ZCM Server certificate renewal with external CA - error that the certificate verification failed

Hello, our certificate for our ZCM server runs out on 21.03.2024. I started the renewal process by generating the CSR and creating a certificate with our PKI. I then imported the .pem via Configuration --> Certificates and started the reminting. After some days I looked into the server and encountered the following error. I then uploaded the .pem and .key, both named with the server name, into opt/zenworks/remint-repo.

Then I tried to refresh the device. But the error still occurs. Since the clock is ticking and I didn't find the error, I wonder if you can help me find a solution. I am not sure how I can (maybe via console) force the certificate update to start deploying the new cert to the clients ASAP. As I understand it, on 22.03.2024 every client without the new certificate will cease to contact the server. We also run an Active Directory; is there a way to force the deployment of that certificate via this when the deadline has passed? As a plan B, I mean ...

Device: Server1
Status: Certificate Verification Failed
Description: Server Certificate is neither found in database nor at location ZENworks_home/remint-repo.
You can import the server certificate through zcc or place the certificate manually in remint-repo folder.
Error will be removed in next verification schedule if certificate is found at time.
Status Updated On: Mar 1, 2024 5:30:26 PM

Thank you ...

  • Hi Tobias,

    Are you reminting the server certificate, or migrating your CA root?


    To test the certificate after importing it on the server, you can use the command "zac cv" on the server. This command directly checks your new certificate against the key and root CA in remint-repo.

    There is a log file at /var/opt/microfocus/log/zenworks/microfocus-zenworks-configure.log. It shows whether the error is because the key pair isn't valid, or because the certificate can't be validated since the FQDN of your server doesn't match the server name in your certificate.
    Normally, the server name in the certificate should correspond to the FQDN of the server.

    For the first case, most of the time this is due to the key not being in the right format. You can try this command:

    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in [key_name_file] -out key.der

    For the second case, you can check whether the hostname is the same as the server name in your certificate:

    use the "hostname" command.

    If the hostname isn't the same as the server name in your certificate, you can add the server name from the certificate to /etc/hosts.

    Example:

    IP_Address_of_Server the_server_name_in_the_certificate hostname

    Afterwards, you can use "zac cv" to check certificate validation.

    If that doesn't solve it, you can open an issue at https://portal.microfocus.com with your customer account.

  • If Adrien's comments do not help, a service request may help.

    Go through the documents here....

    https://www.novell.com/documentation/zenworks-23.4/zen_certificates/data/t457oyo6x90k.html#b1f0lvte

    --

    It sounds as if you are simply reminting your Server Cert and not trying to change your Certificate Authority.  These are two VERY different things.

    There is nothing to push out with Active Directory for a SERVER CERT Change....AD would push out trusts for a New CA.

    It sounds like you are doing just a Server Cert so nothing needs to get pushed to all your devices....This will primarily just be an internal process for your Primary Server to verify the new cert and get it inserted into its web services.  Non-Primary Servers are only alerted when it's a CA Change.  They are not sent any details about server cert changes.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • Thank you for your reply. I mean that interface. I thought this would be for communication between ZCM server and Zen-Agents though.

    As you see I have applied the Root CA certificate and tried to push a new certificate to the server.

  • Thank you Tobias,
    I suppose the Update Status is "Certificate verification failed"?

    If so, go onto the ZENworks server (SSH for Linux or RDP for Windows) to check the log file microfocus-zenworks-configure.log.

    It is located at:

    - Linux: /var/opt/microfocus/log/zenworks/microfocus-zenworks-configure.log

    - Windows: %ZENSERVER_HOME%\logs\microfocus-zenworks-configure.log

    Kind Regards,

  • Most of this article does not apply to you because it's about Internal CAs, but the part about pushing the trust via GPO does.

     ZENworks: Tips and Tricks for Reminting an Internal ZENworks Certificate Authority (CA) 

    You want to push out a trust for the new External CA.  This can be done in advance now via GPOs....But your PCs likely already trust that Public AAA CA.  Pushing Trusts for changed CAs is when they are non-public such as the internal ZENworks CA or perhaps the use of any updated Windows AD CA or eDirectory CA if they are expiring as they would be considered external.

    You are still free to push out a trust via GPO for the AAA Cert, just in case some device is missing it.  This can be done now without any need to wait.

    However, I'm still worried about the error you noted.  If this is not resolved, the new Cert will likely not be used by the Server on the Activation Date.


  • Thank you, so is it the case that this cert is used for communication between agent and server? And when I fail to solve the problem, the agents won't communicate with the server?

    Just want to be sure ...

    I think that the CA is already trusted by the clients. But I am not sure if the Zen agents then also trust the new certificate if not explicitly told so via the server before the 21st.

  • If you fail to solve that issue....the new Cert will not be used by the ZCM Web Services and the old cert will remain in place.  When that cert expires, communication will break.  Since it's a public CA.....As soon as the new cert is successfully in use by the ZCM Web Services, devices should talk successfully since it's a PUBLIC CA and they will already trust it.  You can use AD GPOs to also push the trust in case any devices are missing the trust.  ZCM will also try and push that trust via a System Update Job, but that needs to happen before the new CA goes live.  I always recommend using the GPO as backup for Non-Public CAs; it is likely less urgent if a random check of your devices shows that particular CA is already trusted by your devices.  Keep in mind that many public CAs have more than one CA so you need to make sure the one you are using is the one devices have. 


  • Note: On my machine...I only see one "AAA" CA.  And it is a VERY OLD SHA-1 CA.

    is the AAA CA you are using different?  Is it still SHA-1?

    You will have issues with any Cert issued by a SHA-1 CA with current versions of ZENworks due to OpenSSL now disallowing them by default in current versions.  I think it's only an issue with 23.4 (or maybe 23.4) due to the updated OpenSSL on those versions.

    You want to make sure your CA is SHA-256 or Greater.....That could explain why the remint fails if your ZCM server is current.

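The checks Adrien describes above (the key pair matches the certificate, the certificate validates against the root CA placed in remint-repo, and the server name in the certificate matches the FQDN the server reports), together with Craig's warning about SHA-1-signed CAs, as one added shell script. This is not part of the thread and not ZENworks code; it only approximates what "zac cv" checks, using the openssl CLI. The function names, the file names, and the FQDN zcm01.example.test are assumptions. make_test_material builds a throwaway CA and server certificate so the script can be run offline; against a real server you would point check_remint_material at the files you placed in the remint-repo folder and at the output of "hostname -f".

```shell
#!/bin/sh
# Added example, not part of the thread or of ZENworks: approximate the checks
# "zac cv" performs (key/cert match, chain to the CA in remint-repo, server
# name vs. FQDN) plus a SHA-1 signature check, using only the openssl CLI.
# File names, the FQDN zcm01.example.test and function names are assumptions.
set -eu

# check_remint_material CERT KEY CA FQDN
# Returns 0 if everything is consistent, 1 on the first failing check.
check_remint_material() {
    crt=$1; key=$2; ca=$3; fqdn=$4

    # 1. Key pair: the public key inside the cert must equal the one derived
    #    from the private key. Try PEM first, then DER (Adrien's pkcs8 output).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null ||
              openssl pkey -in "$key" -inform DER -pubout 2>/dev/null) ||
        { echo "FAIL: $key is not a readable PEM or DER private key"; return 1; }
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: private key $key does not match certificate $crt"; return 1; }

    # 2. Chain: the server cert must validate against the CA file in remint-repo.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not chain to $ca"; return 1; }

    # 3. Name: the FQDN the server reports must be a SAN (or the CN) of the cert.
    openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q 'does match certificate' ||
        { echo "FAIL: $fqdn is not a subject name of $crt (compare with hostname -f)"; return 1; }

    # 4. Signature algorithm: current OpenSSL rejects SHA-1 signatures, so flag
    #    them on either the server cert or the CA cert.
    for f in "$crt" "$ca"; do
        if openssl x509 -in "$f" -noout -text | grep -qi 'Signature Algorithm: sha1'; then
            echo "FAIL: $f is signed with SHA-1; reissue from a SHA-256 CA"; return 1
        fi
    done
    echo "OK: $crt, $key and $ca are consistent for $fqdn"
}

# make_test_material DIR FQDN
# Constructed test data (not real PKI output): a SHA-256 test CA, a server cert
# for FQDN signed by it, the matching key in PEM and in PKCS#8 DER form.
make_test_material() {
    dir=$1; name=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.cert" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null
    # Same conversion Adrien suggests; the check above accepts this DER form too.
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
        -in "$dir/server.key" -out "$dir/server.der"
}

# Usage: "sh remint-check.sh demo" runs the checks against the constructed data;
# otherwise copy check_remint_material into your own script.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_material "$work" zcm01.example.test
    check_remint_material "$work/server.pem" "$work/server.key" "$work/ca.cert" zcm01.example.test
    check_remint_material "$work/server.pem" "$work/server.der" "$work/ca.cert" zcm01.example.test
    check_remint_material "$work/server.pem" "$work/ca.key" "$work/ca.cert" zcm01.example.test || true
    check_remint_material "$work/server.pem" "$work/server.key" "$work/ca.cert" other.example.test || true
    rm -rf "$work"
fi
```

The demo run passes for the PEM and the DER key, then fails twice on purpose: once with the wrong private key (the "key pair isn't valid" case) and once with a hostname that is not in the certificate (the "FQDN doesn't match" case). The /etc/hosts workaround from the thread only helps with the second case; the first needs the correct key file, and a SHA-1 failure needs a new certificate from a SHA-256 CA.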

  • This is the cert in the Zone CA set:

    "zac cv" doesn't work, and in the log it's the following:

    [DEBUG] [03/13/2024 16:25:25.187] [1] [ConfigureServer] [1] [root] [ConfigureUtility] [] [(ConfigureServer) Initialized...] [] [] [] [ConfigureUtility]
    [DEBUG] [03/13/2024 16:25:25.196] [1] [ConfigureServer] [1] [root] [ConfigureUtility] [] [Configure server listening on port : 31582] [] [] [] [ConfigureUtility]
    [DEBUG] [03/13/2024 16:25:25.199] [1] [ConfigureServer] [1] [root] [ConfigureUtility] [] [(ConfigureServer) Info: Configure service started & listening for connections @ port 31582] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:25.985] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [suguid:5000000000fc50000000202403011730] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:25.985] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [caType:External] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:25.985] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [remintType:server] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:25.985] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [caCommonName(cn):AAA Certificate Services] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:25.986] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [RemintMode (rmode):manual] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:58.362] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [Obtained the list of canceled remints.] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:58.363] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [Unable to delete/Already deleted all the files from previous Remint operation : 5000000000fc50000000202303210919] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:58.364] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [Unable to delete/Already deleted all the files from previous Remint operation : 5000000000fc50000000202403011626] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:58.368] [1] [PrimaryServerCertActivator] [15] [root] [ConfigureUtility] [] [Content of file /etc/opt/microfocus/zenworks/security/5000000000fc50000000202403011730/externalRemintInProgress : null] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:58.447] [1] [PrimaryServerCertActivator] [15] [root] [ConfigureUtility] [] [Validated CA certificate, certificatefile :/opt/novell/zenworks/remint-repo/ca.cert] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:58.602] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [Updated system update status, Status=CERTIFICATE_VERIFICATION_FAILED Message=SERVER_CERTIFICATE_NOT_FOUND] [] [] [] [ConfigureUtility]
    [INFO] [03/13/2024 16:25:58.609] [1] [ZENworksConfigure] [15] [root] [ConfigureUtility] [] [ActivateCertificateConfigureAction complete!] [] [] [] [ConfigureUtility]

    When I try the command from Adrien I get the following error:

    Could the certificate file be faulty? Can I stop the remint process and start over from scratch with new request etc?

    God, I hate certification ;-)

    Thank you for your support.

  • The problem is that the server name in your certificate is not valid:

    [INFO] [03/13/2024 16:25:58.602] [1] [ActivateCertificateConfigureAction] [15] [root] [ConfigureUtility] [] [Updated system update status, Status=CERTIFICATE_VERIFICATION_FAILED Message=SERVER_CERTIFICATE_NOT_FOUND] [] [] [] [ConfigureUtility]

    I think you should try adding the server name from the certificate to /etc/hosts. Before doing this, back up the file.

    Example:

    IP_Address_of_Server the_server_name_in_the_certificate hostname

    Afterwards, you can use "zac cv" to check certificate validation.