IBM Support

QRadar: "An error occurred while checking if image exists in the registry" error due to app framework certificates expiration

Troubleshooting


Problem

Administrators who try to restart an application by using the qappmanager utility can receive the following error: 
"An error occurred while checking if image [qapp/xxxxxxxxxxxxxxxx] exists in the registry. 
Task state found to be [EXCEPTION]."

Symptom

When users open the applications in the user interface, they can see errors such as "404 page not found" or "Bad Gateway", or the application tab is missing from the interface.
The following screen capture shows the Log Source Management app not opening and requesting to be downloaded even though the application is already installed on the system.
  [Screen capture]

Cause

The application framework certificates are expired and need to be replaced.

Diagnosing The Problem

Use the following steps to reproduce the issue:

  1. SSH to the QRadar Console as a root user.
  2. Run the following command to open the qappmanager utility to start the application:
    /opt/qradar/support/qappmanager
  3. Select option 23 to change the application status to RUNNING.
  4. Note the ID of the app that you want to start, then enter that number.
    For example, in the following capture, the ID is 1154:
    [Screen capture]
    After the app ID is entered, the error is displayed:
    [Screen capture]
  5. Enter 0 to exit the qappmanager utility.
    Result
    The administrator is unable to start the app and instead receives the "An error occurred while checking if image exists in the registry" error.

Run the following command to check the application framework certificates. The output displays "certificate has expired" alerts:

for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
Output example:
[root@xxxxxx ~]# for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt: OK
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt
/etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt: OK
/etc/httpd/conf/certs/cert.cert
/etc/httpd/conf/certs/cert.cert: OK
/etc/si-postfix/tls/si-postfix.cert
/etc/si-postfix/tls/si-postfix.cert: OK
/etc/ziptie-server/tls/certs/ziptie-server.cert
/etc/conman/tls/conman_ca.crt
/etc/conman/tls/conman_ca.crt: OK
/etc/conman/tls/conman.cert
/etc/conman/tls/conman.cert: OK
/etc/tomcat/tls/conman/tomcat-client-conman.cert
/etc/tomcat/tls/conman/tomcat-client-conman.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/docker-distribution/tls/docker-distribution_ca.crt
/etc/docker-distribution/tls/docker-distribution_ca.crt: OK
/etc/docker-distribution/tls/docker-distribution.cert
/etc/docker-distribution/tls/docker-distribution.cert: OK
/etc/docker/tls/registry/docker-client-registry.cert
/etc/docker/tls/registry/docker-client-registry.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt: OK
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
/opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/docker/tls/si-docker_ca.crt
/etc/docker/tls/si-docker_ca.crt: OK
/etc/docker/tls/si-docker.cert
/etc/docker/tls/si-docker.cert: OK
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/traefik/tls/traefik_ca.crt
/etc/traefik/tls/traefik_ca.crt: OK
/etc/traefik/tls/traefik.cert
/etc/traefik/tls/traefik.cert: OK
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
You have new mail in /var/spool/mail/root

Result
The administrator can confirm whether each certificate is OK or returns the "certificate has expired" error.

Resolving The Problem

To resolve this problem, administrators must manually regenerate the expired certificates. Use the following steps:
  1. SSH to QRadar as a root user.
  2. Run the following command to find the certificate name. Replace <cert_name> with the certificate name:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "<cert_name>"
    For this example, one of the expired certificates is tomcat-client-traefik.cert. The command is:
    /opt/qradar/ca/bin/si-qradarca list -print | grep "tomcat-client-traefik.cert"
    Output example. Note the ID, which is the first number in the output; in this example, it is 18:
    ---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13
  3. Run the following command to reset the tomcat-client-traefik certificate. Replace <ID> with the ID, which is 18 in this example.
    Notes:
    • Follow these steps for each expired certificate.
    • The command does not have any output. This behavior is expected and it means that the command worked well.
    /opt/qradar/ca/bin/reset-qradar-ca.sh <ID> --reset
    Command example:
    /opt/qradar/ca/bin/reset-qradar-ca.sh 18 --reset
  4. After the command finishes, run the following command to verify that all certificates are OK. No "certificate has expired" messages are displayed:
    for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
    Output Example:
    [root@xxxxxxx ~]# for i in `/opt/qradar/ca/bin/si-qradarca list -print | awk -F ',' '{print $4}'`; do echo $i ; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
    /etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt
    /etc/pki/ca-trust/source/anchors/root-qradar-ca_ca.crt: OK
    /etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt
    /etc/pki/ca-trust/source/anchors/intermediate-qradar-ca_ca.crt: OK
    /etc/httpd/conf/certs/cert.cert
    /etc/httpd/conf/certs/cert.cert: OK
    /etc/si-postfix/tls/si-postfix.cert
    /etc/si-postfix/tls/si-postfix.cert: OK
    /etc/ziptie-server/tls/certs/ziptie-server.cert
    /etc/conman/tls/conman_ca.crt
    /etc/conman/tls/conman_ca.crt: OK
    /etc/conman/tls/conman.cert
    /etc/conman/tls/conman.cert: OK
    /etc/tomcat/tls/conman/tomcat-client-conman.cert
    /etc/tomcat/tls/conman/tomcat-client-conman.cert: OK
    /etc/docker-distribution/tls/docker-distribution_ca.crt
    /etc/docker-distribution/tls/docker-distribution_ca.crt: OK
    /etc/docker-distribution/tls/docker-distribution.cert
    /etc/docker-distribution/tls/docker-distribution.cert: OK
    /etc/docker/tls/registry/docker-client-registry.cert
    /etc/docker/tls/registry/docker-client-registry.cert: OK
    /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt
    /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt: OK
    /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt
    /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt: OK
    /etc/docker/tls/si-docker_ca.crt
    /etc/docker/tls/si-docker_ca.crt: OK
    /etc/docker/tls/si-docker.cert
    /etc/docker/tls/si-docker.cert: OK
    /etc/traefik/tls/docker/traefik-client-docker.cert
    /etc/traefik/tls/docker/traefik-client-docker.cert: OK
    /etc/traefik/tls/traefik_ca.crt
    /etc/traefik/tls/traefik_ca.crt: OK
    /etc/traefik/tls/traefik.cert
    /etc/traefik/tls/traefik.cert: OK
    /etc/tomcat/tls/traefik/tomcat-client-traefik.cert
    /etc/tomcat/tls/traefik/tomcat-client-traefik.cert: OK
    
  5. Run the following command to start the qappmanager utility again:
    /opt/qradar/support/qappmanager
    
  6. Select option 23 to change the application status to RUNNING.
  7. Enter the app ID, which is 1154 in this example. This time, the output displays the correct message:
    App instance - start > Choose app instance ID: 1154
    
    Changing app instance 1154 status to RUNNING
    Result
    The application is restarted successfully by using the qappmanager utility. If the application is not restarted successfully after completing the steps in this technote, contact QRadar Support for assistance.
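
The diagnosis and reset steps above can be tied together by parsing the two command outputs. The following added example (not IBM code) maps each "certificate has expired" finding back to its si-qradarca ID and prints the matching reset command without running it. The sample data is constructed, and the list format is assumed to match the single line shown in step 2.

```shell
#!/bin/sh
# Added example (not IBM code): list the si-qradarca IDs of expired certificates
# and print, without running, the reset command for each.

# Constructed sample of `si-qradarca list -print` output. Only the ID 18 line is
# from the technote; the other IDs, types and conf.d paths are made up.
SAMPLE_LIST='12,mutual-client,/opt/qradar/ca/conf.d/docker-client-registry.json,/etc/docker/tls/registry/docker-client-registry.cert,13
15,server,/opt/qradar/ca/conf.d/traefik.json,/etc/traefik/tls/traefik.cert,13
---- 18,mutual-client,/opt/qradar/ca/conf.d/tomcat-client-traefik.json,/etc/tomcat/tls/traefik/tomcat-client-traefik.cert,13'

# Constructed excerpt of the verify loop output, in the format shown above.
SAMPLE_VERIFY='/etc/docker/tls/registry/docker-client-registry.cert
/etc/docker/tls/registry/docker-client-registry.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK
/etc/traefik/tls/traefik.cert
/etc/traefik/tls/traefik.cert: OK
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert
/etc/tomcat/tls/traefik/tomcat-client-traefik.cert: CN = xxxxxxxxx
error 10 at 0 depth lookup:certificate has expired
OK'

# expired_cert_ids LIST_OUTPUT VERIFY_OUTPUT -> one "ID<TAB>path" line per expired cert
expired_cert_ids() {
  { printf '%s\n' "$2"; echo '@@LIST@@'; printf '%s\n' "$1"; } | awk -F',' '
    $0 == "@@LIST@@" { in_list = 1; next }
    !in_list {
      # Remember the most recent certificate path; openssl prints the
      # expiry error on the line after "<path>: CN = ...".
      if ($0 ~ /^\//) { path = $0; sub(/: .*$/, "", path) }
      else if ($0 ~ /certificate has expired/ && path != "") expired[path] = 1
      next
    }
    # List lines: field 4 is the cert path, field 1 holds the ID.
    ($4 in expired) { id = $1; gsub(/[^0-9]/, "", id); print id "\t" $4 }'
}

# reset_commands LIST_OUTPUT VERIFY_OUTPUT -> the reset command for each expired cert
reset_commands() {
  expired_cert_ids "$1" "$2" | while IFS="$(printf '\t')" read -r id path; do
    echo "/opt/qradar/ca/bin/reset-qradar-ca.sh $id --reset   # $path"
  done
}

# Dry run against the constructed samples: prints commands, executes nothing.
reset_commands "$SAMPLE_LIST" "$SAMPLE_VERIFY"
```

On a console, pass the live outputs instead: the first argument is the output of `si-qradarca list -print` and the second is the output of the verify loop.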

Document Location

Worldwide


Document Information

Modified date:
11 May 2023

UID

ibm16980637