Troubleshooting Certificate Manager

If Certificate Manager is not performing as expected, you might need to troubleshoot issues or change settings.

Collect logs

Collect troubleshooting packages

The information is saved as ZIP files that you can download with your browser.

To download logs:

  1. From the Certificate Manager Overview page, click Help.
  2. From the Troubleshooting tab, select the solutions for which to gather troubleshooting packages and click Create Packages.
    By default, all solutions are selected.
  3. When the packages are ready, click Download Packages.
    ZIP files of all the selected packages download to the local download directory.

    Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.

  4. Contact Tanium Support to determine the best option to send the ZIP files. For information, see Contact Tanium Support.

Tanium Certificate Manager maintains logging information in the Certificate Manager.log file in the \Program Files\Tanium\Tanium Module Server\services\Certificate Manager directory.

Collect action logs

Collect the action log and other tools files from the endpoint to send to Tanium Support.

  1. To collect the action log for the Deploy Certificate Audit [Windows] or Deploy Certificate Audit [Non-Windows] actions, use Tanium Client Management to directly connect to an endpoint and collect the Tanium Client Action Logs. For more information, see Tanium Client Management User Guide: Collect troubleshooting information.
  2. Collect the following file and folder from the <Tanium Client>\Tools\CertificateManager folder:
    • sslaudit.db
    • sensor_data
  3. Contact Tanium Support to determine the best option to send the files. For more information, see Contact Tanium Support.

Cannot view all chart panels in the dashboard

Issue

If users cannot view all chart panels in the Certificate Manager dashboard in Tanium Reporting, the users might not have sufficient permissions.

Solution

In addition to the Certificate Manager roles, users must also have sufficient management rights, such as All Computers.

For more information about Certificate Manager roles, see Set up Certificate Manager users.

Unexpected certificate audit results

Issue

If an endpoint shows the following error in the Protocol column, you might have to refresh a certificate audit on that endpoint: Error: Protocol and cipher suites do not exist. Run the Certificate Audit package.

Certificate audit status shows Failed for some endpoints.

Solution

  1. Verify that a certificate audit completed successfully.
  2. If the States of machines section shows any Failed statuses, click Show Client Status Details.
  3. Select one or more endpoints that show a Failed action status and click Get action log for selected machines.
  4. Review the action log to determine the cause of the failure.

Error: EC_KEY_new_by_curve_name

Issue

Older Linux endpoints with OpenSSL versions earlier than 1.0.1 cannot successfully run the Deploy Certificate Audit [Non-Windows] package. The following error is found in the action log: undefined symbol: EC_KEY_new_by_curve_name

Solution

Upgrade to OpenSSL 1.0.1 or later.

ERROR - lsof was not found

Issue

To include the owning process data for Linux endpoints, the lsof command is required. If a Linux endpoint does not have lsof installed, the following errors are found:

  • from the Certificate Manager - Coverage Status Details sensor: Missing lsof command
  • in the action log: ERROR - lsof was not found.

Solution

Use either of the following options to confirm the error and then install lsof.

  1. Check the Certificate Manager - Current Coverage Status Details report.
    1. From the Main menu, go to Modules > Certificate Manager > Overview.
    2. In the Certificate Manager Endpoint Coverage chart of the Overview section, click Needs Attention.
  2. Check the action log for the Deploy Certificate Audit [Non-Windows] action. For more information about how to view the action log, see Tanium Console User Guide: Investigate action-related issues.
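
Both Linux prerequisites described above (OpenSSL 1.0.1 or later, and lsof) can be checked on an endpoint before rerunning the audit. The following script is an added example, not Tanium tooling, and its function names are hypothetical. It assumes the openssl command reports the same version as the library the audit package loads, and that lsof is resolved through PATH.

```shell
#!/bin/sh
# Added example (not Tanium tooling): preflight for the two Linux prerequisites
# on this page. Function names are hypothetical.

# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips"; empty if not OpenSSL output.
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Exit 0 if the version token is 1.0.1 or later, 1 if earlier, 2 if unparseable.
openssl_meets_minimum() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop patch letter, "-fips"
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                  # split into major, minor, fix
    IFS=$old_ifs
    [ "$1" -gt 1 ] && return 0
    [ "$1" -lt 1 ] && return 1
    [ "$2" -gt 0 ] && return 0
    [ "$3" -ge 1 ]
}

# Exit 0 if the named tool is on PATH. Assumption: the audit action resolves
# lsof through PATH; the page does not say how it locates the binary.
tool_on_path() {
    command -v "$1" >/dev/null 2>&1
}

# Report both prerequisites; exit status 1 if either one fails.
preflight() {
    rc=0
    if tool_on_path lsof; then
        echo "OK   lsof found"
    else
        echo "FAIL lsof missing (action log: 'ERROR - lsof was not found.')"; rc=1
    fi
    tok=$(openssl_version_token "$(openssl version 2>/dev/null)")
    if openssl_meets_minimum "$tok"; then
        echo "OK   OpenSSL $tok"
    else
        echo "FAIL OpenSSL '${tok:-not detected}' (need 1.0.1 or later)"; rc=1
    fi
    return $rc
}

preflight || echo "Fix the FAIL items, then rerun Deploy Certificate Audit [Non-Windows]."
```

Patch letters and suffixes such as -fips are ignored in the comparison, so 1.0.1e-fips passes and 1.0.0t fails.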

Uninstall Certificate Manager

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the check box in the Certificate Manager section, and then click Uninstall and follow the process.
  3. Return to the Solutions page and verify that the Import button is available for Certificate Manager.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.