Error: Update failed. Contract entitlement check failed. Gateway can not access internet
6 SGs and 3 SMSs have the same error at this very time - does anyone else have it just now, or has something happened on the CP Cloud side?
Would appreciate a heads-up.
cheers
Accepted Solutions
To sum up
1. Indeed there was a CRL (Certificate revocation list) challenge (Certificate is naturally 3rd party certificate and therefore CRL check is also dependent on the same 3rd party) that caused failure on updates downloads
2. Indeed the response took more than desired
3. During the incident, we did identify the issue fast but it was not as easy to resolve as one would have hoped
4. We take this incident seriously and I am confident that we will avoid this single point of failure in the future.
Thank you for the feedback and collaboration
Dorit
BTW, it's also an opportunity for other IT leaders in the forum to leverage the same lesson and check if there is a critical service that is dependent on a CRL check.
I see the same with our 4 appliances
Hello @Jerry, it seems there is an issue with the update services from Check Point. Multiple customers complain about this issue and we are facing it as well.
After asking TAC I received this feedback: "currently having an issue with our cloud and this is the reason for the issue"
I hope it will be solved soon.
Best regards
Posted workaround for the problem earlier today if you are interested:
Any chance this is resolving the cloud emulation problem also ??
Probably not but has anyone tried it??
@_Val_ remind us this morning ...
Wolfgang
cheers to all ! EOT and awaiting a "fix" 😛
No worries. Happy it works for you as well 😀
All back to normal
Services are restored. It was a third-party issue, just FYI.
Third-party is involved in delivering updates? Should I be worried ? 🤔
#cpprod_util CPPROD_SetValue "CPshared//6.0//reserved//libCurl" crl_disable 1 01
am I right Hristo? 🙂
reg. 3rd Party - that's how you call it but in fact it is usually someone called "Supplier" and that isn't anything to worry about 🙂
Yes, that command will re-enable CRL checks in curl_cli. But it is 1 0 1 and not 1 01, sorry I fixed it in my post.
You may run curl_cli -v ... after that to test it.
I am personally going to leave it disabled. Don't care too much if CheckPoint certificates are revoked as long as updates are working 🙂
I was joking about the third-party... Think, even your ISP is such one. 😀
* Trying 23.217.5.127...
* Connected to updates.checkpoint.com (23.217.5.127) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5:!aECDH:!EDH
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: crl_disable from registry: 1
* servercert: CRL validation was disabled
* Server certificate:
* subject: CN=*.checkpoint.com
* start date: Jun 4 13:23:27 2020 GMT
* expire date: Sep 7 13:23:27 2022 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA DV SSL CA 2018
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
< HTTP/1.1 200 OK
< Content-Type: text/xml;charset=UTF-8
< Content-Length: 410
< Server: Apache-Coyote/1.1
< Date: Fri, 05 Jun 2020 07:12:05 GMT
< Connection: keep-alive
<
* Connection #0 to host updates.checkpoint.com left intact
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><checkpoint:BusinessFault xmlns:checkpoint="urn:downloadcenter"><checkpoint:BusinessFault><checkpoint:code>002</checkpoint:code><checkpoint:message>Request Invalid</checkpoint:message><checkpoint:details>XML Translation Failed</checkpoint:details></checkpoint:BusinessFault></checkpoint:BusinessFault></soap:Body></soap:Envelope>
There was a CRL issue with the signing CA, which is a public third party. Jerry kinda hinted at it in the comments below.
We did know that from the start. Your point is?
@_Val_ My point is that the investigation started in the morning, and the notification that it was identified and a fix implemented came in the evening.
@Jerry Here's output when it is enabled:
* servercert: crl_disable from registry: 0
* servercert: crl_download_timeout: 10
* servercert: crl_weak_validation: 1
* servercert: Calling cp_verify_certificate
* servercert: cp_verify_certificate returned: CURLE_OK
cheers guys!
I believe Dorit has addressed this point already.
Thank you for your feedback.
because it is now fixed, AFAIK.
@Jerry Look what it says:
* servercert: crl_disable from registry: 1
* servercert: CRL validation was disabled
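
Added example, not part of any post in this thread: a bash function that classifies saved `curl_cli -v` output by the `servercert:` lines quoted above, so gateways left with CRL checking disabled after the workaround can be found and reviewed. The state labels, the function name and the sample file names are assumptions made here; `crl_weak_validation` is reported as logged, without interpreting it.

```bash
#!/bin/bash
# Added example: classify saved `curl_cli -v` output by its "servercert:" lines.
# Output format (labels are assumptions): "<crl-state> <chain-state> weak=<value|->"

crl_audit() {
    awk '
        { sub(/\r$/, "") }                                   # tolerate CRLF captures
        /servercert: crl_disable from registry:/      { disable = $NF }
        /servercert: crl_weak_validation:/            { weak = $NF }   # reported, not interpreted
        /servercert: cp_verify_certificate returned:/ { verify = $NF }
        /SSL certificate verify result:.*continuing anyway/ { chain = "chain-warning" }
        END {
            if (disable == "1")                              crl = "crl-disabled"
            else if (disable == "0" && verify == "CURLE_OK") crl = "crl-checked-ok"
            else if (disable == "0")                         crl = "crl-enabled-unconfirmed"
            else                                             crl = "crl-unknown"
            print crl, (chain == "" ? "chain-no-warning" : chain), "weak=" (weak == "" ? "-" : weak)
        }
    ' "$1"
}

# Sample captures: the first two are excerpts of output posted in this thread,
# the third is constructed (check enabled, but no result line was logged).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/gw-disabled.txt" <<'EOF'
* servercert: Activated
* servercert: crl_disable from registry: 1
* servercert: CRL validation was disabled
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
EOF
cat > "$SAMPLES/gw-enabled.txt" <<'EOF'
* servercert: crl_disable from registry: 0
* servercert: crl_download_timeout: 10
* servercert: crl_weak_validation: 1
* servercert: Calling cp_verify_certificate
* servercert: cp_verify_certificate returned: CURLE_OK
EOF
cat > "$SAMPLES/gw-partial.txt" <<'EOF'
* servercert: crl_disable from registry: 0
* servercert: Calling cp_verify_certificate
EOF

for f in "$SAMPLES"/*.txt; do
    printf '%s: %s\n' "$(basename "$f")" "$(crl_audit "$f")"
done
```

A `crl-disabled` result paired with `chain-warning` is the combination worth following up, since the capture above shows the transfer proceeding with neither revocation nor issuer verification succeeding.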
