Standalone system updater fails with intermediary subordinate CA in zone or if CASubject does not match initial-web-service URL

  • 7015233
  • 18-Jun-2014
  • 18-May-2017

Environment

Novell ZENworks Configuration Management 11.3

Situation

Standalone system updater fails with intermediary subordinate CA in zone or if CASubject does not match initial-web-service URL

ERROR:
[SystemUpdate] [Checking if device is registered.]
[SystemUpdate] [Initial web service file C:\Program Files (x86)\Novell\ZENworks\conf\initial-web-service found.]
[SystemUpdate] [CA certificate name DC=com, DC=doman, CN=server does not match registry CA certificate name CN=domain Root CA ]
[SystemUpdate] [Device registered to different zone] [ERROR] [] [] []





Resolution

Workaround:

  1. Download the standalone updater to the agent device.
  2. Extract the content of standalone updater using command line -  
  3. "11.4.0.8141 windows 64.exe" -n -d "c:\temp"
  4. This will extract all content bundled with 11.4.0.8141 windows 64.exe in temp directory.
  5. Replace the ca.pem file with new ca certificate chain having full chain.
  6. Run the StandaloneUpdater.exe from temp directory.
Workaround 2:

If a one off, registry can be modified temporarily to change registry:

  1. rename HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Novell\ZCM\CASubject
  2. add HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Novell\ZCM\CASubject to match the top CA subject as seen in logs above.
  3. Run the standalone updater 
  4. Revert the registry change above