NetWitness Upgrade Precheck - Certificate Chain Probe error

Issue

During a NetWitness Platform upgrade, if an incorrect or corrupted node-cert.chain file is used, communication between the Admin server and the Node-X servers breaks down.

The Certificate Chain Probe status fails and shows the message below:
One or more of the following certificates are messed up : node-cert.chain, node-cert.pem, ssca-cert.pem, nwca-cert.pem

Cause

Communication between the Admin server and the Node-X server breaks down if the node-cert.chain file is inaccurate or corrupted, or if it does not contain node-cert.pem, ssca-cert.pem, and nwca-cert.pem.


Resolution

1. The node-cert.chain file is a concatenation of the following files in the mentioned order: node-cert.pem, ssca-cert.pem and nwca-cert.pem.

2. Verify that the certificates in the node-cert.chain file are in the order mentioned above and that the certificates are correct.
node-cert.chain file path: /etc/pki/nw/node/node-cert.chain
cat /etc/pki/nw/node/node-cert.chain

3. The individual certificates can be verified from the following files:
node-cert.pem file path: /etc/pki/nw/node/node-cert.pem
cat /etc/pki/nw/node/node-cert.pem

ssca-cert.pem file path: /etc/pki/nw/ca/ssca-cert.pem
cat /etc/pki/nw/ca/ssca-cert.pem

nwca-cert.pem file path: /etc/pki/nw/ca/nwca-cert.pem
cat /etc/pki/nw/ca/nwca-cert.pem

4. If any one of the three certs is incorrect within the node-cert.chain file, or the node-cert.chain file is corrupted in some way, follow either of the methods below to fix the issue.

The two methods to correct the node-cert.chain file are:

Method 1:
Manually edit the node-cert.chain file so that it matches the contents of node-cert.pem, ssca-cert.pem, and nwca-cert.pem certs in the order mentioned here.

Method 2 (Best Practice):
Run the following commands as root to correct the node-cert.chain file or create a new file:
# cp /etc/pki/nw/node/node-cert.chain /root/node-cert.chain.bakup
# cat /etc/pki/nw/node/node-cert.pem /etc/pki/nw/ca/ssca-cert.pem /etc/pki/nw/ca/nwca-cert.pem > /etc/pki/nw/node/node-cert.chain
The first command makes a backup copy of the original node-cert.chain. The second creates a new, clean node-cert.chain file by writing the contents of the three required pem files into it.

After successfully running the commands, verify the node-cert.chain file to make sure that it matches the contents of the node-cert.pem, ssca-cert.pem, and nwca-cert.pem files in the mentioned order.
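
One way to script the verification described in steps 2 and 3 and after Method 2, as an added example (not NetWitness tooling and not part of the original article). The function names are hypothetical, the paths are the ones given above, and the sample files are constructed placeholders rather than real certificates.

```shell
#!/bin/bash
# Added example: check that node-cert.chain holds node-cert.pem, ssca-cert.pem
# and nwca-cert.pem, in that order. Only certificate blocks are compared, so
# CRLF line endings, blank lines and stray whitespace do not cause false alarms.

# Print the Nth (1-based) certificate block of a file, normalised.
nth_cert() {
    tr -d '\r' < "$1" | awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n == want { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "") print }
        /-----END CERTIFICATE-----/ { inside = 0 }'
}

# check_chain CHAIN NODE SSCA NWCA: returns 0 only if CHAIN is exactly those three.
check_chain() {
    chain=$1; shift; rc=0; pos=1
    [ -r "$chain" ] || { echo "FAIL: cannot read $chain"; return 2; }
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain" || true)
    [ "$count" -eq 3 ] || { echo "FAIL: $chain has $count BEGIN line(s), expected 3"; rc=1; }
    for src in "$@"; do
        expected=$(nth_cert "$src" 1)
        if [ -n "$expected" ] && [ "$expected" = "$(nth_cert "$chain" "$pos")" ]; then
            echo "OK:   position $pos matches $src"
        else
            echo "FAIL: position $pos does not match $src"; rc=1
        fi
        pos=$((pos + 1))
    done
    return "$rc"
}

# Constructed placeholder files (not real certificates) for an offline dry run.
make_sample() {
    for name in node ssca nwca; do
        printf '%s\nCONSTRUCTED-%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$name" \
            '-----END CERTIFICATE-----' > "$1/$name-cert.pem"
    done
}

if [ -r /etc/pki/nw/node/node-cert.chain ]; then    # paths as given in the article
    check_chain /etc/pki/nw/node/node-cert.chain /etc/pki/nw/node/node-cert.pem \
        /etc/pki/nw/ca/ssca-cert.pem /etc/pki/nw/ca/nwca-cert.pem
else
    d=$(mktemp -d); make_sample "$d"
    cat "$d/node-cert.pem" "$d/ssca-cert.pem" "$d/nwca-cert.pem" > "$d/node-cert.chain"
    check_chain "$d/node-cert.chain" "$d/node-cert.pem" "$d/ssca-cert.pem" "$d/nwca-cert.pem"
    rm -rf "$d"
fi
```

A nonzero exit status means at least one position in the chain does not match its source file, and the chain file should be rebuilt with one of the methods above.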
 
 
 

Product Details

Product Set: NetWitness Platform
Product/Service Type: Admin server & Node-X
Version/Condition: 12.4 or later
Platform: Alma Linux

Summary

When the Pre Upgrade Check tool runs the Checklist in the Precheck tool, the Certificate Chain Probe verifies whether the node-cert.chain file is a combination of the node-cert.pem, ssca-cert.pem, and nwca-cert.pem files. If the node-cert.chain file is incorrect or corrupted, the Certificate Chain Probe returns a Failed status.

