Troubleshooting
Problem
Administrators who try to restart an application by using the qappmanager utility can receive the following error:
"An error occurred while checking if image [qapp/xxxxxxxxxxxxxxxx] exists in the registry.
Task state found to be [EXCEPTION]."
Symptom
When users open applications in the user interface, they can see errors such as "404 page not found" or "Bad Gateway", or the application tab is missing from the interface.
The following screen capture shows the Log Source Management app not opening and requesting to be downloaded even though the application is already installed on the system.
Cause
The application framework certificates are expired and need to be replaced.
Diagnosing The Problem
Use the following steps to reproduce the issue:
- SSH to the QRadar Console as a root user.
- Run the following command to open the qappmanager utility to start the application:
/opt/qradar/support/qappmanager
- Select option 23 to change the application status to RUNNING.
- Note the ID of the app that you want to start, then enter that number.
For example, in the following capture, the ID is 1154:
After the app ID is entered, the error is seen.
- Enter 0 to exit the qappmanager utility.
Result
The administrator is unable to start the app and instead receives the "An error occurred while checking if image exists in the registry" error.
Run the following command to check the application framework certificates. The output displays "certificate has expired" alerts:
for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
Output example:
[root@xxxxxx ~]# for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt: OK
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt: OK
/etc/httpd/conf/certs/cert.cert
/etc/httpd/conf/certs/cert.cert: OK
/etc/si-postfix/tls/si-postfix.cert
/etc/si-postfix/tls/si-postfix.cert: OK
/etc/ziptie-server/tls/certs/ziptie-server.cert
/etc/conman/tls/conman_ca.crt
/etc/conman/tls/conman_ca.crt: OK
/etc/conman/tls/conman.cert
/etc/conman/tls/conman.cert: OK
/etc/tomcat/tls/conman/tomcat-client-conman.cert
/etc/tomcat/tls/conman/tomcat-client-conman.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/docker-distribution/tls/docker-distribution_ca.crt
/etc/docker-distribution/tls/docker-distribution_ca.crt: OK
/etc/docker-distribution/tls/docker-distribution.cert
/etc/docker-distribution/tls/docker-distribution.cert: OK
/etc/docker/tls/registry/docker-client-registry.cert
/etc/docker/tls/registry/docker-client-registry.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt: OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/docker/tls/si-docker_ca.crt
/etc/docker/tls/si-docker_ca.crt: OK
/etc/docker/tls/si-docker.cert
/etc/docker/tls/si-docker.cert: OK
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/traefik/tls/traefik_ca.crt
/etc/traefik/tls/traefik_ca.crt: OK
/etc/traefik/tls/traefik.cert
/etc/traefik/tls/traefik.cert: OK
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
You have new mail in /var/spool/mail/root
Result
The administrator can confirm if the certs are OK, or if they return the "certificate has expired" error.
Resolving The Problem
To resolve this problem, administrators must manually regenerate the expired certificates. Use the following steps:
- SSH to QRadar as a root user.
- Run the following command to find the certificate name. Replace <cert_name> with the certificate name:
/opt/qradar/ca/bin/si-qradarca list -print | grep "<cert_name>"
For example:
/opt/qradar/ca/bin/si-qradarca list -print | grep "tomcat-client-traefik.cert"
Note the ID, which is the first number in the output. In this example, the ID is 18:
18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13
- Run the following command to reset the tomcat-client-traefik certificate. Replace <ID> with the ID, which in this example is 18:
/opt/qradar/ca/bin/reset-qradar-ca.sh <ID> --reset
/opt/qradar/ca/bin/reset-qradar-ca.sh 18 --reset
Notes:
• Follow these steps for each expired certificate.
• The command does not have any output. This behavior is expected and it means that the command worked well.
- After the command finishes, run the following command to verify that all certificates are OK. No "certificate has expired" messages should be seen:
for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
[root@xxxxxxx ~]# for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt: OK
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt: OK
/etc/httpd/conf/certs/cert.cert
/etc/httpd/conf/certs/cert.cert: OK
/etc/si-postfix/tls/si-postfix.cert
/etc/si-postfix/tls/si-postfix.cert: OK
/etc/ziptie-server/tls/certs/ziptie-server.cert
/etc/conman/tls/conman_ca.crt
/etc/conman/tls/conman_ca.crt: OK
/etc/conman/tls/conman.cert
/etc/conman/tls/conman.cert: OK
/etc/tomcat/tls/conman/tomcat-client-conman.cert
/etc/tomcat/tls/conman/tomcat-client-conman.cert: OK
/etc/docker-distribution/tls/docker-distribution_ca.crt
/etc/docker-distribution/tls/docker-distribution_ca.crt: OK
/etc/docker-distribution/tls/docker-distribution.cert
/etc/docker-distribution/tls/docker-distribution.cert: OK
/etc/docker/tls/registry/docker-client-registry.cert
/etc/docker/tls/registry/docker-client-registry.cert: OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt: OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt: OK
/etc/docker/tls/si-docker_ca.crt
/etc/docker/tls/si-docker_ca.crt: OK
/etc/docker/tls/si-docker.cert
/etc/docker/tls/si-docker.cert: OK
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert: OK
/etc/traefik/tls/traefik_ca.crt
/etc/traefik/tls/traefik_ca.crt: OK
/etc/traefik/tls/traefik.cert
/etc/traefik/tls/traefik.cert: OK
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: OK
- Run the following command to start the qappmanager utility again:
/opt/qradar/support/qappmanager
- Select option 23 to change the application status to RUNNING.
- Enter the app ID, which in this example is 1154. This time, the output displays the correct message:
App instance - start > Choose app instance ID: 1154
Changing app instance 1154 status to RUNNING
Result
The application is restarted successfully by using the qappmanager utility. If the application is not restarted successfully after the steps in this technote, contact QRadar Support for assistance.
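Because the reset must be repeated for each expired certificate, it helps to map every "certificate has expired" result from the verify loop back to the ID that reset-qradar-ca.sh expects. The following script is an added example, not IBM code; the function name expired_cert_ids is hypothetical, and the sample rows are constructed (only the ID 18 row comes from this technote).

```bash
#!/bin/sh
# Added example (not IBM code): map "certificate has expired" results from the
# openssl verify loop back to the IDs printed by `si-qradarca list -print`.

# Constructed sample of the list output. Only the ID 18 row appears in the
# technote; the other rows (IDs, types, JSON paths) are made up for the demo.
SAMPLE_LIST='16,server,/opt/qradar/ca/conf.d/traefik.json,/etc/traefik/tls/traefik.cert,13
17,mutual-client,/opt/qradar/ca/conf.d/traefik-client-docker.json,/etc/traefik/tls/docker/traefik-client-docker.cert,13
18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13'

# Constructed sample of the verify loop output, in the format shown above.
SAMPLE_VERIFY='/etc/traefik/tls/traefik.cert
/etc/traefik/tls/traefik.cert: OK
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK'

# expired_cert_ids LIST_TEXT VERIFY_TEXT
# Prints "ID path" once per expired certificate ("?" if the path has no ID).
expired_cert_ids() {
  printf '%s\n' "$1" '@@VERIFY@@' "$2" | awk -F ',' '
    $0 == "@@VERIFY@@" { in_verify = 1; next }       # switch from list to verify text
    !in_verify { if (NF >= 4) id[$4] = $1; next }    # list row: cert path -> ID
    /^\// { path = $0; sub(/:.*/, "", path); next }  # remember the current cert path
    /certificate has expired/ && !(path in seen) {
      seen[path] = 1
      cid = (path in id) ? id[path] : "?"
      print cid, path
    }
  '
}

# On a console, pass the real outputs (2>&1 keeps any openssl error lines
# that are written to stderr):
#   list=$(/opt/qradar/ca/bin/si-qradarca list -print)
#   verify=$(for i in $(printf '%s\n' "$list" | awk -F ',' '{print $4}'); do
#     echo "$i"; openssl verify -CAfile /etc/pki/tls/cert.pem "$i"; done 2>&1)
#   expired_cert_ids "$list" "$verify"
expired_cert_ids "$SAMPLE_LIST" "$SAMPLE_VERIFY"
```

Each ID in the first column is a candidate for the reset command shown in the steps above.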
Document Location
Worldwide
Document Information
Modified date:
11 May 2023
UID
ibm16980637