Some ePO features or integrations might start to fail after May 29, 2020

Technical Articles ID: KB92954
Last Modified: 2023-03-21 09:38:30 Etc/GMT

Environment

ePolicy Orchestrator (ePO) - all versions

Summary

ePO uses TLS to secure the communication between ePO and several of our back-end servers. The original root certificate from the public CA that we derived our certificates from expired on May 30, 2020. A new root certificate, which won't expire until 2038, has been in place for several years. But, if you've turned off Automatic Root Certificate Updates on your ePO server, you might be missing the new root certificate. As a result, some components of ePO or some ePO-product integrations aren't working properly.

Any connection ePO makes that requires TLS has the potential to be impacted. These connections include connections to third-party servers if they're signed by the same expired root certificate. ePO's core functionality isn't affected. For example, agent-to-server communication doesn't fail because ePO acts as its own certificate authority. ePO's Master Repository pull also doesn't fail because it doesn't use TLS.

For additional information not-specific to ePO regarding this, see KB92937 - Secondary root certificate for TLS might need to be updated.

The problem statements below provide details about the features of ePO confirmed to be impacted by this issue.

Problem 1

Issue:
When you run the Download Software Product List server task on your ePO server, it fails and the server task log contains the error below:

Failed to download file C:\PROGRA~2\McAfee\EPOLIC~1\DB\licensed_products_list.xml.tmp. A connection error occurred: Issue with the certificate (12175).

The ePOApSrv log from the ePO server displays the following errors:

20200530211221 I #07200 DOWNLOAD_JNI Downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\DB\licensed_products_list.xml.tmp.

20200530211221 I #07200 MCUPLOAD Connecting to server epo.mcafee.com through proxy server http://someproxyserver.com:1234.

20200530211221 I #11652 DOWNLOAD_JNI Downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\DB\trial_products_list.xml.tmp.

20200530211221 I #11652 MCUPLOAD Connecting to server epo.mcafee.com through proxy server http://someproxyserver.com:1234.

20200530211222 E #07200 MCUPLOAD SecureHttp.cpp(1384): Failed to send HTTP request. Error=12175 (12175)

20200530211222 I #07200 DOWNLOAD_JNI Finished downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\DB\licensed_products_list.xml.tmp (0 bytes).

20200530211222 E #11652 MCUPLOAD SecureHttp.cpp(1384): Failed to send HTTP request. Error=12175 (12175)

20200530211222 I #11652 DOWNLOAD_JNI Finished downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\DB\trial_products_list.xml.tmp (0 bytes).

Impact:

You can't update the list of available products for download in the software catalog.

Problem 2

Issue:
Downloading a package from the software catalog fails with the console displaying the following error:

An unknown error occurred downloading the file from the McAfee server (error=10,005).

The ePOApSrv log displays the following errors:

20200530212252 I #10888 DOWNLOAD_JNI Downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\Server\temp\SoftwareManager3279939840147434372URI.

20200530212252 I #10888 MCUPLOAD Connecting to server epo.mcafee.com through proxy server http://someproxyserver.com:1234.

20200530212253 E #10888 MCUPLOAD SecureHttp.cpp(1384): Failed to send HTTP request. Error=12175 (12175)

20200530212253 I #10888 DOWNLOAD_JNI Finished downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\Server\temp\SoftwareManager3279939840147434372URI (0 bytes).

Impact:
You can't download packages from the Software Catalog.

Workaround:
You can manually download software from our Product Downloads site. See the "Product Downloads site" section of KB56057 - How to download product updates and documentation for instructions.

Problem 3

Issue:
The Product Compatibility List Update task fails with the server task log displaying the error below:

Failed to download latest Product Compatibility List: Failed to connect to the Software Catalog server.

The ePOApSrv log displays the following errors:

20200530211219 I #09912 DOWNLOAD_JNI Downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\DB\ProductCompatibilityList.xml.tmp.

20200530211219 I #09912 MCUPLOAD Connecting to server epo.mcafee.com through proxy server http://someproxyserver.com:1234.

20200530211220 E #09912 MCUPLOAD SecureHttp.cpp(1384): Failed to send HTTP request. Error=12175 (12175)

20200530211220 I #09912 DOWNLOAD_JNI Finished downloading file: C:\PROGRA~2\McAfee\EPOLIC~1\DB\ProductCompatibilityList.xml.tmp (0 bytes).

Impact:
You can't retrieve an updated list of compatible extensions for ePO. This fact can be particularly problematic when upgrading ePO from a major/minor release of ePO to a newer release, such as when upgrading from ePO 5.9.1 to 5.10. The reason is that you might not be alerted if your ePO server has extensions checked in that aren't compatible with the new version of ePO, or your upgrade might be blocked.

Workaround:
You can either bypass the compatibility check or manually update the product compatibility list by following the instructions in KB79523 - Products aren't compatible with this version of ePO.

Solution

To resolve this issue, you must install the new root certificate on your ePO server. It's not required to be installed on your agent handlers or endpoints for the ePO features to continue working. But, we highly recommend that you keep the root certificates for public certificate authorities up to date on all systems throughout your environment. See KB92937 - Secondary root certificate for TLS might need to be updated for instructions on several different methods that can be used to update the certificate.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Some ePO features or integrations might start to fail after May 29, 2020

Environment

Summary

Problem 1

Problem 2

Problem 3

Solution

Affected Products

Languages:

Title

Title

Knowledge Center

Some ePO features or integrations might start to fail after May 29, 2020

Environment

Summary

Problem 1

Problem 2

Problem 3

Solution

Affected Products

Languages:

Choose your region

Title

Title