KB Article | Forcepoint Support

Problem Description

All Endpoint Clients are disconnected but the Endpoint Server appears to be reachable through a browser at https://<EPServer IP>/ep/endpointserver.dll

However, within EndpointClassfier.log, the following error is received:

"CURL error - Peer certificate cannot be authenticated with known CA certificates".

Causes for the issue include the following:

  • The Management Server certificate chain was recreated through a modify of the DLP installer
  • Forcepoint DLP was reinstalled on the Management Server resulting in new certificates being generated and used
  • Older (or newer) Endpoint packages are being installed with different certificates than the Management Server expects

Resolution

The general solution to this issue is to build new Endpoint Clients on the Management Server and distribute these out throughout the network, as these would contain the new certificates for a proper connection.

However, if the task of pushing out new Endpoints is too impactful, the following steps can be used to just update the certificate files on environments where the Endpoint Client is already installed.
  1. Download the attached VBS script and open it for editing.
  2. Replace the Endpoint anti-tampering password in the script with the once in use on the network if applicable:
    • This is found under line 2: Const EndpointPassword
  3. Import the new certificate string into the script:
    1. On the DSS Management Server, open ca.cer under the DSS installation directory %DSS_HOME% with a text editor and ensure that it matches the same ca.cer on each Endpoint Server
      • If the secondary Windows servers have a different ca.cer, reregister them to the Management Server
    2. Navigate to line 8 within the attached script where the Copy certificate here is displayed

  • Copy each individual line from %DSS_HOME%ca.cer from -----BEGIN CERTIFICATE----- to  -----END CERTIFICATE----- into the script, replacing the existing strings within WriteFile.WriteLine(): as shown below:
User-added image
  1. Save the script
  2. Distribute the script using a method such as GPO
  3. Make a minor change to the Endpoint profile and/or policy in order to increment the Profile or Policy version
When the Endpoint Clients update afterward, they should be able to connect and synchronize.

 

If you would prefer to perform these steps manually or write a script of your own:

  1. In an administrative command prompt, navigate to the Websense Endpoint directory on the local machine
  2. Execute the following command: WDEUtil -set disableAntiTampering=true
  3. Replace the ca.cer file in the Endpoint Client installation directory with the new ca.cer taken from the Management Server
  4. Restart the Endpoint Services:
WDEUtil -stop all
WDEUtil -start all
 

Attachments

cert.vbs

Article Feedback



Thank you for the feedback and comments.