
Troubleshooting: IGEL OS 12 Devices Failing to Connect to the ICG Due to Expired Client Certificates

IGEL OS 12 devices need valid client certificates to connect to the IGEL Universal Management Suite (UMS) through the IGEL Cloud Gateway (ICG). Client certificates expire 1 year after device registration in the UMS. On devices running IGEL OS 12.4.1 or newer, the client certificates are renewed automatically. On devices running IGEL OS 12.4.0 or older, the client certificates are not renewed in some cases, which makes the devices unmanageable. To mitigate the issue, you can enable a custom TrustManager for the ICG that temporarily accepts expired client certificates. This way, the devices can be updated without manual intervention.

For details on how to use the custom TrustManager in the UMS, see Troubleshooting: IGEL OS 12 Devices Failing to Connect to UMS Due to Expired Client Certificates.


Requirements

  • ICG version 12.09.100 or higher

Using the Custom TrustManager

Starting from ICG 12.09.100, a custom TrustManager is integrated in the UMS that can be enabled to accept expired client certificates. The TrustManager can be managed through the /opt/IGEL/icg/usg/conf/application-prod.yml file:

  • Enable: add the client-certificate: line and nest the allow-expired-certificates: true line under it:

    igel:
      client-cert-forwarding:
        enabled: false
        client-cert-forwarded-header: X-SSL-CERT
      client-certificate:
        allow-expired-certificates: true
  • Disable: set allow-expired-certificates to false.

When the custom TrustManager is enabled, a warning is shown in the UMS Web App system info box to highlight the potential security and compliance risk. The warning is shown 5 minutes after the ICG is reconnected to the UMS. You can get further information if you click the warning icon.

The warning is only shown to administrators with write access to the UMS Console > UMS Administration > UMS Network node.


Step-by-Step Instructions to Renew Expired Client Certificates

  1. Open the file /opt/IGEL/icg/usg/conf/application-prod.yml

  2. Add the client-certificate: line and nest the allow-expired-certificates: true line under it:

    igel:
      client-cert-forwarding:
        enabled: false
        client-cert-forwarded-header: X-SSL-CERT
      client-certificate:
        allow-expired-certificates: true

  3. Restart the ICG.

  4. Disconnect the IGEL OS devices with expired certificates and reconnect them to the ICG.
    The devices should now be connected.

  5. Go to the UMS Console or UMS Web App and check if the IGEL OS 12 devices are connected to the ICG now.

  6. Go to the UMS Web App and update the IGEL OS 12 Base System version on the devices to the latest available version.
    The devices will get their client certificates renewed by the update.

  7. Set allow-expired-certificates to false:

    igel:
      client-cert-forwarding:
        enabled: false
        client-cert-forwarded-header: X-SSL-CERT
      client-certificate:
        allow-expired-certificates: false

    This disables the custom TrustManager, and devices with expired client certificates can no longer connect to the ICG.

  8. Restart the ICG.

  9. Go to the UMS Console or UMS Web App and check if the updated IGEL OS 12 devices are connected now.
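
To confirm that the setting was reverted after the procedure, the following added example (not IGEL-provided tooling) reads the nested key from a configuration file and reports its state. The function name icg_expired_cert_state is hypothetical, and the example assumes that an absent or differently nested key means the custom TrustManager is not enabled, since the page describes enabling it by adding the lines at this exact path.

```shell
#!/bin/sh
# Added example: report the state of igel > client-certificate >
# allow-expired-certificates in an ICG application-prod.yml.
# Prints "enabled", "disabled" or "unset" (key absent at that path;
# treating "unset" as not enabled is an assumption of this example).
icg_expired_cert_state() {
    # $1: path to the file, on the ICG /opt/IGEL/icg/usg/conf/application-prod.yml
    awk '
        { sub(/[ \t]+#.*$/, "") }        # drop trailing comments
        /^[ \t]*(#|$)/ { next }          # skip blank and comment-only lines
        {
            indent = match($0, /[^ ]/) - 1
            line = substr($0, indent + 1)
            sep = index(line, ":")
            if (sep == 0) next
            key = substr(line, 1, sep - 1)
            val = substr(line, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Leave every nesting level that is not shallower than this line.
            while (depth > 0 && ind[depth] >= indent) depth--
            depth++; ind[depth] = indent; name[depth] = key
            # Only the exact path given on this page counts.
            if (depth == 3 && name[1] == "igel" &&
                name[2] == "client-certificate" &&
                key == "allow-expired-certificates")
                state = (tolower(val) == "true") ? "enabled" : "disabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Constructed sample mirroring step 2 of the procedure (not a real ICG file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
igel:
  client-cert-forwarding:
    enabled: false
    client-cert-forwarded-header: X-SSL-CERT
  client-certificate:
    allow-expired-certificates: true   # temporary, revert after OS update
EOF
state=$(icg_expired_cert_state "$sample")
rm -f "$sample"
echo "allow-expired-certificates: $state"
[ "$state" != "enabled" ] || echo "WARNING: expired client certificates are accepted" >&2
```

Run against the real file after step 8, the function should print disabled; a result of enabled means the ICG still accepts expired client certificates.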
