Troubleshooting
Problem
What's new in auto update V9.11
- Added an intermediate certificate named au-cert-chain.pem, replacing au-cert.pem.
- Improves installation dependencies and RPM conflict resolution when updates run.
- Reduces wait times for failed downloads.
- Other small quality of life improvements.
Symptom
- Log in to the Console as an administrator.
- In the Admin tab, click the Auto Update icon and select View Log.
- Verify the automatic update history to determine the cause of the installation error.
Cause
- Administrators on auto update version 9.9 or earlier must update to 9.11 or later using the AUProxyFP-9.11 from IBM Fix Central.
Or - Administrators on auto update version 9.10 might need to replace their au-cert file with a new version for updates to download.
Diagnosing The Problem
Administrators must verify their auto update version before they attempt to resolve their auto update issues.
- Use SSH to log in to the QRadar Console as the root user.
- To view your auto update version, type:
/opt/qradar/bin/UpdateConfs.pl -v
- The output displays the current version installed on the Console. For example,
[root@qradar-lab ~]# /opt/qradar/bin/UpdateConfs.pl -v 9.16
- Review the resolution section for your auto update version.
Resolving The Problem
Auto update 9.9 or earlier: "Could not retrieve signature for manifest errors"
Administrators on auto update version 9.9 or earlier can experience connection issues due to deprecated GPG keys. When older versions of auto update software attempt to connect to IBM Cloud, a 'Could not retrieve signature for manifest file'. To resolve this error, administrators can run the QRadar-AUProxyFP utility from IBM Fix Central.
Error log example
Fri Nov 5 10:30:06 2021 [DEVEL] Downloading "dau/dau.manifest.xml.asc" and placing in "/store/autoupdates/".
Fri Nov 5 10:30:06 2021 [DEVEL] Attempting to retrieve https://auto-update.qradar.ibmcloud.com
/dau/dau.manifest.xml.asc?version=7.4.3&customer=Example%20ExampleCorp.&lastau=0&lastpatch=0
&vendor=Q1%20Labs
Fri Nov 5 10:30:06 2021 [INFO] Could not retrieve "dau/dau.manifest.xml.asc": 404 Not Found
Fri Nov 5 10:30:06 2021 [ERROR] Could not retrieve signature for the manifest file.
Procedure
- Use SSH to log in to the QRadar Console as the root user.
- Navigate to the /var/log/autoupdates directory.
- To locate the latest auto update log, type:
ls -lart
The output displays the auto update logs by date. For example,[root@qradar-lab]# ls -lart drwxr-xr-x 2 root root 66 Nov 11 15:40 AU-1636662807 drwxr-xr-x 2 root root 66 Nov 10 15:40 AU-1631778909 drwxr-xr-x 2 root root 66 Nov 09 15:40 AU-1636490007
- Navigate to the directory with the most recent auto update log by date.
- Review the log for error messages. For example,
less AU-1636662807.log | grep 'Could not retrieve signature'
- Download the Auto Update Fix Pack utility from IBM Fix Central to your laptop or workstation: AUProxyFP-9.11.tgz.
- Copy the file to a directory of the QRadar Console, such as /root, /tmp, or /storetmp.
- Navigate to the directory with the AUProxyFP-9.11.tgz file.
- Type the following command to extract the file:
tar -zxvf AUProxyFP-9.11.tgz
gunzip -c AUProxyFP-9.11.tgz | tar zxvf -
- Type the following command to install the proxy fix pack:
./install.sh
- In the Admin tab, click the Auto Update icon and click Get New Updates.
- Optional. After you start the auto update request, you can confirm your auto update version is updated.
[root@qradar-lab]# /opt/qradar/bin/UpdateConfs.pl -v 9.10
Wait for the auto update to run and confirm the update is successful. If you continue to experience errors, contact QRadar Support.
Auto update 9.10 and later: "Bad signature, Rejecting the manifest errors"
Administrators on auto update version 9.10 or later can experience an issue where the au-cert.pem file is an old version, which can cause the IBM Cloud server to return a 'Bad signature' error. If you experience this error, you can delete the au-cert.pem file from your Console and run a manual auto update.
Error log example
Mon Nov 8 03:08:11 2021 [DEVEL] Running: openssl x509 -in /tmp/au_cert -pubkey -noout > /tmp/au_pub
Mon Nov 8 03:08:11 2021 [DEVEL] openssl dgst -sha256 -verify /tmp/au_pub -signature /store/autoupdates/scripts
/AUScripts.tgz.sig /store/autoupdates/scripts/AUScripts.tgz /var/log/autoupdates/AU-1636358882/AU-1636358882.log
>> /var/log/autoupdates/AU-1636358882/AU-1636358882.log 2>&1
Mon Nov 8 03:08:11 2021 [DEVEL] Output of verification command above: Verification Failure
Mon Nov 8 03:08:11 2021 [ERROR] Bad signature! Rejecting the manifest, aborting
Mon Nov 8 03:08:11 2021 [ERROR] Could not verify the authenticity of scripts/AUScripts.tgz.
Procedure
- Use SSH to log in to the QRadar Console as the root user.
- Navigate to the /store/autoupdates directory.
- Remove the file au-cert.pem file. For example,
rm au-cert.pm
- Run an auto update to receive an updated au-cert-chain.pem file.
- In the Admin tab, click the Auto Update icon and click Get New Updates.
Or - To start an auto update from the command line, type:
/opt/qradar/bin/UpdateConfs.pl -ds runnow 1
- In the Admin tab, click the Auto Update icon and click Get New Updates.
When the Console connects to the auto update server, it replaces the removed au-cert file with a new file named au-cert-chain. Wait for the auto update to run. If the auto update fails, administrators can run the AUProxyFP-9.11 utility. For information on running AUProxyFP-9.11, see Auto update 9.9 or earlier: "Could not retrieve signature for manifest errors" in this technical note. If you continue to experience errors, contact QRadar Support.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
03 May 2024
UID
ibm16515880