Failed to get the repositories list from the agent service (mirror task intermittently fails with McAfee Agent 5.5.x)

Technical Articles ID: KB91069
Last Modified: 2022-05-27 06:07:56 Etc/GMT

Environment

McAfee Agent (MA) 5.5.x

Microsoft Windows Server 2012, 2008

Problem

Mirror task execution intermittently fails.

The failure can occur when using MA 5.5.x to perform a mirror task using a SuperAgent to a mirror location.

The MA log records the following errors:

#3888 mirror& MIRROR TASK START with params - Destination directory: c:\mcafee, Log file path: C:\ProgramData\McAfee\Agent\\logs\marepomirror, Catalog version: 20180920144354, Agent Mode: 1, Log Size: 2, Max Rollovers: 1
#3888 crypto RSA version : 4.0.1.0
#3888 crypto RSA crypto role : User Role
#3888 crypto RSA crypto mode : NON-FIPS Mode
#3888 crypto RSA rand algo : HMAC Random
#3888 ma_client ma client is started.
#4760 msgbus Allowing <1160> onto msgbus
#3888 creposi Failed to get repositories list from the agent service.
#3888 ma_client stopping ma client.

Cause

One or more of the following certificates are missing:

UTN-USERFirst-Object
Verisign Universal Root Certification Authority
Verisign Class 3 Public Primary Certification Authority - G5

The latest binaries have been signed with updated SHA-1 and SHA-256 certificates. These root certificates are required to validate the digital signatures. Microsoft distributes these certificates.

The reasons for the missing root certificates include, but aren't limited to, the following:

The certificate was removed from the system by an administrator.
The system doesn't have internet connectivity, which is needed to perform a Root AutoUpdate (automatic root update).
The group policy in effect prevents the root certificate update:
- The registry value HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate is set to 1.
- Verify that the following registry key is present: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots.

Solution 1

Install the missing UTN-USERFirst-Object, Verisign Universal Root Certification Authority, and Verisign Class 3 Public Primary Certification Authority - G5 certificates in the physical Third-Party Trusted Root Certification Authorities store.

Install the missing COMODO RSA Code Signing CA and Verisign Class 3 Code Signing 2010 CA certificates in the physical Intermediate Certification Authorities store.

After installing the certificates, the product installs or upgrades successfully.

We recommend that you install the certificates using the Active Directory group policy for wide deployment. For information about how to deploy registry changes using the group policy, see this Microsoft article.

Deploy the registry change for the Computer policy, not the User policy. Instead of using a Certificate group policy object (GPO), use a Registry group policy to make the change directly to endpoint registries, which puts the certificate in the correct store. (Using a Certificate group policy puts the certificate in the wrong certificate store.)

Or, use one of the following methods to install the certificate directly on the system, or remotely using any appropriate administrative deployment method:

To install the Verisign Class 3 Public Primary Certification Authority - G5, UTN-USERFirst-Object, Verisign Universal Root Certification Authority, COMODO RSA Code Signing CA, and Verisign Class 3 Code Signing 2010 CA certificates:
- Download the file USERFirst_and_VeriSign_and_Comodo.bat.txt in the "Attachment" section of this article. Rename the file to USERFirst_and_VeriSign.bat and run it.
- Download the file USERFirst_and_VeriSign_and_Comodo.reg.txt in the "Attachment" section of this article. Rename the file to USERFirst_and_VeriSign.reg and import it.

If you have a single system or only a few systems to install only the Verisign Class 3 Public Primary Certification Authority - G5 certificate to remediate manually:

Contact Verisign customer support to obtain the missing certificate.
Copy the contents of the certificate shown in the box (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
Paste the copied contents into a plain text editor such as Notepad.
Save the file with a .cer extension, for example: C:\Temp\VeriSign.cer
Open an elevated command prompt, right-click Command Prompt and select Run as administrator.
Run the following command:

certutil -addstore root C:\Temp\VeriSign.cer

Solution 2

Address the issue preventing the automatic update of root certificates on the system.

Microsoft allows the administration of root certificate stores though many GPOs and automatic updates. For more information, see this Microsoft article. The administration of certificate stores isn't within the scope of Technical Support.

Use the following solution only if the group policy in effect prevents the root certificate update:

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
Do not run a REG file that is not confirmed to be a genuine registry import file.

Change the registry value for HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate from 1 to 0:

NOTE: If you're making this change using the group policy for wide deployment, the GPO for this setting is at Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication settings, Turn off Automatic Root Certificates Update.
Change Turn off Automatic Root Certificates Update from Enabled to Disabled.
1. Press Windows+R, type regedit, and click OK.
2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
3. Change the value from 1 to 0.
4. Exit the registry editor.
If present, remove the registry key ProtectedRoots, which is at HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots:
1. Press Windows+R, type regedit, and click OK.
2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
3. Right-click ProtectedRoots, select Export, and choose a location in which to save a backup copy.
4. Right-click ProtectedRoots, select Delete, and click Yes when prompted.
5. Exit the registry editor.

Knowledge Center

Failed to get the repositories list from the agent service (mirror task intermittently fails with McAfee Agent 5.5.x)

Environment

Problem

Cause

Solution 1

Solution 2

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Failed to get the repositories list from the agent service (mirror task intermittently fails with McAfee Agent 5.5.x)

Environment

Problem

Cause

Solution 1

Solution 2

Related Information

Affected Products

Languages:

Choose your region

Title

Title