Hi

On 4 or 5 May we upgraded PASM 5.6 to 5.7 on our central service and all of our customers' satellites. Everything was OK until 9 May. On that day, 2 of more than 20 satellites were displayed as disconnected (nearly at the same minute).

Through RDP to the remote host, I saw nothing unusual at both satellites, except they both said the central host was denying connection (message tells to take a look at firewall settings). The 2 satellites are both hosted by old Windows Server 2003 R2 and I cannot browse to my https://centralservice_url from them (I don't have the SSL warning but a failure). Something appears to be linked with this disconnection: in the few minutes before disconnection the PASM central service generated a new self-signed certificate. Let me say we have done nothing to make this happen (the host server has not been restarted nor the central service).

Only those 2 satellites lost connection in the 5 following minutes.

At one time, I've suspected Win 2003 but a third Windows Server 2003 R2 doesn't have any connection after the new certificate event.

We've already tried to remove the CA directory from the central service with the same result. At one remote site, I've suppressed the disconnected satellite from central service and reinstalled satellite (without registry cleanup) with no success.

Help us please

asked 13 May '15, 05:13

PERSATL
1324
accept rate: 33%


Hi Doug,

Both satellites are back again after the latest Windows Update installs

I didn't have to install the SHA256 hotfix

So our problem is solved at the moment

answered 18 May '15, 09:52

PERSATL
1324
accept rate: 33%

Hi PERSATL

This is almost certainly an issue with Win 2003's limited ability to do SSL (compared to newer OS's).

First step: On the central server, look at Settings -> HTTP Server Settings. Make sure you are only using the Normal settings.

Second: Very interesting that the SSL certificate had just regenerated. It looks like between 5.6 and 5.7 the certificates went from being generated with SHA1 (which is now considered insecure) to SHA256 also known as SHA2. There is apparently a patch for Windows 2003 to support SHA256 which you can find by Googling "Windows 2003 SHA256".

If you need to downgrade your certificate, use a text editor and edit:

C:\Program Files (x86)\PA Server Monitor\MakePACA.cmd

Search for MSG_DIG. Remove the 'rem' in front of the two lines that say:

set MSG_DIG=sha1

and add 'rem' to the front of the two lines that say

set MSG_DIG=sha256

Then delete the CA folder and new lower-security certificates will be generated that work with Windows 2003.

answered 13 May '15, 18:02

Doug ♦♦
10.2k122138
accept rate: 21%

Hi Doug

1st step : already checked

Today one of the two satellites is back. There was an MS update waiting for reboot and after reboot today the connection is back again. So I didn't try the SHA256 hotfix on this system.

The other Windows 2003 is waiting for MS update but cannot be restarted today. I will see next week.

I will keep you informed after

answered 15 May '15, 06:10

PERSATL
1324
accept rate: 33%

Asked: 13 May '15, 05:13

Seen: 6,263 times

Last updated: 18 May '15, 09:52