My company currently uses Blue Coat Unified Agent as a cloud proxy solution. My Fleet currently runs Mojave 10.14.6 and everything worked just fine until 12/26/2019. Apparently Symantec did maintenance on the agent and now it automatically goes into failure mode on MacOS Mojave. Symantec says that the "solution" is to delete and reinstall the Entrust.net Certification Authority (2048) which is not possible without disabling SIP. That is NOT a solution. Oddly enough the agent still works on 10.13.6 and 10.15.2. I've installed a fresh version of 10.14.6 (no other software installed) and the agent still crashes. Has anyone else run into this?
Solved! Go to Solution.
Add another one to the list of companies impacted by this. We had to change our failure mode to fail open. It caused a major outage on the day after Christmas. Really unhappy about Symantec's support on this unforced error.
Thanks to all the suggestions on this tread.
I'm having the same issue. Below is what Symantec asked us to do for all our Macs. This is making no sense since the Entrust Cert is NOT expired, however, doing this process does seem to fix the issue.
Here's the error I'm getting:
"Server's certificate failed validation at depth: 2, CN = Entrust.net Certification Authority (2048), error = certificate has expired"
Here's the article they keep throwing at me:
That article speaks to level "failed validation at depth: 1" we have "depth: 2". Symantec won't tell me what that means.
I can verify that this has affected our fleet as well and I'm posting to help others understand the severity. No real support is coming from Symantec so I think I'm stuck doing what VladCabrera suggested.
Some further digging has brought this article to light:
The tip on that page was very insightful:
Tip: This and related topics refer to the agent as the WSS Agent, which is the recommended agent. However, until further notice, Symantec will continue to support Unified Agent on Windows 7/8 and macOS Sierra Operating Systems only until those operating systems reach end-of-life by their respective vendors.
I guess updating the agent the day after Christmas and breaking it is one way to move people to a new agent.
Some helpful hints where given on Slack MacAdmins #symantec
@swolosin This issue is that the OS features two Entrust.net Certification Authority (2048) certificates. The agent is referencing the one that expired on 12/24/2019. To view the expired certificate: KeyChain Access>View>Show Invisible Items. The expired Entrust.net Certification Authority (2048) certificate will now appear. For some reason macOS Mojave seems to give the expired cert priority over the valid cert. High Sierra and Catalina don't exhibit the same behavior.