Troubleshooting Zero Trust
Symptom: Error when executing the deployment script at the target host: Failed to authenticate with PrivX: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
The CA certificate (or chain) that is used to verify the PrivX certificate is missing from the CA trust store on the target host. Copy your enterprise signing CA certificate to the CA store. If you are using a self-signed certificate, copy the PrivX CA certificate from the PKM PrivX settings page and place it in the CA store. For example, on CentOS copy the certificate to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.
Symptom: Error: failed to register host to PrivX: HTTP 400: Host is not redeployable. Enable deployable flag via admin console and try again.
This often happens when machines are cloned and therefore share the same instance ID. Check the instance ID in the deployment script output:
Using locally available information
** Using default SSH port
** Instance ID: 5d6a9270011c4fed8708372a5fa95704
** Common name: dhcp-11-22-33-192.example.com
Search for the instance ID in the PrivX host list. If there is a match with a different host name, generate a new machine ID by following these instructions:
cat /etc/machine-id
5d6a9270011c4fed8708372a5fa95704
rm /etc/machine-id
systemd-machine-id-setup
Initializing machine ID from random generator
cat /etc/machine-id
1cc4f5df42f64af0b95e75c92dcd6bc6
This error can also happen if you are deploying an already deployed host. If you intend to re-register the same host, you must first remove the host from PrivX. You can remove the host in the PrivX GUI on the Administration→Hosts page.
Symptom: Key Manager authorization completes successfully, but PrivX logs the error "Matching-host-key-not-found"
For some reason the PrivX deployment script has not stored the correct host key. You can fix this by opening a connection to the host from the PrivX GUI, which stores the host key, or by manually adding the host key to the host record.
It is also possible that you have deployed a non-existent user. Check whether the target user exists on the target host by running:
# getent passwd | grep username
Symptom: The Add Zero Trust authorization job logs an error with the following line: No Zero Trust - capable client products available on the host
The indicated host does not have OpenSSH version 6.9 or greater, which Zero Trust requires. Upgrade OpenSSH on the host to version 6.9 or greater.
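The checks described under the symptoms above (PrivX CA trust, duplicate instance ID, missing target user, OpenSSH version) collected into one preflight script; this is an added example, not tooling shipped with PrivX or PKM. It assumes POSIX sh with getent and openssl on the target host, and the instance IDs passed to machine_id_is_duplicate are constructed sample values standing in for the PrivX host list.

```shell
#!/bin/sh
# Added preflight checks for the symptoms above; these are not PrivX tooling.
# Assumes POSIX sh, getent and openssl; the list of known instance IDs is constructed.

MIN_SSH_MAJOR=6   # Zero Trust requires OpenSSH 6.9 or greater (see above)
MIN_SSH_MINOR=9

# Parse an "ssh -V" banner such as "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips".
# Returns 0 if the version is >= 6.9, 1 if too old, 2 if the banner is unparseable.
openssh_version_ok() {
  ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  major=${ver% *}
  minor=${ver#* }
  [ "$major" -gt "$MIN_SSH_MAJOR" ] && return 0
  [ "$major" -eq "$MIN_SSH_MAJOR" ] && [ "$minor" -ge "$MIN_SSH_MINOR" ] && return 0
  return 1
}

# Exact account lookup: "getent passwd | grep name" also matches substrings
# (bob matches bobby), so query the single entry instead.
user_exists() {
  getent passwd "$1" >/dev/null 2>&1
}

# Returns 0 if this host's machine ID is already listed as the instance ID of
# another host in PrivX (pass the IDs from the PrivX host list as arguments).
machine_id_is_duplicate() {
  id=$1; shift
  for known in "$@"; do
    [ "$id" = "$known" ] && return 0
  done
  return 1
}

# Returns 0 if the PrivX TLS certificate chains to a CA in the local trust store
# (the CERTIFICATE_VERIFY_FAILED symptom). Needs network, so it is not run offline.
privx_ca_trusted() {
  openssl s_client -connect "$1" -servername "${1%:*}" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage on a target host: sh privx-preflight.sh --run privx.example.com:443 username
if [ "${1-}" = "--run" ]; then
  openssh_version_ok "$(ssh -V 2>&1)" && echo "OpenSSH: ok" || echo "OpenSSH: older than 6.9 or missing"
  user_exists "$3" && echo "user $3: exists" || echo "user $3: not found on this host"
  privx_ca_trusted "$2" && echo "PrivX CA: trusted" || echo "PrivX CA: not in trust store"
  echo "Instance ID: $(cat /etc/machine-id)  (check the PrivX host list for duplicates)"
fi
```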
Symptom: User migration is prevented
This is caused by unsatisfied prerequisites. See the evaluation error message in the migration window to find out what needs to be fixed. Common issues include:
- The source host is missing a supported SSH version
- The source user has more than one private key
- The target user is not found in PrivX