Certificates expire soon after update to 15.1 [KSC for Linux]

[Egor Erastov]

Problem

Afted updating KSC for version 15.1 we can see error 

Some of the trusted Kaspersky Security Center certificates expire soon. Run the installer in Modify mode..

 

Workaround

Gather WEBconsole log (you can run collect.sh and check /tmp/collect/kaspersky/KSC-web-console/logs)

• Instruction

1. Search latest log logs-KSC-web-console-server#ephemeral
2. In this log search CertValidTo"    

   {"level":"info","version":"15.1.523","tags":["OS Hostname: ksc"],"message":"[TRACE] *** Response for command CertUtils.GetCertificateAttributes with requestId \"-c0_E6dgBF\" finished with: ***","timestamp":"2024-12-09T06:47:10.350Z","component":"KSC-Web-Console-server","data":{"PxgRetVal":[{"type":"params","value":{"CertExtensions":":\n    ----cutdata---- "CertSerial":"5095780E8D87F26489813A0621A6586174545D04","CertSha1Thumbprint":"6660E54552BE0A05A811B82A213ADC02FD252378", "CertValidTo":"Jan  7 10:34:17 2025 GMT","CertValidToTime":{"type":"datetime","value":"2025-01-07T10:34:17Z"},"CertVersion":3}}]},"extendedData":[{"connection":{"uid":"DkQUL3KKvr","clientUid":"sA5n2fHrk"}}]}

3. Find all certificates that expire less than 1 month
4. Copy all certs serials 

   "CertSerial":"5095780E8D87F26489813A0621A6586174545D04"

5. Get certificates in next catalogues in webconsole catalogue   

   ls *.crt server/plugins/*.crt -l

6. Next, use the openssl x509 -in cert.crt -serial -noout command to get the serial number. Instead of cert.crt, substitute the path to the certificate obtained by the above command.

Then check what cert is expired

if expired cert is KLRootCA.crt, nsq-server.crt, server/plugins/plugin.crt, signal-server.crt, utilility.crt, web-server.crt
You need to reinstall the web console to generate new certificates

RCA

The root cause is that the console looks at all the certificates in the catalogue, some are no longer in use.