Hello everyone, I received a mail from ITGlue support that the certificate chain on our VSA server is faulty. You can check that here: https://www.digicert.com/help/ I get an error message "The server is not sending the required intermediate certificate."
Is there something wrong with the VSA firewall? Is there something that is not properly taken over? I have checked the installed certificate and even recreated it and integrated it with the Kaseya Firewall SSL Tool. Everything is in the certificate: root, intermediate, certificate, private key. Now I'm starting to get confused. Can someone please give me a hint? Thx
I assume you're on prem?
Check your cert here.
It is probably missing an intermediate cert. https://whatsmychaincert.com/
Most browsers can deal with missing intermediate certs, but the mobile app for VSA and BMS does not.
I have re-integrated the intermediate certificate several times. The problem remains. I have now invested several hours in it, it remains the same. The mobile app works perfectly. Itglue says they will change something soon and then the sync between vsa and itglue won't work anymore.
I have read this manual several times, especially point 15 and also the manual under the link in point 15.
Here is the error I get when I use your link:
An error occurred when building the chain for this certificate. The certificate might lack necessary metadata or its certificate authority might be malfunctioning. Details:
* The chain contains an untrusted certificate without standard CA issuer information (subject = "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1"; issuer = "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"; error code = 20)
Even if I want to have the chain rebuilt there.
exitsys, we just went through the same thing. 1) Make sure the intermediate certificate has been imported into IIS. 2) Make sure you have checked all the correct boxes when you are exporting the certificate... There are 2 boxes.
I don't quite see why we need to export anything. We have all the certificates as a file, as well as private key and CSR. We have created a p12 in which everything is available and also individually imported only the intermediate certificate.
exitsys, we ran into the same thing, and I spent way too much time trying to fix it on my own. I ended up opening a ticket with Kaseya support and they resolved it in a matter of minutes. Like you, I'd imported the intermediate cert. What I had to do was export the cert with intermediate certs and private key, then use the Kaseya cert import tool (c:\kaseya\services\kaf-tool.exe) to re-import.
I think you have to export it so that the Kaseya import tool recognizes the intermediate certs as well. Then restart the edge service. After doing that, it passed all cert tests.
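A way to confirm, before re-importing, that the exported .pfx really carries the intermediate certificate alongside the server certificate. This is an added example, not part of the thread and not Kaseya's tooling; the function name `Test-PfxChain` and the file path in the usage comment are hypothetical placeholders.

```powershell
# Added example: inspect an exported .pfx for its bundled CA certificates.
# Test-PfxChain is a hypothetical helper name, not a built-in cmdlet.
function Test-PfxChain {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Get-PfxData (PKI module) parses the file without installing it in a store.
    $pfx  = Get-PfxData -FilePath $Path -Password $Password
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $Path" }

    $bundled = @($pfx.OtherCertificates)
    $current = $leaf
    $walk    = @()

    # Follow issuer -> subject links using only certificates inside the file.
    # This matches by distinguished name; it does not verify signatures.
    while ($current.Subject -ne $current.Issuer -and $walk.Count -lt 10) {
        $issuer = $bundled |
            Where-Object { $_.Subject -eq $current.Issuer } |
            Select-Object -First 1
        if (-not $issuer) { break }
        $walk   += $issuer
        $current = $issuer
    }

    # If the walk stopped early, record which issuer was not in the file.
    $missing = $null
    if ($current.Subject -ne $current.Issuer) { $missing = $current.Issuer }

    [pscustomobject]@{
        Leaf               = $leaf.Subject
        LeafIssuer         = $leaf.Issuer
        BundledCaCount     = $bundled.Count
        # False means the file holds no certificate for the leaf's direct issuer,
        # so a server loaded from it has no intermediate to send.
        LeafIssuerBundled  = ($walk.Count -gt 0)
        ChainFoundInFile   = $walk.Subject
        # A missing root here is normal; clients carry roots in their trust store.
        FirstMissingIssuer = $missing
    }
}

# Usage (placeholder path):
# Test-PfxChain -Path 'C:\path\to\exported.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

`LeafIssuerBundled` being `False` corresponds to an export made without the certification-path option; the external checkers linked in the thread then report a missing intermediate.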
So, by saying that, it seems like you aren’t following the instructions? This is one of those times where you need to just accept the process and follow it. This all starts in IIS. Once you have your cert in the Personal folder and the Intermediates in the intermediate folder, you just export it per the instructions. Don’t forget to give it a password, and record that somewhere. Take the exported cert, and put it somewhere permanent. It is not a temporary load, it needs to refer back to it.
Import, verify, restart Edge services and you will hopefully be good.
Hello Chris, it seems that there are no exact instructions how to do this, if so please tell me where I can find them?
This has indeed led to the solution of the problem.
You referenced it earlier... helpdesk.kaseya.com/.../115000637668-Using-An-Existing-SSL-Certificate-R9-4-or-later
The only thing that is probably not in there is import of the intermediate certificates; you should be able to get instructions for that from the cert vendor.
For me, it just meant that if I wanted to export it, I could do so. Since I had the complete certificate including private key, root and intermediate certificate as a file, I saw no reason to export it and skipped this chapter completely.
Hello Chris, thanks for asking. Yes, it works now.