOM service as I have read on some posts but that did not make a difference. For some reason this is affecting only a couple of my Oracle Linux 6.6 servers. I was able to install the agent on others without issue.

    Thanks,

    Rene

    Tuesday, March 14, 2017 2:48 PM

All replies

  • Hi Rene,

    this is not a "common" cert signing error message indeed. How are your systems connected to the resource pool members? Do you have a good network connection to them? I am asking because of this particular post:

    How to change default timeout for linux agent installation file copy

    Could it be that you are facing the same issue?

    Have you tried manually installing the agent, copying the certificate to a MS, signing it there and copying it back to the Linux system? If you do this you will only have to discover the Linux system afterwards.

    You can find the details in regards to the procedure here:

    Install agent and certificate on UNIX and Linux computers using the command line

    and here

    SCOM 2012 R2: Manually installing and troubleshooting Linux/UNIX Agents

    Give it a try. Sometimes the devil is in the network (or they say so :) )

    Regards,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!)

    Tuesday, March 14, 2017 2:58 PM
  • Hi Stoyan,

    I have tried installing the agent manually with the same issue.  I have not tried copying the file and signing it on the management server.  One question about that process.  I notice that the documentation states that I am to copy the scx-host-<hostname>.pem file from the /etc/opt/microsoft/scx/ssl directory.  However on my instance all there is on that directory is the scx.pem file. Do I use that one then?

    Thanks,

    Rene

    Tuesday, March 14, 2017 3:09 PM
  • Hi Rene,

    absolutely. You use this scx.pem file, copy it to the MS and rename it to "scx-host-<hostname>.pem" prior to signing it.

    Afterwards you put the "scx-host-<hostname>.pem" back in the same directory, restart the agent service and try to discover the system.

    Regards,


    Stoyan

    Tuesday, March 14, 2017 3:16 PM
  • I followed the documentation on signing the cert on the management server and copying back the new one. I have the same issue. Upon further investigation I find that on another server where the agent is installed on Oracle Linux, the cert scx.pem is a link to the omi.pem cert. Replacing it with a new cert as per the documentation breaks the link. I should mention that I am using SCOM 2016 and using the file scx-1.6.2-337.universalr.1.x64.sh to install the agent. I am wondering if things have changed since the previous version. Do you know of any logs that this install may generate?

     ssl]# ls -al
    total 8
    drwxr-xr-x. 2 root root 4096 Mar  1 08:34 .
    drwxr-xr-x. 4 root root 4096 Mar  1 08:34 ..
    lrwxrwxrwx. 1 root root   24 Mar  1 08:34 scx.pem -> /etc/opt/omi/ssl/omi.pem

    Thanks again,

    Rene


    • Edited by rene_paq Tuesday, March 14, 2017 7:39 PM
    Tuesday, March 14, 2017 6:40 PM
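
Added example (not part of the original thread and not Microsoft's tooling): shell functions for the layout described in the post above, where scx.pem is a symlink to /etc/opt/omi/ssl/omi.pem and replacing the file breaks the link. The function names are hypothetical, and writing the signed certificate through the link rather than over it is an assumption about the desired end state.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are the ones quoted in the thread.
SCX_PEM="${SCX_PEM:-/etc/opt/microsoft/scx/ssl/scx.pem}"

# Report how the certificate path is laid out on disk:
# "missing", "regular", "symlink -> <target>" or "dangling -> <target>".
cert_link_status() {
    p="$1"
    if [ -L "$p" ]; then
        if [ -e "$p" ]; then
            echo "symlink -> $(readlink "$p")"
        else
            echo "dangling -> $(readlink "$p")"
        fi
    elif [ -f "$p" ]; then
        echo "regular"
    else
        echo "missing"
    fi
}

# Print subject, issuer and validity dates so the certificate can be
# compared before and after it is signed on the management server.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Write the signed certificate INTO the existing file, following the symlink,
# instead of moving a new file over the link. The inode, owner and mode of the
# target stay as they were, and the previous certificate is kept as <target>.bak.
install_signed_cert() {
    signed="$1"
    dest="$2"
    target="$(readlink -f "$dest")" || return 1
    if [ ! -f "$target" ]; then
        echo "no existing certificate behind $dest" >&2
        return 1
    fi
    cp -p "$target" "$target.bak" || return 1
    cat "$signed" > "$target"
}

# Run as "script --check" on the agent host to inspect the live certificate.
if [ "${1:-}" = "--check" ]; then
    echo "$SCX_PEM: $(cert_link_status "$SCX_PEM")"
    cert_summary "$SCX_PEM"
fi
```
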
  • Hi Rene,

    you should be able to find the agent logs under /etc/opt/microsoft/scx/log.

    Regards,


    Stoyan

    Wednesday, March 15, 2017 8:57 AM
  • There are no logs in that folder. I found one in /opt/microsoft/scx/log but there is really nothing in there to help troubleshoot the issue. 
    Wednesday, March 15, 2017 4:53 PM
  • I was able to enable verbose logging on the scx log however there was still nothing in the log that helps.  I am at a loss.  My two most critical servers and I cannot seem to get the agent to work on them.  I have tried everything I can think of. Manual install, signing the cert locally on the management server, examining any log that I can find that may relate, using different accounts.  All the results end up with the same error message. Is there anyone out there that had this issue and beat it?

    Thanks,

    Rene

    Wednesday, March 15, 2017 6:57 PM
  • I have also looked in the Windows management server event logs but nothing is showing up there either. Are there any other logs on the Windows server that would help?

    Rene

    Thursday, March 16, 2017 7:30 PM
  • Can you please take a look at :

    https://social.technet.microsoft.com/Forums/en-US/ec8ae7b6-189f-457d-863c-e2ef379cc432/scom-recovery-task-times-out-after-5-minutes-with-error-2130771868?forum=operationsmanagergeneral

    Friday, March 17, 2017 10:52 PM
  • What is your SCOM version? Try updating to the last UR version.
    Monday, March 20, 2017 5:23 PM
  • Hi Nirbhay,

    Not sure how this will help.  I am dealing with discovery and agent install while your link is dealing with a task that can be modified.  If you can show me how I can relate to my issue that would be great.

    Rene

    Monday, March 20, 2017 5:56 PM
  • I am on SCOM 2016.
    Monday, March 20, 2017 5:56 PM
  • Hi,

    Please try restarting HealthService, SystemCenter Config and SystemCenter data access service. If this does not help:

    Go to the Monitoring -> Tasks status and see what task is failing (Discovery of unix/linux from Console is just running multiple Tasks). Then go to the Authoring Pane, try to find the task and try to update the time. But first please try restarting all the SCOM Services.

    Thanks,

    Nirbhay Singh

    Monday, March 20, 2017 9:37 PM
  • Hi Nirbhay,

    I believe that I found the task in the authoring pane.  The problem is that I cannot make the change to the timeout setting from the view.  Where would I make this change?

    Thanks again.

    Rene

    Tuesday, March 21, 2017 1:42 PM
  • Hi,

    I believe you have already tried restarting all the SCOM Services.

    Well, please make sure to look in the tasks status window as to which Task is failing. If you cannot create an override, you can export the MP, edit the XML manually and import the MP into SCOM.

    Thanks,

    Nirbhay Singh 

    Tuesday, March 21, 2017 3:09 PM
  • Hi Nirbhay,

    The problem is that the MP is sealed and I cannot export a sealed MP.

    Thanks,

    Rene

    Wednesday, March 22, 2017 7:27 PM
  • Please check these links to export the Sealed MP :

    https://blogs.technet.microsoft.com/jonathanalmquist/2009/03/30/export-a-management-pack/

    https://social.technet.microsoft.com/Forums/systemcenter/en-US/7cf44788-cd2f-4910-8c90-bfdb88a1d49f/how-could-i-export-all-sealed-mp-to-a-folder?forum=operationsmanagermgmtpacks

    Thursday, March 23, 2017 9:55 AM