
Check-in issues with Cloud agent

Question asked by James Hamill on Sep 12, 2017
Latest reply on Oct 25, 2017 by Robert Klohr

I've recently installed the Cloud agent on a number of DMZ servers which naturally have restricted Internet access. We have implemented an exception to allow comms over 443 out to 64.39.96.0/20. The agents appear to have installed without issue on all of the servers; however, only a handful of the servers have checked in. It's worth noting that the agent was installed over a week ago, so sufficient time has passed for the client to submit a full dataset.

 

Looking at the Qualys log at C:\ProgramData\Qualys\Log.txt it's evident there is a problem with the communication out to the Qualys cloud. Below is a snippet from a machine failing to check in:

09/12/2017 10:15:11.0048 [16C4]: Information: Scheduling Thread: RUNNING event 'INTERVAL_EVENT_CAPI'...
09/12/2017 10:15:11.0048 [16C4]: Information: Agent CAPI json: {"Data":{"Agent":{"CustomerID":"72944C71-A7D6-4F62-80B6-B4E8C5F7287C","ActivationID":"72DEDA88-ED03-4039-B6C7-BA5B32BF13FF","AgentID":"ABBEB6F8-86B6-4113-9359-00F6158751A0","AgentVersion":"1.5.6.46","CapiVersion":"1.0","Platform":"WINDOWS","ProvisioningKey":"TkJJUU5VUk5OVUVNUVlkTU4wME9STVlPTE1nTVFRWUxRSVJOTzBNT1JaY1FPSmRRTVZzVlJWY1JSTlZNUUpnTUxJVk5NSk1MTk1BTk8xU0N6a0QzdFVEQkVVVXo0a1RHRVRFR3lsVFArMkdCRGtERnlqakcxQ0U0RmtqMnRUanh3VFR0eVRqMTBTaXdFRVQydFR6NER6RHg1VHo2"},"Client":{"ComputerName":"LONVSB01P","NetBiosName":"LONVSB01P","IPv4":"10.101.1.211","IPv6":"2001:0:4137:9e76:301f:1628:f59a:fe2c"},"Synchronization":{"Sequence":"0","RetryCount":"217"},"Resources":{"Config":"00000000-0000-0000-0000-000000000000","Binary":"6155225D-3DF8-4EAF-9A8B-53EAA741F94A"},"Status":{"Capi":{"Time":"2017-09-12T07:15:52Z","ID":"","OsStatus":12175,"HttpStatus":0,"RetryCount":173}},"ScanManagement":{}}}
09/12/2017 10:15:11.0563 [16C4]: Information: Detecting proxy for [secure] URI:443 - HTTPS://qagpublic.qg1.apps.qualys.eu/CloudAgent/v1.0/customer/72944C71-A7D6-4F62-80B6-B4E8C5F7287C/agent/ABBEB6F8-86B6-4113-9359-00F6158751A0/CAPI...
09/12/2017 10:15:11.0625 [16C4]: Information: No WinHTTP proxies defined. Detecting auto proxy...
09/12/2017 10:15:14.0246 [16C4]: Information: No proxies found.
09/12/2017 10:15:44.0357 [16C4]: Error: WinHttp Security Failure: The function is unfamiliar with the Certificate Authority that generated the server's certificate.
09/12/2017 10:15:44.0357 [16C4]: Error: Failed to send request to web service: Error: 12175, "(WinHttp) One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.".
09/12/2017 10:15:44.0357 [16C4]: Error: CommRequest() failed to send the data. Error: 12175. URI("https://qagpublic.qg1.apps.qualys.eu/CloudAgent/v1.0/customer/72944C71-A7D6-4F62-80B6-B4E8C5F7287C/agent/ABBEB6F8-86B6-4113-9359-00F6158751A0/CAPI"), Port(443), Secure(1)
09/12/2017 10:15:44.0357 [16C4]: Error: Unable to communicate with the server. Error: 12175, "(WinHttp) One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.".
09/12/2017 10:15:44.0357 [16C4]: Information: Set the backoff multiplier to: 7200.000
09/12/2017 10:15:45.0106 [16C4]: Error: Scheduling Thread: EVENT 'INTERVAL_EVENT_CAPI' returned error: Error: 12175, "(WinHttp) One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server."..
09/12/2017 10:15:45.0169 [16C4]: Information: Scheduling Thread: FINISHED running event 'INTERVAL_EVENT_CAPI'. Result: Error: 12175, "(WinHttp) One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server."..
09/12/2017 10:15:45.0169 [16C4]: Information: INTERVAL_EVENT_CAPI Interval: 0 days, 1 hours, 58 minutes, 40 seconds
09/12/2017 10:15:45.0169 [16C4]: Information: INTERVAL_EVENT_EXECUTE_SETUP Interval: 11174 days, 6 hours, 29 minutes, 17 seconds (Disabled)
09/12/2017 10:15:45.0169 [16C4]: Information: Scheduling Thread: WAITING 7120 seconds for event 'INTERVAL_EVENT_CAPI'.

 

The log entry that jumps out is:

 

09/12/2017 10:15:44.0357 [16C4]: Error: WinHttp Security Failure: The function is unfamiliar with the Certificate Authority that generated the server's certificate.

Does the agent attempt to call out and obtain a cert revocation list? I can't see anything in the FW to suggest this is the case. 

 

Any pointers would be massively appreciated. 

 

Thanks in advance.
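
Added example (not part of the original post and not Qualys tooling): a Python triage script for agent logs in the format quoted above. It separates check-in failures where a certificate was received but its CA is not trusted from failures with other error codes. The sample log is constructed with a placeholder host and IDs, and the function name `triage` and its verdict labels are this example's own.

```python
import json
import re
from collections import Counter

# Line shape copied from the log in the post: MM/DD/YYYY HH:MM:SS.ffff [thread]: Level: message
LINE = re.compile(r"^\d\d/\d\d/\d{4} [\d:.]+ \[[0-9A-Fa-f]+\]: (\w+): (.*)$")
SEC_FAIL = "WinHttp Security Failure: "
# Wording WinHTTP documents for WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA.
INVALID_CA = "unfamiliar with the Certificate Authority"
COMM = re.compile(r'CommRequest\(\) failed to send the data\. '
                  r'Error: (\d+)\. URI\("https://([^/"]+)')

def triage(log_text):
    """Summarise why one agent log shows failed check-ins."""
    out = {"tls_reasons": Counter(), "codes": Counter(), "hosts": set(),
           "last_status": None, "verdict": "no-failure-seen"}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        level, msg = m.groups()
        if msg.startswith("Agent CAPI json: "):
            try:
                doc = json.loads(msg.split("json: ", 1)[1])
                out["last_status"] = doc["Data"]["Status"]["Capi"]
            except (ValueError, KeyError, TypeError):
                pass  # truncated or redacted JSON: skip it, keep scanning
        elif level == "Error" and msg.startswith(SEC_FAIL):
            out["tls_reasons"][msg[len(SEC_FAIL):]] += 1
        elif level == "Error":
            c = COMM.search(msg)
            if c:
                out["codes"][c.group(1)] += 1
                out["hosts"].add(c.group(2))
    if any(INVALID_CA in r for r in out["tls_reasons"]):
        # A certificate was received, so TCP 443 reached a TLS endpoint; its CA is not trusted here.
        out["verdict"] = "untrusted-ca"
    elif out["tls_reasons"] or "12175" in out["codes"]:
        out["verdict"] = "tls-other"
    elif out["codes"]:
        out["verdict"] = "transport"
    return out

# Constructed sample in the post's log format (placeholder host and IDs, not real values).
SAMPLE = """\
09/12/2017 10:15:11.0048 [16C4]: Information: Agent CAPI json: {"Data":{"Status":{"Capi":{"OsStatus":12175,"HttpStatus":0,"RetryCount":173}}}}
09/12/2017 10:15:44.0357 [16C4]: Error: WinHttp Security Failure: The function is unfamiliar with the Certificate Authority that generated the server's certificate.
09/12/2017 10:15:44.0357 [16C4]: Error: CommRequest() failed to send the data. Error: 12175. URI("https://agent.example.invalid/CloudAgent/v1.0/customer/CUSTOMER-ID/agent/AGENT-ID/CAPI"), Port(443), Secure(1)
"""
```

Running `triage` over the contents of C:\ProgramData\Qualys\Log.txt from each server and comparing verdicts shows which hosts fail on certificate trust and which fail before a certificate is ever received.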
