This document addresses deployment failures caused by issues with the Console Root Certificate.
After upgrading from 9.x to 9.2, deployments fail.
- ST.ServiceHost.managed.log shows one or more of the following:
2016-01-18T16:08:24.6388150Z 0026 V Pki.cs:60|Found root certificate in state 'InvalidHashAlgorithm, ReissuePending' and console certificate in state 'InvalidHashAlgorithm'.
2016-01-18T16:08:24.6388150Z 0026 I Pki.cs:64|Action required, evaluating root certificate state(s) InvalidHashAlgorithm, ReissuePending.
2016-01-18T16:08:24.6544408Z 0026 I Pki.cs:224|A root certificate reissue is pending. Waiting '26.00:00:01.3455592' to commit.
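The three log lines above can be triaged without reading them by hand. The following PowerShell script is an added example (it is not part of the original article and is not Shavlik/LANDESK code). It parses the Pki.cs messages, reports the root and console certificate states, and computes when the pending reissue is due to commit from the logged timestamp plus the .NET TimeSpan in the "Waiting" message. It assumes the line layout is exactly as quoted above (ISO-8601 UTC timestamp, thread id, level, source:line|message); the sample lines embedded below are the ones from this article, and the log file path is left for you to supply.

```powershell
# Added example: triage ST.ServiceHost.managed.log for the root certificate reissue state.
# Assumption: each line is "<ISO-8601 UTC timestamp> <thread> <level> <file>:<line>|<message>".
function Get-RootCertificateStatus {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )

    $result = [ordered]@{
        RootStates     = @()
        ConsoleStates  = @()
        ReissuePending = $false
        ActionRequired = $false
        CommitDueUtc   = $null
    }

    foreach ($line in $LogLines) {
        # "Found root certificate in state 'A, B' and console certificate in state 'C'."
        if ($line -match "Found root certificate in state '([^']+)' and console certificate in state '([^']+)'") {
            $result.RootStates     = $Matches[1] -split ',\s*'
            $result.ConsoleStates  = $Matches[2] -split ',\s*'
            $result.ReissuePending = ($result.RootStates -contains 'ReissuePending')
            continue
        }
        if ($line -match 'Action required') {
            $result.ActionRequired = $true
            continue
        }
        # "A root certificate reissue is pending. Waiting '26.00:00:01.3455592' to commit."
        # The wait is a .NET TimeSpan (d.hh:mm:ss.fffffff); add it to the line's own timestamp.
        if ($line -match "^(\S+)\s.*Waiting '([^']+)' to commit") {
            $logged = [DateTimeOffset]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
            $wait   = [TimeSpan]::Parse($Matches[2], [cultureinfo]::InvariantCulture)
            $result.CommitDueUtc = $logged.Add($wait).UtcDateTime
        }
    }
    [pscustomobject]$result
}

# Constructed sample input: the three lines quoted in this article.
$sample = @'
2016-01-18T16:08:24.6388150Z 0026 V Pki.cs:60|Found root certificate in state 'InvalidHashAlgorithm, ReissuePending' and console certificate in state 'InvalidHashAlgorithm'.
2016-01-18T16:08:24.6388150Z 0026 I Pki.cs:64|Action required, evaluating root certificate state(s) InvalidHashAlgorithm, ReissuePending.
2016-01-18T16:08:24.6544408Z 0026 I Pki.cs:224|A root certificate reissue is pending. Waiting '26.00:00:01.3455592' to commit.
'@ -split "`r?`n"

$status = Get-RootCertificateStatus -LogLines $sample
$status | Format-List

# A due date in the past with the root still 'ReissuePending' means the scheduled retry
# has not been able to commit, which in this article's scenario points at agents that
# have not checked in or are not at the console's version.
if ($status.ReissuePending -and $status.CommitDueUtc -and $status.CommitDueUtc -lt [DateTime]::UtcNow) {
    Write-Warning "Root reissue was due at $($status.CommitDueUtc) UTC and is still pending; check agent state before committing."
}

# Against a real console, read the log instead of the sample (supply the path to ST.ServiceHost.managed.log):
# $status = Get-RootCertificateStatus -LogLines (Get-Content '<path to ST.ServiceHost.managed.log>')
```

For the quoted lines the function reports RootStates InvalidHashAlgorithm and ReissuePending, ConsoleStates InvalidHashAlgorithm, and a CommitDueUtc of 2016-02-13T16:08:25Z (26 days and roughly one second after the logged time).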
If STMgmt.exe -test_console is run (open a command prompt as administrator, change directory to C:\Program Files\LANDESK\Shavlik Protect, and execute STMgmt.exe -test_console; the path will differ if you specified an alternate install directory), you will see one of the three errors listed in the screenshot below. (Some items in the command results are hidden because they display sensitive information.)
Under the -test_console results summary you will see Root Authority Configuration --> Warning or Failed. All other summary items may show Failed as well. (Some items in the command results are hidden because they display sensitive information.)
When upgrading from 9.0/9.1 to 9.2 the console certificate is upgraded. If the console has agents in an invalid state (the agent is not at the current version, has not checked in since the upgrade, or has not checked in for more than 45 days), the console schedules a retry of the certificate upgrade at a later date instead of committing it immediately. If the agent issues are not resolved, the console certificate may expire or remain in the InvalidHashAlgorithm state.
If you force commit the root certificate (explained below) without resolving the displayed agent warnings, you will break communication between those agents and the console. Ignoring the warnings and force committing the root will require you to reinstall the agents listed.
To check the status of the Protect console certificates, use the link under the description section of this document or follow the steps below. In the results summary, look for Warning or Failed.
1) Open a Command Prompt as Administrator
2) Change your directory to the install directory of Shavlik Protect: C:\Program Files\LANDESK\Shavlik Protect (this path will be different if you have specified an alternate install directory).
3) Run the command: STMgmt.exe -test_console
4) Your results should look similar or identical to the screenshots in the description.
5) To commit the pending root certificate, run the following command: STMgmt.exe -commit_root
a) When the command completes successfully you should see "Certificate Operation Performed", followed by "The service 'STConsoleSvc' was successfully stopped" and "Complete successfully".
b) If the command does not complete successfully you will see the output below:
Each of the entries above references "check-in required", meaning the agent needs to check in to the console to synchronize itself. Often a machine with an agent installed is retired without being deleted from the console's Machine View. Alternatively, an agent may be listed in the warning because its version does not match the console version.
6) If the commit root command fails with warnings, cross-reference the machine names listed against Machine View and identify the issue. You might see in Machine View that the "Last Agent Check-In" was two weeks ago because the laptop has not been turned on since; to keep that agent working, turn on the machine and have it check in. You may also see in Machine View that the "Agent Version" is not current; the agent must be updated before you can commit the root certificate.
7) ***THIS WILL BREAK CONSOLE/AGENT COMMUNICATION WITH AGENTS DISPLAYING PROBLEMS*** Alternatively, you can force commit the root certificate; however, if machines display Warnings under the Summary this is not advised. Forcing the root certificate to commit while agents are in this state permanently breaks those agents' ability to communicate with the console, and the agents with warnings will have to be reinstalled manually. With that in mind, the command to force commit the pending root certificate is: STMgmt.exe -commit_root -force
8) Once you have fixed the agents with problems and committed the root (or force committed it), run STMgmt.exe -test_console again. You should see Passed for all items in the summary.
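Steps 1 to 8 above are a sequence that is easy to get wrong under pressure, in particular reaching for -force while agents still show warnings. The following PowerShell script is an added example (not part of the original article and not Shavlik/LANDESK code) that runs the procedure safely: it checks for elevation, runs -test_console, refuses to commit while any summary line reports Warning or Failed, echoes the "check-in required" agent lines so they can be looked up in Machine View, runs -commit_root without -force, verifies the three confirmation strings from step 5a, and re-runs -test_console. It assumes STMgmt.exe writes plain text containing the words Passed, Warning, Failed and "check-in required" as described above; the exact line layout of that output is not documented here, so the regular expressions are best-effort and the install directory is a variable you may need to change.

```powershell
# Added example: gated root certificate commit for a Shavlik Protect 9.2 console.
# Assumption: STMgmt.exe output contains the words quoted in this article; line layout is not documented.
$InstallDir = 'C:\Program Files\LANDESK\Shavlik Protect'   # change if you used an alternate install directory
$STMgmt     = Join-Path $InstallDir 'STMgmt.exe'

# STMgmt.exe must be run from an elevated prompt, so fail early if we are not an administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this script from an elevated (Administrator) PowerShell session.'
    exit 1
}
if (-not (Test-Path $STMgmt)) {
    Write-Error "STMgmt.exe not found at $STMgmt; set `$InstallDir to your Shavlik Protect install directory."
    exit 1
}

function Invoke-STMgmt {
    param([Parameter(Mandatory)] [string[]] $Arguments)
    # Capture stdout and stderr together as plain strings so they can be pattern matched.
    $lines = & $STMgmt @Arguments 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Lines = $lines }
}

function Test-ConsoleReady {
    $test     = Invoke-STMgmt -Arguments @('-test_console')
    $problems = @($test.Lines | Where-Object { $_ -match '\b(Warning|Failed)\b' })
    $agents   = @($test.Lines | Where-Object { $_ -match 'check-in required' })
    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
        Agents   = $agents
        Output   = $test.Lines
    }
}

# Step 1-4: test the console and stop if anything is Warning or Failed.
$before = Test-ConsoleReady
if (-not $before.Ready) {
    Write-Warning 'Console is not ready to commit the root certificate:'
    $before.Problems | ForEach-Object { Write-Warning "  $_" }
    if ($before.Agents.Count -gt 0) {
        Write-Warning 'Agents that must check in or be updated first (look these up in Machine View):'
        $before.Agents | ForEach-Object { Write-Warning "  $_" }
    }
    Write-Warning 'Resolve these agents, then re-run. This script never passes -force; forcing breaks those agents.'
    exit 2
}

# Step 5: commit the pending root (no -force) and check for the confirmation strings from step 5a.
$commit = Invoke-STMgmt -Arguments @('-commit_root')
$text   = $commit.Lines -join "`n"
$committed = ($text -match 'Certificate Operation Performed') -and
             ($text -match "The service 'STConsoleSvc' was successfully stopped") -and
             ($text -match 'Complete successfully')
if (-not $committed) {
    Write-Warning "-commit_root did not report success (exit code $($commit.ExitCode)). Output:"
    $commit.Lines | ForEach-Object { Write-Warning "  $_" }
    exit 3
}
Write-Host 'Root certificate committed.'

# Step 8: re-test; every summary item should now be Passed.
$after = Test-ConsoleReady
if ($after.Ready) {
    Write-Host '-test_console reports no Warning or Failed items.'
} else {
    Write-Warning 'Items still not Passed after commit:'
    $after.Problems | ForEach-Object { Write-Warning "  $_" }
    exit 4
}
```

The script deliberately has no code path that appends -force: if you decide to accept breaking and reinstalling the listed agents (step 7), run STMgmt.exe -commit_root -force by hand so that the decision is explicit.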
Also See: Testing Shavlik Protect Console Certificates- Test And Renew Patch For Windows Console Certificates