Root Cause and Log Evidence of SSL Issue
Upon further investigation, the affected linux agent may encounter a communication issue with the Trend Micro Servers due to an SSL Certificate Issue. Below are log snippets when the connection fails:
[Error/1] | Failed download: https://files.trendmicro.com/products/deepsecurity/en/linuxsensor/index/ksp-index-RedHat_EL6.x86_64.zip: SSL certificate problem: self signed certificate in certificate chain | plugin/dsp/ksp/service.lua:106:download | 2AD3:7F2A03DFF700:dsp.ksp.service [Error/1] | Failed download: https://files.trendmicro.com/products/deepsecurity/en/linuxsensor/index/ksp-index-RedHat_EL6.x86_64.zip: SSL certificate problem: self signed certificate in certificate chain | plugin/dsp/ksp/service.lua:106:download | 2AD3:7F2A03DFF700:dsp.ksp.service
Initial Isolation
Before applying the fix, verify the environment to ensure correct targeting:
- Check the Kernel Support List: Check the List of TrendAI Vision One Linux Kernel Support.
- Audit Network Security: Confirm whether a MITM proxy or firewall is used by referring to the Online Help doc URLs to be whitelisted for Trend Micro Services (per region).
- Test Connectivity: Collect the stdout of the command below to verify if the communication is established.
- (Command without proxy):
# curl -k -l -vvv https://files.trendmicro.com - (Command with proxy):
# curl -k -l -vvv --proxy [protocol://]host[:port] https://files.trendmicro.com
- (Command without proxy):
Applying SSL Certificates
If diagnostics indicate an SSL issue, follow these steps to manually apply the root certificates to the affected Linux agent.
- Download https://web.entrust.com/root-certificates/entrust_g2_ca.cer
- Move the
entrust_g2_ca.certo the following directory:/etc/pki/ca-trust/source/anchors folder - Reload using this command:
$ update-ca-trust - Log on to TrendAI Vision One web console, go to Endpoint Inventory, and try again.