
PRB: Updates fail due to SSL certificate issues



This article applies to:

  • Trustwave MailMarshal (SEG) 
  • Trustwave ECM/MailMarshal Exchange 7.X
  • HTTPS Certificates for Internet Access
  • Blended Threats licensing
  • Maintenance Check
  • McAfee for Marshal
  • Sophos for Marshal
  • Bitdefender for Marshal

Symptoms:

  • Installations cannot download updates for Automatic Updates (SpamCensor), or cannot validate Blended Threats or Maintenance
  • Logs show error Unable to get Local Issuer Certificate
  • Virus scanner updaters cannot perform updates or licensing checks
  • Error messages indicate SSL certificate validation errors
  • New installations may display a warning on installation
    • Warning text similar to: The MailMarshal Update service and the Blended Threats Module require SSL certificates currently not installed on this system

Cause:

The most common cause of these symptoms is that required CA root certificates are not installed, so the SSL certificates used by Trustwave websites cannot be validated.

As of mid 2023, DigiCert is issuing certificates from a new root certificate.

  • This change is required because some browsers will stop trusting older DigiCert roots in 2025. For more details see information from DigiCert.
  • For new certificates to be trusted, you must have the DigiCert Global Root G2 installed as a trusted root certificate in the Windows certificate store.
  • All certificates currently used by the affected sites are issued by DigiCert and will be affected by this change as the certificates are renewed annually.
  • Windows Servers that have automatically installed required updates should already have installed the required certificate.

Also, you must allow access to Certificate Revocation List servers (such as http://crl3.digicert.com/) to allow SSL connections to be validated.
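The following PowerShell script is an added diagnostic, not part of the Trustwave article. It checks the conditions this section describes from a server's point of view: whether the DigiCert Global Root G2 is in the machine-wide Trusted Root store (the store that service accounts use), whether Group Policy has disabled on-demand root downloads, whether the CRL host is reachable, and what Windows reports when it builds the chain for an affected update site. The site and CRL host names are the ones given in the article; the registry value is the standard Windows AuthRoot policy setting.

```powershell
# Added diagnostic (not from the article). Run in an elevated PowerShell on the
# Array Manager or a Processing Node. Hostnames default to values in the article.
param(
    [string]$UpdateSite = 'mcafee.marshal.com',   # affected site named in the article
    [string]$CrlHost    = 'crl3.digicert.com'     # CRL server named in the article
)

# 1. Is DigiCert Global Root G2 in the machine store? Services read LocalMachine\Root,
#    not the interactive user's store, so check this store specifically.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*CN=DigiCert Global Root G2*' }
if ($root) {
    "OK   DigiCert Global Root G2 present (expires $($root.NotAfter))"
} else {
    "FAIL DigiCert Global Root G2 missing from LocalMachine\Root"
}

# 2. Has Group Policy turned off the on-demand root download that Windows relies on?
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
                           -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    "WARN automatic root certificate updates are disabled by policy"
}

# 3. Can this server reach the CRL host that revocation checking needs?
if (Test-NetConnection -ComputerName $CrlHost -Port 80 -InformationLevel Quiet) {
    "OK   $CrlHost reachable on TCP 80"
} else {
    "FAIL $CrlHost not reachable on TCP 80 (check firewall or proxy rules)"
}

# 4. Fetch the update site's certificate and let Windows build the chain with online
#    revocation checking, then print each failing status. PartialChain means the
#    issuer is missing; NotTimeValid points at the system clock note in this article.
$tcp = New-Object System.Net.Sockets.TcpClient($UpdateSite, 443)
try {
    # Accept any certificate in the handshake callback; the real check is X509Chain below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($UpdateSite)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if ($chain.Build($leaf)) {
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        "OK   chain for $UpdateSite validates; root = $($last.Subject)"
    } else {
        foreach ($s in $chain.ChainStatus) {
            "FAIL $UpdateSite chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
} finally {
    $tcp.Close()
}
```

Run it under the same account the Engine, Array Manager or virus updater service uses when you suspect a per-account store problem (Cause 2 below); a chain that validates for an administrator but not for the service account points at that cause rather than at a missing DigiCert root.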

Resolution:

To resolve this issue in most cases, you can take one of the following actions:
  • You may be able to install the certificates automatically by browsing to the affected site (such as https://mcafee.marshal.com) using Internet Explorer or Edge from an administrator account. Once you have successfully browsed to the site, try the updater functionality again.
  • You can manually retrieve the DigiCert Global Root G2 certificate from: https://www.digicert.com/kb/digicert-root-certificates.htm
    • Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.
    • Previous generation certificates (validity starting before March 2023) are issued from the DigiCert Global Root CA certificate. 

Once the root certificate is installed, all functions requiring web access should work.


Other possible causes:

Cause 2: Access through WebMarshal 

If Web access for SEG/MailMarshal or a virus scanner updater is through a WebMarshal installation that is configured for HTTPS content inspection, it is possible that the root certificates are not installed for the account(s) used by the Engine service, Array Manager service, and/or virus updater services. 

Note: This cause only applies when Web access is through a WebMarshal installation that has HTTPS content inspection enabled for the specific update sites. Inspection is disabled by default.

  • WebMarshal HTTPS Content Inspection uses a special locally generated root certificate. This certificate is installed into the user's certificate store by default. It is not available for service accounts by default.
  • WebMarshal makes an exception for the SpamCensor update site, but current versions do not make an exception for the Blended threats site.

Resolution - WebMarshal certificate:

To resolve this issue, on each SEG/MailMarshal server, manually install the WebMarshal root certificate using the Windows Certificate Management console:

  1. Download the certificate from the WebMarshal.Home page of the WebMarshal installation.
  2. Run Microsoft Management Console (MMC.exe).
  3. Choose to add a snap-in and select the Certificates snap-in.
  4. Choose to manage certificates for the Computer account.
  5. Open Trusted Root Certification Authorities > Certificates.
  6. Import the certificate.

Alternatively, you might choose to bypass the proxy completely, or disable HTTPS inspection, for the update URLs required by Trustwave products.

Cause 3: Access through a third party proxy

If Web access for MailMarshal/SEG or a virus scanner updater is through a third party proxy configured for HTTPS content inspection, you may need to complete further configuration.

Note: This cause only applies when Web access is through a third party proxy server that has HTTPS content inspection enabled.

  • The proxy server might not have the required CA certificates installed.
  • The certificate used for local re-encryption might not be installed on the MailMarshal servers.

Resolution - third party proxy:

To resolve this issue, consult the documentation for the third party proxy and ensure the following:

  • Verify that all CA certificates required are installed on the proxy server. See the list in resolution 1, above.
  • Verify that the certificate used for re-encryption (and any CA or intermediate certificates) are installed on the servers.

    1. Obtain the certificate(s) required. See the list in the Manual Download section below.
    2. On each server in the installation, run Microsoft Management Console (MMC.exe).
    3. Choose to add a snap-in and select the Certificates snap-in.
    4. Choose to manage certificates for the Computer account.
    5. Import the certificate(s) to the appropriate locations. In most cases Windows will select the locations automatically.
  • Alternatively, you might choose to bypass the proxy completely for the update URLs required by Trustwave products. See the documentation for the proxy server.

Additional technical details:

  • Some Windows releases install a very limited set of SSL CA certificates by default. Additional certificates are downloaded on demand.
    • Windows Group Policy can be set to disable the on-demand downloads.

Manual download of certificates:

You can also manually download and install the required CA Certificates using the Windows Certificate Management console.

Install the certificates on Array Manager and Processing Node servers.

  1. Download the root certificate DigiCert Global Root G2 (.pem) (right click, save as). See additional links and other formats at DigiCert Root Downloads.
     (Note: SecureTrust certificates that were previously used are no longer required.)
  2. Run Microsoft Management Console (MMC.exe).
  3. Choose to add a snap-in and select the Certificates snap-in.
  4. Choose to manage certificates for the Computer account.
  5. Open Trusted Root Certification Authorities > Certificates.
  6. Import the root certificate.
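The MMC procedure above, the WebMarshal root certificate steps under Cause 2, and the proxy re-encryption certificate steps under Cause 3 all import a certificate file into the Computer account's store. The PowerShell below is an added example, not the article's or Trustwave's own tooling, that performs the same import from the command line so it can be repeated on every Array Manager and Processing Node. The file paths are placeholders; obtain the files as the article describes (DigiCert Root Downloads, the WebMarshal.Home page, or your proxy vendor). It places self-signed certificates in Trusted Root Certification Authorities and any intermediate in Intermediate Certification Authorities, which matches the automatic placement the article mentions for the proxy case.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on each server.
param(
    [string[]]$CertFiles = @(
        'C:\certs\DigiCertGlobalRootG2.crt.pem',   # placeholder: DigiCert root in PEM form
        'C:\certs\WebMarshalRoot.cer'             # placeholder: WebMarshal or proxy root
    )
)

Add-Type -AssemblyName System.Security

foreach ($file in $CertFiles) {
    if (-not (Test-Path $file)) { "SKIP $file not found"; continue }

    # X509Certificate2 reads both DER (.cer/.crt) and Base64/PEM (.pem) files, so the
    # same code handles whichever format the download page supplied.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)

    # Self-signed (subject equals issuer) goes to Root; anything else is an intermediate
    # and goes to CA, as the Windows import wizard would choose automatically.
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

    # Idempotent: the thumbprint is the certificate's path inside the Cert: drive.
    if (Test-Path "Cert:\LocalMachine\$storeName\$($cert.Thumbprint)") {
        "OK   $($cert.Subject) already in LocalMachine\$storeName"
        continue
    }

    # Warn when the local clock puts the certificate outside its validity window;
    # the article's Notes section names this as a cause of rejected certificates.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        "WARN $($cert.Subject) is not time-valid according to this system's clock ($now)"
    }

    # Open the machine-wide store so that the Engine, Array Manager and virus updater
    # service accounts all see the certificate, not just the interactive user.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $store.Add($cert)
        "DONE $($cert.Subject) imported into LocalMachine\$storeName (thumbprint $($cert.Thumbprint))"
    } finally {
        $store.Close()
    }
}
```

After importing, retry the updater or licensing check; if it still fails, rerun the import under the service account to rule out a per-user store, and confirm the CRL server named earlier in this article is reachable from the server.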

Notes:

Verify your system clock is accurate. Certificates might be rejected if they are "out of date" according to the local system time.

If none of the above solutions resolve your issue, contact Technical Support for help in diagnosing and resolving the problem.
