How to troubleshoot Web Gateway Certificate Revocation List update or load errors
Articles techniques ID:
KB83679
Date de la dernière modification : 6/18/2021
Synthèse
A Certificate Revocation List (CRL) refers to certificates managed by a Certificate Authority (CA) that are revoked or no longer valid. The CRL indicates that these certificates must no longer be considered trusted. Different CAs host CRLs, and McAfee does not have control over access to the CRL or the CA.
CRL updates occur as part of the daily update process on Web Gateway. They are the only updates that Web Gateway downloads McAfee does not host.
Because of the many different web servers Web Gateway must contact to obtain the CRL files, one or more servers can be down or have issues hosting the CRL file at any given time. When this issue occurs, alert level warning messages appear on your Web Gateway Dashboard. These alerts are not serious and rarely require administrative interaction. If you want to determine why the CRL updates are failing, use the troubleshooting information in this article.
Problème
When a CRL update or load fails, the Web Gateway Dashboard could display any of the following errors:
- An operating system error exception occurred with error message : Connection refused because the centralized updater tried to connect to host www.example-URL.domain (Origin: Updater, ID: 305, X times within the last X 'time')
This error indicates that Web Gateway could not reach the host defined by the Certificate Authority for the CRL. In the example error above, the host is www.example-URL.domain. This error can indicate that the host is down or that some network device, such as a firewall, is blocking connectivity to it.
- 1 of the recently updated CRLs for the certificate chain filter cannot be loaded (Origin: Certificate Chain Filter, ID: 1651)
This error indicates that Web Gateway could connect to the server that hosts the CRL, but the server did not return a CRL file. For example, the request for the CRL returned only an .html file.
- Download of Certificate chain filter failed for node xxxxxxxx-xxxx-xxxx-xxxxxx (HOSTNAME)(Origin: Updater, ID: 1652)
This error is a general one that typically indicates that Web Gateway could connect to the destination, but experienced problems after connecting. One example could be that the server redirects the Web Gateway request for the CRL, but the new path provided in the location header is malformed.
Solution
To troubleshoot CRL update or load failure errors, perform the following steps.
- Troubleshoot the error: "An operating system error exception occurred with error message : Connection refused because the centralized updater tried to connect to host www.example-URL.domain (Origin: Updater, ID: 305, X times within the last X 'time')"
- Troubleshoot the errors: "1 of the recently updated CRLs for the certificate chain filter cannot be loaded" and "Download of Certificate chain filter failed for node xxxxxxxx-xxxx-xxxx-xxxxxx (HOSTNAME)(Origin: Updater, ID: 1652)"
Troubleshoot the error: "An operating system error exception occurred with error message : Connection refused because the centralized updater tried to connect to host www.example-URL.domain (Origin: Updater, ID: 305, X times within the last X 'time')"
- Identify the Certificate Authority whose CRL triggered the error.
In the Web Gateway UI, go to Troubleshooting, Log files, mwg-errors, and find the mwg-coordinator.errors.log that matches the time frame of the warning in your Dashboard. An entry in the log corresponds to the time of the warning in your Dashboard. The entry includes the complete CRL URI that Web Gateway tried to connect to. Example:
Failed to connect to host: 'http://crl.aol.com/AOLMSPKI/aolServerCert.crl' caught exception: 'COSErrException' with errorcode: '101', message:'errno: 101 - 'Network is unreachable
- Test the CRL URI.
Use the CRL URI you found in Step 1 and try to retrieve the file using these three methods:
NOTE: Test with both the web browser and with Web Gateway to see whether the problem stays consistent or occurs only when going through Web Gateway.
- Request the URL in a web browser that is not going through Web Gateway.
- Request the URL in a web browser from outside of your network.
- Use the wget command from your Web Gateway to request the file. Example:
wget http://crl.comodo.net/UTN-USERFIRST.crl
- Examine the results.
- If all three tests fail, the problem is the server hosting the CRL. The server host is likely down. Use the following guidance:
- If you are using a local known CA list, you can manually remove the CRL URI from this Certificate Authority. After the URI is removed, Web Gateway will no longer fetch it during its scheduled update.
- If you are using the McAfee-maintained list, open a case with Technical Support and request that McAfee update or remove the CRL in question. Provide a feedback file (Troubleshooting, Feedback) and the CRL URI. See the Related Information section of this article for contact details.
- If A and C fail, the problem likely lies within your network where a network device, such as a firewall, is blocking connectivity to the server hosting the CRL.
- If only C fails, the problem likely lies within the network path upstream of the Web Gateway.
Troubleshoot the errors: "1 of the recently updated CRLs for the certificate chain filter cannot be loaded" and "Download of Certificate chain filter failed for node xxxxxxxx-xxxx-xxxx-xxxxxx (HOSTNAME)(Origin: Updater, ID: 1652)"
- Identify the Certificate Authority whose CRL triggered the error.
In the Web Gateway UI, go to Troubleshooting, Log files, mwg-errors, and find the mwg-coordinator.errors.log that matches the time frame of the warning in your Dashboard. An entry in the log corresponds to the time of the warning in your Dashboard. The entry includes a reference to the CRL URI. Example:
Failed to download file: 'UTN-USERFirst-NetworkApplications.crl'.
- Search your known Certificate Authority list (local or McAfee-maintained) for the CRL URI.
- If you are using the McAfee-maintained list, you can search the list at Policy, Lists, Subscribed Lists, Certificate Authority, Known CAs (McAfee Maintained). Use the filter field to search for the CRL URI you found in Step 1.
- If you are using a locally maintained list, you can search the list at: Policy, Lists, Custom Lists, Certificate Authority. Search for the CRL URI you found in Step 1.
- Test the CRL URI.
Use the CRL URI from the Certificate Authority you found in Step 2 and try to retrieve the file using these two methods:
- Request the URL in your web browser.
- Use the wget command from your Web Gateway and request the file. This method is preferred because your local browser might see different results than Web Gateway. Web Gateway is the entity trying to download the file. Example:
wget http://crl.comodo.net/UTN-USERFIRST.crl
- Examine the results.
If the CRL is available, the browser downloads a .crl file from the web server.
- A successful download of the .crl file indicates that there is not a problem with the server hosting the .crl. If you can successfully download the CRL from your browser and Web Gateway, but are still seeing the error in your Dashboard, use these steps:
- Verify that there is not another CRL that is triggering the warning. See Step 1.
- Open a case with Technical Support and provide a feedback file (Troubleshooting, Feedback). See the Related Information section of this article for contact details.
- If you do not receive a .crl file, there is a problem with the server hosting the file, or the location of the CRL URI has changed. In this case, you might get redirected to another webpage or download an .html file instead. In this case, Web Gateway could not process the .crl file and would report the error. If you are not able to download the CRL from your browser and Web Gateway, follow these remediation steps:
- If you are using a local known CA list, you can manually remove the CRL URI from this Certificate Authority. After the URI is removed, Web Gateway will no longer fetch it during its scheduled update.
- If you are using the McAfee-maintained list, open a case with Technical Support and request that McAfee update or remove the CRL in question. Provide a feedback file (Troubleshooting, Feedback) and the CRL URI. See the Related Information section of this article for contact details.
|
