Automic Workload Automation


Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

  • 1.  Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Posted Feb 22, 2023 03:23 PM

    Dear Experts,

    We have recently upgraded to Version 21.0 SP5 and, post upgrade, we are noticing some errors in the Unix Agent log file. I'm not sure what mistake I have made here. I just followed the steps below:

    1. Created a JKS file for Tomcat, signed by the internal CA. The certificate contains the URL of the AWI and the physical hostname as SAN. Both are set up with fully qualified domain names.
    2. From that JKS file, I created a file for the Automic Engine with the Export Key Pair option in KeyStore Explorer.
    3. I placed the file in the bin directory of the AE folder and added the details in the Authorization section of the AE INI file.
    4. Then in the Agent trustedCertFolder, I placed the internal ROOT.CER and SSL.CER and the full certificate of the file that is placed in the AE bin folder.
    5. The agent is getting connected to the AE without any problem and the TLS option is enabled. However, in the Unix Agent log file, I'm seeing the below error.

    I'm not sure what mistake I have made here or whether any other action is pending. Could you please guide me here?

    20230222/202817.678 - U02000379 Initiating connection to server 'SBX' using WebSocket URI: 'XXXXXXXX:8443/agent'.
    20230222/202817.707 - U02000377 Certificate loaded from file '/etc/pki/tls/certs/ca-bundle.crt'.
    20230222/202817.707 - U02000378 Loading certificates from directory: '/home/unicntrl/automic/agents/CWHQ_SBX/certs/'.
    20230222/202817.712 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/Root.cer'.
    20230222/202817.714 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/ssl.cer'.
    20230222/202817.716 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/tomcat.crt'.
    20230222/202817.716 - U02000398 Loading certificates from the directory './security' that is specified in the parameter'AgentSecurityFolder'.
    20230222/202817.718 - U02000376 Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.
    20230222/202817.741 - U02000313 Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.
    20230222/202817.741 - U02000010 Connection to Server 'SBX/172.28.146.119:8443' terminated.
    20230222/202817.741 - U02000072 Connection to system 'SBX' initiated.
    20230222/202817.741 - U02000379 Initiating connection to server 'SBX' using WebSocket URI: 'automic-sbx.XXXX.com8443/agent'.
    20230222/202817.768 - U02000377 Certificate loaded from file '/etc/pki/tls/certs/ca-bundle.crt'.
    20230222/202817.768 - U02000378 Loading certificates from directory: '/home/unicntrl/automic/agents/CWHQ_SBX/certs/'.
    20230222/202817.769 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/Root.cer'.
    20230222/202817.769 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/ssl.cer'.
    20230222/202817.770 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/tomcat.crt'.
    20230222/202817.770 - U02000398 Loading certificates from the directory './security' that is specified in the parameter'AgentSecurityFolder'.
    20230222/202817.773 - U02000376 Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.
    20230222/202817.813 - U02000004 Connection to Server 'SBX#CP001' successfully created.
    20230222/202817.813 - U02000297 Agent doesn't have valid certificate, requesting new one from server.
    20230222/202817.833 - U02000401 Received JCP server list: 'https://XXXXXXXX:8443/'
    20230222/202818.092 - U02000298 New certificate stored at path './security/CWHQ.cert', expiration '20240219/192601'.
    20230222/202818.095 - U02000314 Initial challenge has been requested.
    20230222/202818.128 - U02000316 Challenge procedure has been successfully performed.
    20230222/202818.152 - U02000377 Certificate loaded from file '/etc/pki/tls/certs/ca-bundle.crt'.
    20230222/202818.153 - U02000378 Loading certificates from directory: '/home/unicntrl/automic/agents/CWHQ_SBX/certs/'.
    20230222/202818.155 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/Root.cer'.
    20230222/202818.157 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/ssl.cer'.
    20230222/202818.158 - U02000377 Certificate loaded from file '/home/unicntrl/automic/agents/CWHQ_SBX/certs/tomcat.crt'.
    20230222/202818.158 - U02000398 Loading certificates from the directory './security' that is specified in the parameter'AgentSecurityFolder'.
    20230222/202818.160 - U02000376 Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.
    20230222/202818.161 - U02000377 Certificate loaded from file './security/CWHQ.cert'.
    20230222/202818.164 - U02000377 Certificate loaded from file './security/CWHQ_ca.pem'.
    20230222/202818.164 - U02003057 Agent process 'LISTENER0' with PID='62001' is up and running.

    And from time to time, we are getting the below error in the log file too:

    20230222/203241.069 - U02000313 Communication error with partner '*ACCEPT(1)', error: 'TLS-handshake/67625064(bad signature (rsa routines, RSA_verify_PKCS1_PSS_mgf1))'.
    20230222/203241.069 - U02000313 Communication error with partner '*ACCEPT(1)', error: 'TLS-handshake/67625064(bad signature (rsa routines, RSA_verify_PKCS1_PSS_mgf1))'.

    Below is the INI file content:

    20230222/202817.676 - U02000037 Started Agent with INI file '/home/unicntrl/automic/agents/CWHQ_SBX/bin/ucxjlx6.ini'.
    20230222/202817.676 -          [GLOBAL]
    20230222/202817.677 -          ;
    20230222/202817.677 -          name = CWHQ
    20230222/202817.677 -          ;
    20230222/202817.677 -          system = SBX
    20230222/202817.677 -          ;
    20230222/202817.677 -          language = (E,D)
    20230222/202817.677 -          ;
    20230222/202817.677 -          logging = ../temp/uCWHQ_SBX_l##.txt
    20230222/202817.677 -          ;
    20230222/202817.677 -          logCount = 10
    20230222/202817.677 -          ;
    20230222/202817.677 -          helplib = ucx.msl
    20230222/202817.677 -          ;
    20230222/202817.677 -          killSignal = SIGKILL
    20230222/202817.677 -          ;
    20230222/202817.677 -          login_Check = no
    20230222/202817.677 -          ;
    20230222/202817.677 -          open_File_Max = 32768
    20230222/202817.677 -          ;
    20230222/202817.677 -          readUserAlways = no
    20230222/202817.677 -          ;
    20230222/202817.677 -          reportMode = 600
    20230222/202817.677 -          ;
    20230222/202817.677 -          uc_User_Type = EXCL
    20230222/202817.677 -          ;
    20230222/202817.677 -          userid_Type = EXCL
    20230222/202817.677 -          ;
    20230222/202817.677 -          fileProcessingMaxDepth = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          fileProcessingTimeout = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          ft_Owner = user
    20230222/202817.677 -          ;
    20230222/202817.677 -          ft_Temp_File = yes
    20230222/202817.677 -          ;
    20230222/202817.677 -          jobFileMode = 700
    20230222/202817.677 -
    20230222/202817.677 -          [TRACE]
    20230222/202817.677 -          ;
    20230222/202817.677 -          file = ../temp/CWHQ_SBX_t##.txt
    20230222/202817.677 -          ;
    20230222/202817.677 -          trccount = 10
    20230222/202817.677 -          ;
    20230222/202817.677 -          tcp/ip = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          event = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          ex_init = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          ft_debug = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          job_debug = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          mail = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          memory = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          signal = 0
    20230222/202817.677 -
    20230222/202817.677 -          [TCP/IP]
    20230222/202817.677 -          ;
    20230222/202817.677 -          connection = automic-sbx.intra.xxxxx.com:8443
    20230222/202817.677 -          ;
    20230222/202817.677 -          bindAddr =
    20230222/202817.677 -          ;
    20230222/202817.677 -          connect = 60
    20230222/202817.677 -          ;
    20230222/202817.677 -          maxMsgSize = 500000
    20230222/202817.677 -          ;
    20230222/202817.677 -          maxRepCnt = 8
    20230222/202817.677 -          ;
    20230222/202817.677 -          port = 32354
    20230222/202817.677 -          ;
    20230222/202817.677 -          sendBufferSize = 1024k
    20230222/202817.677 -          ;
    20230222/202817.677 -          recvBufferSize = 1024k
    20230222/202817.677 -          ;
    20230222/202817.677 -          tcp_KeepAlive = Y
    20230222/202817.677 -          ;
    20230222/202817.677 -          tcp_KeepAlive_Time = 6600
    20230222/202817.677 -
    20230222/202817.677 -          [AUTHORIZATION]
    20230222/202817.677 -          ;
    20230222/202817.677 -          initialPackage =
    20230222/202817.677 -          ;
    20230222/202817.677 -          trustedCertFolder = /home/unicntrl/automic/agents/CWHQ_SBX/certs/
    20230222/202817.677 -          ;
    20230222/202817.677 -          agentSecurityFolder = ./security
    20230222/202817.677 -          ;
    20230222/202817.677 -          keyPassword = ???
    20230222/202817.677 -          ;
    20230222/202817.677 -          SSLCertDir =
    20230222/202817.677 -          ;
    20230222/202817.677 -          SSLCertFile =
    20230222/202817.677 -
    20230222/202817.677 -          [FILETRANSFER]
    20230222/202817.677 -          ;
    20230222/202817.677 -          ft_Check_Free_Disk_Space = no
    20230222/202817.677 -          ;
    20230222/202817.677 -          ft_Linkfiles = no
    20230222/202817.677 -          ;
    20230222/202817.677 -          ft_ConnectingTimeout = 10
    20230222/202817.677 -
    20230222/202817.677 -          [MISC]
    20230222/202817.677 -          ;
    20230222/202817.677 -          authentication = local
    20230222/202817.677 -          ;
    20230222/202817.677 -          FileBufferSize = 0
    20230222/202817.677 -          ;
    20230222/202817.677 -          FileEndDelimiter = no
    20230222/202817.677 -          ;
    20230222/202817.677 -          fileRemoveCheck = yes
    20230222/202817.677 -          ;
    20230222/202817.677 -          MsgToStdout = no
    20230222/202817.677 -          ;
    20230222/202817.677 -          processInfo = yes
    20230222/202817.677 -          ;
    20230222/202817.677 -          TraceFileSize = 32M
    20230222/202817.677 -
    20230222/202817.677 -          [PAM]
    20230222/202817.677 -          ;
    20230222/202817.677 -          libName = libpam.so
    20230222/202817.677 -          ;
    20230222/202817.677 -          pam_Open_Session = no
    20230222/202817.677 -
    20230222/202817.677 -          [STARTCMD]
    20230222/202817.677 -          ;
    20230222/202817.677 -          start_Type = fork
    20230222/202817.677 -
    20230222/202817.677 -          [USERID]
    20230222/202817.677 -          ;
    20230222/202817.677 -          unicntrl = START
    20230222/202817.677 -          ;
    20230222/202817.677 -          root = NO_START
    20230222/202817.677 -          ;
    20230222/202817.677 -          dwhp = START
    20230222/202817.677 -          ;
    20230222/202817.677 -          vihsa116 = START
    20230222/202817.677 -          ;
    20230222/202817.677 -          cwhi = START
    20230222/202817.677 -
    20230222/202817.677 -          [VARIABLES]
    20230222/202817.677 -          ;
    20230222/202817.677 -          UC_EX_JOB_MD = ucxj???m
    20230222/202817.677 -          ;
    20230222/202817.677 -          UC_EX_PATH_BACKUP = /home/unicntrl/automic/agents/CWHQ_SBX/backup/
    20230222/202817.677 -          ;
    20230222/202817.677 -          UC_EX_PATH_BIN = ./
    20230222/202817.677 -          ;
    20230222/202817.677 -          UC_EX_PATH_JOBREPORT = /dwhg/UC4Reports/CWHQ/
    20230222/202817.677 -          ;
    20230222/202817.677 -          UC_EX_PATH_TEMP = /home/unicntrl/automic/agents/CWHQ_SBX/temp/
    20230222/202817.677 -          ;
    20230222/202817.677 -          UC_HOST_CODE = UC_CODE
    20230222/202817.677 -          ;
    20230222/202817.677 -          UC_HOST_JCL_VAR = UNIX
    20230222/202817.677 -          [JCPLIST]
    20230222/202817.677 -          ; List of available JCP endpoints.
    20230222/202817.677 -          JCP1 = https://KLUTSAXXX:8443/



  • 2.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Posted Mar 01, 2023 09:53 AM

    Hello Maria,

    Whenever a Unix Agent is installed using a TLS agent, it will create an Agent certificate under the /bin/security folder to connect with the Automic Engine via the TLS gateway agent.

    I faced a similar issue with the Unix agent, which was resolved by following the steps below; please check if this helps you.

    1. Delete the existing certificate created for the agent under <Unix agent directory>/bin/security/
    2. Renew the agent transfer key from Client 0
    3. Place the JCP certificate as jcp1.cer in the trustedCertFolder, i.e. /home/unicntrl/automic/agents/CWHQ_SBX/certs/jcp1.cer
    4. Start the agent.





  • 3.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Posted Mar 06, 2023 03:00 PM

    Hello @Shaikh Danish Farhan & @Maria Joseph Vimalan ,

    I am joining this thread to ask if there is any update, and whether this has been solved for Maria in the meantime.

    Since upgrading from 21.0.4 to 21.0.5 (Kubernetes Edition), I am having a similar issue with Linux agents only. Windows agents are working fine.

    We have an enterprise certificate for the JCPs, and the intermediate and root certs for the enterprise are added to the /etc/ssl/certs directory and to /etc/pki/tls/certs/ca-bundle.crt as well. Therefore curl and other utilities can validate the JCP endpoint correctly. The agents are installed by downloading preconfigured agent packages.

    However, since upgrading to 21.0.5, for Linux agents I have similar problems as @Maria Joseph Vimalan:

    The agent starts, generates a private key (in PEM format), reads the certificates from the system locations, but then fails to connect to the JCP endpoint due to a TLS handshake error.

    20230306/162905.673 - U02000000 Started program Agent 'AUT-AGENT-01', version '21.0.5+build.1675100990579', changelist '1675100990'.
    20230306/162905.673 - U02000232 Build Date: '2023-01-30', '17:49:50'
    20230306/162905.673 - U00000061 (c)  Automic Software GmbH
    20230306/162905.674 - U02003034 File attribute : '-rwxr-xr-x   1 root     root      14495896  2023-03-06/14:34:55  2023-03-06/13:34:38  2023-03-06/14:34:49  /opt/AUT-tls/bin/./ucxjlx6'
    20230306/162905.674 - U02003034 File attribute : '-rw-r--r--   1 root     root         21606  2023-03-06/15:20:00  2023-03-06/15:19:55  2023-03-06/15:19:55  /opt/AUT-tls/bin/./ucxjlx6.ini'
    20230306/162905.674 - U02003054 The Agent was able to gain user privileges of real user 0.
    20230306/162905.676 - U02000331 OpenSSL library Version 'OpenSSL 1.1.1s  1 Nov 2022' is used.
    20230306/162905.676 - U02000362 Environment variable: 'SSL_CERT_DIR' = '/etc/ssl/certs'.
    20230306/162905.676 - U02000362 Environment variable: 'SSL_CERT_FILE' = '/etc/pki/tls/certs/ca-bundle.crt'.
    20230306/162905.676 - U02000396 /etc/ssl/certs' is used as the location for trusted CA certificates (SSLCertDir).
    20230306/162905.677 - U02000396 /etc/pki/tls/certs/ca-bundle.crt' is used as the location for trusted CA certificates (SSLCertFile).
    20230306/162906.184 - U02000307 New private key './security/AUT-AGENT-01.pem' was created.
    20230306/162906.186 - U02000020 Environment: Hardware = 'x86_64/2'.
    20230306/162906.186 - U02000021 Environment: Software = 'Linux'.
    20230306/162906.186 - U02000022 Environment: SW version = '3.10.0-1160.81.1.el7.x86_64'.
    20230306/162906.186 - U02000093 Environment: program addressing mode = '64-bit'.
    20230306/162906.187 - U02000045 Maximum number of open file descriptors a process may have: '32768'
    20230306/162906.188 - U02000037 Started Agent with INI file '/opt/AUT-tls/bin/./ucxjlx6.ini'.
    20230306/162906.188 -          ;
    20230306/162906.192 - U02000072 Connection to system 'LAB' initiated.
    20230306/162906.192 - U02000379 Initiating connection to server 'LAB' using WebSocket URI: 'jcp-ws-lab-AUT-main.k8s.aws.mydomain.net:443/agent'.
    20230306/162906.219 - U02000377 Certificate loaded from file '/etc/pki/tls/certs/ca-bundle.crt'.
    20230306/162906.219 - U02000398 Loading certificates from the directory './security' that is specified in the parameter'AgentSecurityFolder'.
    20230306/162906.219 - U02000376 Could not parse certificate './security/AUT-AGENT-01.pem'. Please make sure that the certificate is in PEM format.
    20230306/162906.225 - U02000313 Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.
    20230306/162906.225 - U02000010 Connection to Server 'LAB/10.131.3.70:443' terminated.
    20230306/162906.225 - U02000074 Connecting to system 'LAB' is not possible.
    20230306/162906.225 - U02003073 Agent Prozess 'AGENT,PID=34615' shutdown has been initiated.
    20230306/162911.227 - U02000041 Shutdown Agent 'AUT-AGENT-01'.
    20230306/162911.228 - U02000002 Agent 'AUT-AGENT-01' version '21.0.5+build.1675100990579' ended abnormally.

    On the same host, the JCP endpoint (in my example jcp-ws-lab-AUT-main.k8s.aws.mydomain.net:443/agent) can be reached by curl, and the certificate is valid. 

    The same issue is not experienced on Windows agents in the same environment; there the agent generates a fresh private key and fetches the agent/server cert from the JCP.

    Can anyone give me a hint what is going wrong here? 

    Thanks.  

    Gergely


    Attachment: ucxjxxx_l00.txt (txt, 46 KB)


  • 4.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Posted Mar 06, 2023 04:07 PM
    Edited by Lester Chew Mar 06, 2023 04:09 PM

    I had this same issue with installing a new Linux agent 21.0.3 on a new server. I'm not sure if you are working on a new install or trying to upgrade manually.

    The solution in my case was to copy the four .cer files from another agent server for the same environment to the new server, into /opt/automic/Agents/linux/bin/trustedCertFolder. Once that was done, I started the agent using SMDi and it connected to the AE server.

    I'm also told that this message is a non-issue: U02000376 Could not parse certificate './security/AUT-AGENT-01.pem'. Please make sure that the certificate is in PEM format.
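
An added example, not code from the thread or from Automic, that turns the points in the two replies above into a check. The file the agent reports as unparseable in `./security` is the private key it created itself (U02000307 in Gergely's log writes `<name>.pem` there), so a certificate loader is expected to reject it; the U02000313 line is the one that carries OpenSSL's verification result and decides whether the connection works. The script classifies the files in a security folder by their PEM header and then reads an agent log. The folder and log it runs on at the end are constructed for the demo: dummy PEM bodies, and four log lines copied from the first post.

```shell
#!/bin/sh
# Added example, not Automic's code: separate the harmless U02000376 line from the
# real TLS failure. The agent scans agentSecurityFolder for certificates, and the one
# file it cannot parse there is its own private key (created by U02000307 as <name>.pem).

# pem_label <file>: label of the first PEM block in <file> ("CERTIFICATE",
# "EC PRIVATE KEY", ...), or "NONE" when the file contains no PEM block.
pem_label() {
  label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
  if [ -n "$label" ]; then printf '%s\n' "$label"; else printf 'NONE\n'; fi
}

# classify_file <file>: CERT, KEY or OTHER, decided by the PEM label.
classify_file() {
  case $(pem_label "$1") in
    CERTIFICATE)    echo CERT ;;
    *"PRIVATE KEY") echo KEY ;;
    *)              echo OTHER ;;
  esac
}

# audit_folder <dir>: one line per file saying what it is and what the agent's
# certificate loader is expected to report for it.
audit_folder() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case $(classify_file "$f") in
      CERT)  echo "$f: certificate, loaded by the agent" ;;
      KEY)   echo "$f: private key, so U02000376 'Could not parse certificate' is expected" ;;
      OTHER) echo "$f: no PEM block, check encoding (DER? CRLF line endings? wrong file?)" ;;
    esac
  done
}

# real_error_count <log>: number of U02000313 lines, i.e. actual handshake failures.
real_error_count() {
  grep -c 'U02000313' "$1"
}

# triage_log <log> <security dir>: explain each U02000376 by looking at the named
# file, list the distinct U02000313 errors, return 1 if any real error was found.
triage_log() {
  log=$1; secdir=$2
  grep 'U02000376' "$log" | sed -n "s/.*Could not parse certificate '\([^']*\)'.*/\1/p" |
  while read -r path; do
    f="$secdir/$(basename "$path")"
    if [ -f "$f" ] && [ "$(classify_file "$f")" = KEY ]; then
      echo "noise : $path is the agent's private key, not a certificate"
    else
      echo "check : $path is reported as unparseable and is not a known key file"
    fi
  done
  grep 'U02000313' "$log" | sed "s/.*error: //" | sort -u | while read -r err; do
    echo "error : $err"
  done
  [ "$(real_error_count "$log")" -eq 0 ]
}

# --- constructed sample: dummy PEM bodies, plus four log lines copied from the first post ---
work=$(mktemp -d)
mkdir "$work/security"
printf -- '-----BEGIN EC PRIVATE KEY-----\nZHVtbXk=\n-----END EC PRIVATE KEY-----\n' > "$work/security/CWHQ.pem"
printf -- '-----BEGIN CERTIFICATE-----\nZHVtbXk=\n-----END CERTIFICATE-----\n'       > "$work/security/CWHQ.cert"
printf -- '-----BEGIN CERTIFICATE-----\nZHVtbXk=\n-----END CERTIFICATE-----\n'       > "$work/security/CWHQ_ca.pem"
cat > "$work/agent.log" <<'EOF'
20230222/202817.716 - U02000398 Loading certificates from the directory './security' that is specified in the parameter'AgentSecurityFolder'.
20230222/202817.718 - U02000376 Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.
20230222/202817.741 - U02000313 Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.
20230222/202817.741 - U02000010 Connection to Server 'SBX/172.28.146.119:8443' terminated.
EOF

audit_folder "$work/security"
if triage_log "$work/agent.log" "$work/security"; then
  echo "verdict: only parse noise, the agent's trust setup is fine"
else
  echo "verdict: the JCP certificate chain is not trusted by this agent; fix trustedCertFolder or the system store"
fi
rm -rf "$work"
```

Run `audit_folder <agent>/bin/security` and `triage_log <agent log> <agent>/bin/security` against a real installation. A `noise` line with no `error` line means the parse message can be ignored, which is what the reply above was told; an `error` line with `certificate verify failed` means the agent does not trust the chain the JCP (or whatever terminates TLS in front of it) presents, and that is where the fix belongs.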




  • 5.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Broadcom Employee
    Posted Mar 07, 2023 03:59 AM
    Edited by Oana Botez Mar 07, 2023 04:01 AM

    Hi,

    Here are some things that need to be considered, especially when using AAKE:

    1. Are the agents running in the same cluster as AAKE, and do they connect directly to the JCP or via an Ingress/load balancer? In the case of an Ingress, there is a TLS termination and an external certificate is needed. If connecting directly to the JCP, did you replace the self-generated certificate within the cluster with your company's server certificate?
    2. Is the JCP address configured in the agent INI file included in the JCP certificate, either as CN or SAN?
    3. Other issues that might show up are maybe covered by our TLS troubleshooting guide.

    If none of the above solve your issue, please contact support and provide the log files.

    BR,
    Oana




  • 6.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Posted Mar 07, 2023 04:48 AM

    Dear Oana,

    Thanks for the suggestions. 

    1) Are the agents running in the same cluster as AAKE and do they connect directly to the JCP or via an Ingress/Load balancer? In case of an Ingress, there is a TLS termination and an external certificate needed. If directly connecting to the JCP, did you replace the self-generated certificate within the cluster with your company's server certificate?

    The agents are not running in the same cluster. They are connecting via the nginx ingress controller and an AWS EC2 ALB. The TLS termination is happening on the ALB, for which the certificates (with the JCP's domain name added as SAN) are added to the ALB as additional certificates. Then this JCP domain is configured in the agent INI file.

    2) Is the JCP address configured in the agent ini file included in the JCP certificate, either as CN or SAN? 

    It's a SAN. Confirmed with curl and openssl s_client that the proper certificate is presented on the AWS ALB, and that it can be verified with my company ROOT and SUB certificates. 

    3) Other issues that might show up are maybe covered by our TLS troubleshooting guide.

    I am checking those and have also opened a case (33376540), which is being investigated by your colleague. The strange thing is that this started to happen with 21.0.5; it was OK in 21.0.4.

    Gergely




  • 7.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.
    Best Answer

    Broadcom Employee
    Posted Mar 07, 2023 05:08 AM

    Hi Gergely,

    The case is already solved; this was a bug that is now fixed and will be released in the next few days with 21.0.5 HF1.

    BR,
    Oana




  • 8.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Posted Mar 07, 2023 10:54 AM

    Dear Oana,

    Thanks for confirming it.

    I'll install HF1 as soon as it's out.

    Gergely




  • 9.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Posted Dec 13, 2023 10:39 AM

    Hello Oana,

    I'm working for a customer to upgrade their environment to V21. I set up a new test environment and built it with 21.0.8.2023-11-04. I followed all instructions regarding certificates and so on. I was not able to get the Linux agent connected to the engine. I always get the error:

    Could not parse certificate './security/xxx.pem'. Please make sure that the certificate is in PEM format.

    I had the root CA certificate in the trustedCerts folder as well as in /etc/ssl/certs in PEM format. Windows agents are working as expected. Then I tried to put the JCP certificate I created into the trustedCerts folder as well, and then the connection was possible. Is there a bug in the newest version?

    The JCP certificate contains the FQDN, hostname and IPs for two servers, signed by the internal customer CA whose root CA certificate was stored in the trustedCerts folder.

    Any ideas what could be wrong?

    Regards

    Peter




  • 10.  RE: Could not parse certificate './security/CWHQ.pem'. Please make sure that the certificate is in PEM format.

    Broadcom Employee
    Posted Dec 14, 2023 01:33 AM

    Hi Peter,

    When using the SSL trust stores on Unix, the CA certificates also have a hash assigned that makes it easier for OpenSSL to find them.

    For example:

    This means just copying the root certificate is not enough; you also need to install it. For Ubuntu there are some instructions here (https://ubuntu.com/server/docs/security-trust-store), but it might be different depending on the platform.

    If you also have intermediate certificates between the root and the JCP certificate, you need to install the whole chain.

    Hope this helps,
    Oana
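
An added example, not Automic's or Broadcom's code, for the hash point in the reply above. OpenSSL finds trust anchors in a directory such as SSLCertDir or /etc/ssl/certs by a `<subject_hash>.N` file name, which is what `openssl rehash`/`c_rehash` (or `update-ca-certificates` on Ubuntu) create, so a CA file that is merely copied there is never consulted. The agent's own trustedCertFolder is a different case: the first post's log shows it being read file by file, so no hash is needed there. The script builds a throwaway root -> sub CA -> JCP certificate chain locally (the host name jcp.example.test and all subject names are assumptions for the demo), installs the CAs with and without the hash link, and runs `openssl verify` against that directory the way the agent's OpenSSL would, including the hostname check the earlier replies ask about:

```shell
#!/bin/sh
# Added example, not Automic's or OpenSSL's code: shows why a CA file merely copied into
# an OpenSSL-style trust directory is ignored (no <subject_hash>.N link), and why the
# intermediate must be installed too. A throwaway root -> sub CA -> JCP chain is
# generated locally; the hostname jcp.example.test is an assumption for the demo.

# make_test_pki <dir>: writes root.pem, sub.pem, jcp.pem (+ keys) into <dir>.
make_test_pki() {
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:jcp.example.test
EOF
  for n in root sub jcp; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
  done
  openssl req -x509 -new -key "$d/root.key" -config "$d/ext.cnf" -extensions ca_ext \
    -subj "/CN=Example Root CA" -days 2 -out "$d/root.pem"
  openssl req -new -key "$d/sub.key" -config "$d/ext.cnf" -subj "/CN=Example Sub CA" -out "$d/sub.csr"
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/sub.pem" 2>/dev/null
  openssl req -new -key "$d/jcp.key" -config "$d/ext.cnf" -subj "/CN=jcp.example.test" -out "$d/jcp.csr"
  openssl x509 -req -in "$d/jcp.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
    -days 2 -extfile "$d/ext.cnf" -extensions leaf_ext -out "$d/jcp.pem" 2>/dev/null
}

# install_ca_hashed <store> <cert.pem>: what `openssl rehash`/`c_rehash` does for one
# file: copy it in and add the <subject_hash>.<n> link OpenSSL looks up by issuer name.
install_ca_hashed() {
  store=$1; cert=$2; name=$(basename "$cert")
  hash=$(openssl x509 -in "$cert" -noout -subject_hash)
  n=0
  while [ -e "$store/$hash.$n" ]; do n=$((n + 1)); done
  cp "$cert" "$store/$name"
  ln -s "$name" "$store/$hash.$n"
}

# verify_leaf <store> <leaf.pem> [hostname]: verify the leaf using only <store> as
# trust anchors (the default CA bundle is excluded), optionally checking the SAN/CN too.
verify_leaf() {
  store=$1; leaf=$2; host=${3:-}
  if [ -n "$host" ]; then
    openssl verify -no-CAfile -CApath "$store" -verify_hostname "$host" "$leaf"
  else
    openssl verify -no-CAfile -CApath "$store" "$leaf"
  fi
}

if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d); store="$work/trusted"; mkdir "$store"
  make_test_pki "$work"
  cp "$work/root.pem" "$store/"
  echo "1) root.pem copied, no hash link:";        verify_leaf "$store" "$work/jcp.pem" || true
  install_ca_hashed "$store" "$work/root.pem"
  echo "2) root installed, intermediate missing:"; verify_leaf "$store" "$work/jcp.pem" || true
  install_ca_hashed "$store" "$work/sub.pem"
  echo "3) whole chain installed:";                verify_leaf "$store" "$work/jcp.pem" jcp.example.test || true
  echo "4) right chain, wrong name in the ini:";   verify_leaf "$store" "$work/jcp.pem" other.example.test || true
  rm -rf "$work"
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

The four numbered runs show the progression: case 1 fails with "unable to get local issuer certificate" although the root file is sitting in the directory, case 2 still fails because the intermediate is missing, case 3 passes, and case 4 fails on the hostname, which is the CN/SAN mismatch asked about earlier in the thread. Against a live engine, `openssl s_client -connect <jcp-host>:8443 -servername <jcp-host> -showcerts` shows which chain the JCP (or the load balancer in front of it) actually presents, and running `verify_leaf` with the agent's SSLCertDir on the leaf from that output tells you which link the agent cannot close.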