ERROR: Certificate couldn't be verified by CA: certificate has expired (10)


Bipin Das

Sep 17, 2019, 9:19:24 AM
to Wazuh mailing list
Hello All,

I have an environment where some agents are working fine, but I am getting the following error while running agent_upgrade from the Manager:

```
var/ossec/bin/agent_upgrade -d -a 003
Manager version: v3.9.3
Agent version: v3.2.2
Agent new version: v3.9.3
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.9.3_linux_x86_64.wpk - SHA1SUM: 7a3c6417f79e05760375d5b05cc58d18850dfc55
Upgrade PKG: wazuh_agent_v3.9.3_linux_x86_64.wpk (4729.5625 KB)
MSG SENT: 003 com open wb wazuh_agent_v3.9.3_linux_x86_64.wpk
RESPONSE: ok
MSG SENT: 003 com lock_restart -1
RESPONSE: ok
Chunk size: 512 bytes
Sending: /var/ossec/var/upgrade/wazuh_agent_v3.9.3_linux_x86_64.wpk
MSG SENT: 003 com close wazuh_agent_v3.9.3_linux_x86_64.wpk
RESPONSE: ok
MSG SENT: 003 com sha1 wazuh_agent_v3.9.3_linux_x86_64.wpk
RESPONSE: ok 7a3c6417f79e05760375d5b05cc58d18850dfc55
WPK file sent
MSG SENT: 003 com upgrade wazuh_agent_v3.9.3_linux_x86_64.wpk upgrade.sh
RESPONSE: err Could not verify signature
Error 1716: Error upgrading agent: Could not verify signature
Traceback (most recent call last):
  File "/var/ossec/framework/scripts/agent_upgrade.py", line 170, in <module>
    main()
  File "/var/ossec/framework/scripts/agent_upgrade.py", line 124, in main
    rl_timeout=-1 if args.timeout == None else args.timeout, use_http=use_http)
  File "/var/ossec/framework/python/lib/python3.7/site-packages/wazuh-3.9.3-py3.7.egg/wazuh/agent.py", line 2214, in upgrade
    raise WazuhException(1716, data.replace("err ",""))
wazuh.exception.WazuhException: Error 1716 - Error upgrading agent: Could not verify signature
root@wazuh-manager:~# 
```

I had checked the Agent and found the error below

```
2019/09/17 14:53:49 ossec-execd: ERROR: Certificate couldn't be verified by CA: certificate has expired (10)
2019/09/17 14:53:49 ossec-execd: ERROR: Error verifying WPK certificate.
2019/09/17 14:53:49 ossec-execd: ERROR: At unsign: Couldn't unsign package file '/var/ossec//var/incoming/wazuh_agent_v3.9.3_linux_x86_64.wpk'
```

I checked the certificate validity and found the following:

```
openssl x509 -enddate -noout -in  /var/ossec/etc/wpk_root.pem
notAfter=Sep  6 14:47:13 2022 GMT
```


As per my understanding, the environment is healthy and all configurations are OK.

Help is really appreciated

Bipindas

David Vidriales

Sep 30, 2019, 5:57:40 AM
to Wazuh mailing list
Hi Bipindas,

First of all, sorry for the late response.

I've been trying to reproduce this and the only way I've been able to is by changing the agent's date to a date after the certificate expires. As I see from your logs, this shouldn't be your case (I see you put logs of 2019/09/17) unless the date was changed temporarily before this. Is it possible that you're using a different certificate from the one you checked? I mean if you had configured a different certificate in the <active-response> section of your agent's ossec.conf.

Best regards,
David
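The two checks David describes (the agent's clock against the certificate's expiry, and whether ossec.conf points at a different CA file), as an added example that is not part of the thread or of Wazuh's own code. It assumes the agent's `<active-response>` section names its CA with the `<ca_store>` option and that log timestamps can be read as UTC; the function names are illustrative.

```python
import re
import subprocess
from datetime import datetime, timezone

DEFAULT_CA = "/var/ossec/etc/wpk_root.pem"  # the file checked in the thread

def configured_ca_stores(conf_text):
    """CA paths an agent's ossec.conf sets via <active-response><ca_store>."""
    conf_text = re.sub(r"<!--.*?-->", "", conf_text, flags=re.S)  # skip commented-out config
    stores = []
    for block in re.findall(r"<active-response>(.*?)</active-response>", conf_text, re.S):
        stores += [p.strip() for p in re.findall(r"<ca_store>(.*?)</ca_store>", block, re.S)]
    return stores or [DEFAULT_CA]  # assumption: the default applies when none is set

def parse_not_after(line):
    """Parse 'notAfter=Sep  6 14:47:13 2022 GMT' (openssl x509 -enddate output)."""
    value = line.strip().split("=", 1)[1]
    if not value.endswith(" GMT"):
        raise ValueError("unexpected -enddate format: %r" % line)
    return datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def agent_clock(log_line):
    """Clock value the agent stamped on an ossec-execd log line.
    Assumption: local log time is read as UTC, so allow for the zone offset."""
    return datetime.strptime(log_line[:19], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def expired_at(not_after_line, when):
    """True if the certificate was already past notAfter at time `when`."""
    return when > parse_not_after(not_after_line)

def openssl_enddate(path):
    """Run the same openssl command used in the thread against one CA file."""
    return subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                          check=True, capture_output=True, text=True).stdout

def triage(conf_path, log_line):
    """Map each configured CA file to whether it was expired when the error was logged."""
    with open(conf_path) as fh:
        stores = configured_ca_stores(fh.read())
    when = agent_clock(log_line)
    return {ca: expired_at(openssl_enddate(ca), when) for ca in stores}

if __name__ == "__main__":
    # Values quoted in the thread; the ossec.conf fragment is constructed.
    log = "2019/09/17 14:53:49 ossec-execd: ERROR: Error verifying WPK certificate."
    print(expired_at("notAfter=Sep  6 14:47:13 2022 GMT", agent_clock(log)))
    sample = "<active-response><ca_store>/etc/custom_ca.pem</ca_store></active-response>"
    print(configured_ca_stores(sample))
```

On an agent, `triage("/var/ossec/etc/ossec.conf", log_line)` runs openssl against every CA file the configuration actually names, not only the default one.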