
PRB: Updates fail due to SSL certificate issues

This article applies to:

  • Trustwave MailMarshal (SEG) 
  • Trustwave ECM/MailMarshal Exchange 7.X
  • HTTPS Certificates for Internet Access
  • Blended Threats licensing
  • Maintenance Check
  • McAfee for Marshal
  • Sophos for Marshal
  • Bitdefender for Marshal

Symptoms:

  • Installations cannot download updates for Automatic Updates (SpamCensor), or cannot validate Blended Threats or Maintenance
  • Logs show error Unable to get Local Issuer Certificate
  • Virus scanner updaters cannot perform updates or licensing checks
  • Error messages indicate SSL certificate validation errors
  • New installations may display a warning on installation
    • Warning text similar to: The MailMarshal Update service and the Blended Threats Module require SSL certificates currently not installed on this system

Cause:

The most common cause of these symptoms is that required CA root certificates are not installed, so the SSL certificates used by Trustwave websites cannot be validated.

Trustwave uses certificates issued by several authorities, including Microsoft, DigiCert, and Let's Encrypt. All of the root certificates for these authorities are included by default in the Windows certificate store.

As of late 2024, Let's Encrypt certificates may be in use.

  • Currently supported Windows Servers that have the default set of root certificates already have the required certificate (ISRG Root X1). Windows 2012 servers may not have the required certificate.

As of mid-2023, DigiCert is issuing certificates from a new root certificate.

  • This change is required because some browsers will stop trusting older DigiCert roots in 2025. For more details see information from DigiCert.
  • For new certificates to be trusted, you must have the DigiCert Global Root G2 installed as a trusted root certificate in the Windows certificate store.
  • Windows Servers that have automatically installed required updates should already have installed the required certificate.
  • All certificates currently in use are issued from the new root certificate.

Also, you must allow access to Certificate Revocation List servers (such as http://crl3.digicert.com/ and http://c.lencr.org) to allow SSL connections to be validated.
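The three conditions described above (required roots present in the machine store, CRL servers reachable, and a validating TLS handshake to an update site) can be checked with the following PowerShell script, added here as an example and not part of the original article or Trustwave's tooling; the root names, CRL URLs and example update host are taken from this article, while the 5-minute clock-skew threshold is an assumption.

```powershell
# Added diagnostic, not Trustwave tooling. Run in an elevated PowerShell on each
# Array Manager and Processing Node server. Root names, CRL URLs and the example
# update host come from this article; the 5-minute skew threshold is an assumption.
$RequiredRoots = @('DigiCert Global Root G2', 'ISRG Root X1')
$CrlUrls       = @('http://crl3.digicert.com/', 'http://c.lencr.org')
$UpdateHosts   = @('mcafee.marshal.com')

# 1. Required roots present in the machine-wide Trusted Root store?
$rootStore = Get-ChildItem Cert:\LocalMachine\Root
foreach ($name in $RequiredRoots) {
    $hit = @($rootStore | Where-Object { $_.Subject -like "*CN=$name*" })
    if ($hit.Count -gt 0) { Write-Host "OK      root present   : $name (expires $($hit[0].NotAfter.ToShortDateString()))" }
    else                  { Write-Host "MISSING root           : $name (see 'Manual download of certificates')" }
}

# 2. CRL servers reachable? Any HTTP reply (even a 404 for '/') shows the path is
#    open; only a transport-level failure (DNS, blocked port, proxy) counts as unreachable.
foreach ($url in $CrlUrls) {
    $req = [Net.WebRequest]::Create($url); $req.Method = 'HEAD'; $req.Timeout = 10000
    $resp = $null; $errMsg = $null
    try   { $resp = $req.GetResponse() }
    catch { $we = $_.Exception.GetBaseException(); $errMsg = $we.Message
            if ($we -is [Net.WebException]) { $resp = $we.Response } }
    if (-not $resp) { Write-Host "FAIL    CRL unreachable: $url ($errMsg)"; continue }
    Write-Host "OK      CRL reachable  : $url"
    # 3. Clock check (see Notes): a wrong local clock makes valid certificates look expired.
    $dateHeader = [string]$resp.Headers['Date']
    if ($dateHeader) {
        $skew = [datetime]::Parse($dateHeader).ToUniversalTime() - (Get-Date).ToUniversalTime()
        if ([math]::Abs($skew.TotalMinutes) -gt 5) {
            Write-Host "WARNING clock skew     : $([int]$skew.TotalMinutes) min relative to $url"
        }
    }
    $resp.Close()
}

# 4. Does a TLS handshake to the update site validate against the installed roots?
foreach ($h in $UpdateHosts) {
    try {
        $tcp = New-Object Net.Sockets.TcpClient($h, 443)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($h)      # throws when the chain cannot be built or validated
        Write-Host "OK      TLS validated  : $h (issuer: $($ssl.RemoteCertificate.Issuer))"
        $ssl.Dispose(); $tcp.Close()
    } catch { Write-Host "FAIL    TLS validation : $h ($($_.Exception.GetBaseException().Message))" }
}
```

A FAIL on step 4 together with OK on steps 1 and 2 usually points at a proxy performing HTTPS inspection (Causes 2 and 3 below), whose re-encryption certificate is then the missing trust anchor.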

Resolution:

To resolve this issue in most cases, you can take one of the following actions:
  • You may be able to install the certificates automatically by browsing to the affected site (such as https://mcafee.marshal.com) using Internet Explorer or Edge from an administrator account. Once you have successfully browsed to the site, try the updater functionality again.
  • You can manually retrieve the DigiCert Global Root G2 certificate from: https://www.digicert.com/kb/digicert-root-certificates.htm
    • Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.
    • Previous generation certificates (validity starting before March 2023) are issued from the DigiCert Global Root CA certificate. 
  • You can manually retrieve the ISRG Root X1 certificate from https://letsencrypt.org/certificates/.
    • Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.

Once the root certificate is installed, all functions requiring web access should work.


Other possible causes:

Cause 2: Access through WebMarshal 

If Web access for SEG/MailMarshal or a virus scanner updater is through a WebMarshal installation that is configured for HTTPS content inspection, it is possible that the root certificates are not installed for the account(s) used by the Engine service, Array Manager service, and/or virus updater services. 

Note: This cause only applies when Web access is through a WebMarshal installation that has HTTPS content inspection enabled for the specific update sites. Inspection is disabled by default.

  • WebMarshal HTTPS Content Inspection uses a special locally generated root certificate. This certificate is installed into the user's certificate store by default. It is not available for service accounts by default.
  • WebMarshal makes an exception for the SpamCensor update site, but current versions do not make an exception for the Blended threats site.

Resolution - WebMarshal certificate:

To resolve this issue, on each SEG/MailMarshal server, manually install the WebMarshal root certificate using the Windows Certificate Management console:

  1. Download the certificate from the WebMarshal.Home page of the WebMarshal installation.
  2. Run Microsoft Management Console (MMC.exe).
  3. Choose to add a snap-in and select the Certificates snap-in.
  4. Choose to manage certificates for the Computer account.
  5. Open Trusted Root Certification Authorities > Certificates.
  6. Import the certificate.

Alternatively, you might choose to bypass the proxy completely, or disable HTTPS inspection, for the update URLs required by Trustwave products.

Cause 3: Access through a third party proxy

If Web access for MailMarshal/SEG or a virus scanner updater is through a third party proxy configured for HTTPS content inspection, you may need to complete further configuration.

Note: This cause only applies when Web access is through a third party proxy server that has HTTPS content inspection enabled.

  • The proxy server might not have the required CA certificates installed.
  • The certificate used for local re-encryption might not be installed on the MailMarshal servers.

Resolution - third party proxy:

To resolve this issue, consult the documentation for the third party proxy and ensure the following:

  • Verify that all required CA certificates are installed on the proxy server. See the list in the Resolution section, above.
  • Verify that the certificate used for re-encryption (and any CA or intermediate certificates) is installed on the MailMarshal servers.

    1. Obtain the certificate(s) required. See the list in the Manual download section below.
    2. On each server in the installation, run Microsoft Management Console (MMC.exe).
    3. Choose to add a snap-in and select the Certificates snap-in.
    4. Choose to manage certificates for the Computer account.
    5. Import the certificate(s) to the appropriate locations. In most cases Windows will select the locations automatically.
  • Alternatively, you might choose to bypass the proxy completely for the update URLs required by Trustwave products. See the documentation for the proxy server.

Additional technical details:

  • Some Windows releases install a very limited set of SSL CA certificates by default. Additional certificates are downloaded on demand.
    • Windows Group Policy can be set to disable the on-demand downloads.

Manual download of certificates:

You can also manually download and install the required CA certificates using the Windows Certificate Management console.

Install the certificates on Array Manager and Processing Node servers.

  1. Download the root certificate.
  2. Run Microsoft Management Console (MMC.exe).
  3. Choose to add a snap-in and select the Certificates snap-in.
  4. Choose to manage certificates for the Computer account.
  5. Open Trusted Root Certification Authorities > Certificates.
  6. Import the root certificate.
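The same import as a PowerShell script, added here as an example rather than Trustwave's own tooling; it also covers the WebMarshal root (Cause 2) and a proxy re-encryption CA (Cause 3). It refuses files that are not CA certificates or are not valid at the current system time, chooses the Trusted Root or Intermediate store by whether the certificate is self-signed, and shows the thumbprint for comparison against the CA's published value before importing. The file path is a placeholder.

```powershell
# Added script, not Trustwave tooling: the PowerShell equivalent of the MMC import
# steps above, with sanity checks first. Run elevated on each Array Manager and
# Processing Node server. $CertFile is a placeholder path to a CA certificate you
# downloaded yourself (DigiCert Global Root G2, ISRG Root X1, the WebMarshal root,
# or a proxy re-encryption CA).
param([string]$CertFile = 'C:\Temp\root-ca.crt')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
$now  = Get-Date

# Refuse anything that is not a CA certificate valid at the current system time.
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate not valid at local time $now (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter)); check the clock."
}
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate (Basic Constraints CA=false or absent); it does not belong in a trust store."
}

# Self-signed CA -> Trusted Root Certification Authorities; intermediate -> Intermediate CAs.
$storePath = if ($cert.Subject -eq $cert.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }

if (Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
    Write-Host "Already present in $storePath : $($cert.Subject)"
    return
}
Write-Host "Subject     : $($cert.Subject)"
Write-Host "Issuer      : $($cert.Issuer)"
Write-Host "SHA-1 thumb : $($cert.Thumbprint)"
# Compare the thumbprint with the value the CA publishes before confirming;
# a machine-wide trust anchor should never be installed on file name alone.
if ((Read-Host "Import into $storePath ? (y/N)") -eq 'y') {
    Import-Certificate -FilePath $CertFile -CertStoreLocation $storePath | Out-Null
    Write-Host "Imported. Re-run the updater to confirm the SSL error is gone."
}
```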

Notes:

Verify your system clock is accurate. Certificates might be rejected if they are "out of date" according to the local system time.

If none of the above solutions resolve your issue, contact Technical Support for help in diagnosing and resolving the problem.
