Symptom

After an update to IGEL OS 11.04 or higher, the device fails to connect to the UMS via ICG. The log journal shows a message similar to this:

igelrm_agent[9824]: [2020/11/11 17:56:16:0140] ERR: SSL error: invalid CA certificate (preverify_ok=0;err=24;depth=1)

Environment

  • UMS 5.07 or higher
  • ICG with older root certificates that have been created with UMS 5.07 or UMS 5.08
  • Devices that have just been updated to IGEL OS 11.04 or higher

Problem/Possible Cause

CA root certificates for ICG that have been created with UMS 5.07 or UMS 5.08 are not accepted by IGEL OS 11.04. This is because version 1.1 of the OpenSSL library does not accept certificates as CA certificates if they do not have the CA flag (i.e. X509v3 BasicConstraint extension "is_ca" is set to "false"). As a consequence, IGEL OS 11.04 or higher refuses to use such a certificate.

Diagnosis

  1. Open the UMS Console, go to UMS Administration > Global Configuration > Cloud Gateway Configuration (UMS 5.07 to UMS 6.05) or UMS Administration > Global Configuration > Certificate Management > Cloud Gateway (UMS 6.06 or higher) and select your ICG root certificate. 
  2. Click  to review the content of the certificate. 
  3. If Certificate Authority: is false, find further instructions under Solution.

Solution

  1. ReInstall the ICG using an appropriate root certificate. For details, see the following articles:
  2. Register the devices again. For details, see Connecting the Devices.