Posted on 12-30-2019 09:29 AM
Hello,
My company currently uses Blue Coat Unified Agent as a cloud proxy solution. My Fleet currently runs Mojave 10.14.6 and everything worked just fine until 12/26/2019. Apparently Symantec did maintenance on the agent and now it automatically goes into failure mode on MacOS Mojave. Symantec says that the "solution" is to delete and reinstall the Entrust.net Certification Authority (2048) which is not possible without disabling SIP. That is NOT a solution. Oddly enough the agent still works on 10.13.6 and 10.15.2. I've installed a fresh version of 10.14.6 (no other software installed) and the agent still crashes. Has anyone else run into this?
Solved! Go to Solution.
Posted on 12-30-2019 01:06 PM
We were able to fix this by making sure that the computers are on the latest version of MacOS which distributes the new Entrust.net certificate and then install Symantec WSS 6.1.1 which is what's replacing Blue coat.
Posted on 12-30-2019 09:46 AM
Hi,
What version number is the updated agent? I'm currently testing 4.10.6.230466 on my machine in preparation for a full rollout later in January.
Posted on 12-30-2019 11:35 AM
@tomt My fleet is currently running on version 4.10.2.21004, but I've also tested 4.10.6.230466 with Symantec and the problem persists.
Posted on 12-30-2019 01:06 PM
We were able to fix this by making sure that the computers are on the latest version of MacOS which distributes the new Entrust.net certificate and then install Symantec WSS 6.1.1 which is what's replacing Blue coat.
Posted on 12-31-2019 07:35 AM
@VladCabrera you're right. WSS 6.1.1 seems to be the only solution at the moment. I'm going to remove BC from my fleet and install WSS in its place.
Posted on 12-31-2019 07:43 AM
Symantec has stated this is a problem only on Mojave clients:
In Mojave the deprecated cert is listed first and so BCUA uses that. Easiest fix is to upgrade to WSS 6.1.1 like above posts have stated. Or upgrade to Catalina which is a bit aggressive.
Posted on 12-31-2019 08:24 AM
Add another one to the list of companies impacted by this. We had to change our failure mode to fail open. It caused a major outage on the day after Christmas. Really unhappy about Symantec's support on this unforced error.
Thanks to all the suggestions on this tread.
Posted on 12-31-2019 09:56 AM
I'm having the same issue. Below is what Symantec asked us to do for all our Macs. This is making no sense since the Entrust Cert is NOT expired, however, doing this process does seem to fix the issue.
Here's the error I'm getting:
"Server's certificate failed validation at depth: 2, CN = Entrust.net Certification Authority (2048), error = certificate has expired"
Here's the article they keep throwing at me:
https://support.symantec.com/us/en/article.tech242793.html
That article speaks to level "failed validation at depth: 1" we have "depth: 2". Symantec won't tell me what that means.
I can verify that this has affected our fleet as well and I'm posting to help others understand the severity. No real support is coming from Symantec so I think I'm stuck doing what VladCabrera suggested.
Some further digging has brought this article to light:
https://portal.threatpulse.com/docs/am/connectivity/endpoint/agent/conn-about-wssa.htm
The tip on that page was very insightful:
Tip: This and related topics refer to the agent as the WSS Agent, which is the recommended agent. However, until further notice, Symantec will continue to support Unified Agent on Windows 7/8 and macOS Sierra Operating Systems only until those operating systems reach end-of-life by their respective vendors.
I guess updating the agent the day after Christmas and breaking it is one way to move people to a new agent.
Some helpful hints where given on Slack MacAdmins #symantec
Posted on 12-31-2019 10:00 AM
Hi @swolosin:
What is the output when you run the following command in terminal:
security find-certificate -a -Z -c "Entrust.net Certification Authority (2048)" "/System/Library/Keychains/SystemRootCertificates.keychain" | grep -e 'SHA-1 hash:' | cut -c 13-54
Posted on 12-31-2019 10:15 AM
@swolosin This issue is that the OS features two Entrust.net Certification Authority (2048) certificates. The agent is referencing the one that expired on 12/24/2019. To view the expired certificate: KeyChain Access>View>Show Invisible Items. The expired Entrust.net Certification Authority (2048) certificate will now appear. For some reason macOS Mojave seems to give the expired cert priority over the valid cert. High Sierra and Catalina don't exhibit the same behavior.
Posted on 12-31-2019 11:15 AM
Posted on 12-31-2019 11:20 AM
Yep, thats why it works in Catalina. The non-expired cert is listed first.
I was able to successfully delete the old via the commands from cert and validated it via the above command, however, way easier to upgrade to WSS 6.1.1.