Active Contributor
Thumpabar
Posts: 6
0

Server certificate rejected: unknown

Howdy fine users of LMI!

 

My work PC "used" to be "Enabled - online" and I could connect from home...a while back, now it always shows "Enabled but Offline".  I thought it was just me and something I've loaded, but if I use a 3G dongle, it works fine.  Using the corporate network it doesn't want to work anymore.  I have read that others have similar connection issues since upgrading and their solution is to continue to use an old version.  I do not have an old version to go back to. :(

 

I have tried all the suggestions of obvious stuff, like plugging in the LAN cable, firewall and some other things.

 

The proxy test passes and my login details are correct.

 

The log states many of the following errors:

2010-08-02 15:17:31.143 - Error     - LogMeIn - WebSvc -  - Server certificate rejected: unknown
2010-08-02 15:23:59.166 - Info      - LogMeIn - WebSvc -  - Trying to acquire gateway data from DNS.
2010-08-02 15:24:00.351 - Info      - LogMeIn - WebSvc -  - Connecting to web gateway control.app02-14.logmein.com:443...
2010-08-02 15:24:00.351 - Info      - LogMeIn - Socket -  - Using proxy: proxy.company.com:9090
2010-08-02 15:24:01.085 - Info      - LogMeIn - WebSvc -  - Verifying server certificate...
2010-08-02 15:24:01.085 - Error     - LogMeIn - WebSvc -  - Server certificate rejected: unknown
2010-08-02 15:30:02.108 - Info      - LogMeIn - WebSvc -  - Connecting to web gateway control.app02-10.logmein.com:443...
2010-08-02 15:30:02.108 - Info      - LogMeIn - Socket -  - Using proxy: proxy.company.com:9090
2010-08-02 15:30:05.741 - Info      - LogMeIn - WebSvc -  - Verifying server certificate...
2010-08-02 15:30:05.741 - Info      - LogMeIn - WebSvc -  - Server certificate accepted: control.app02-10.logmein.com
2010-08-02 15:30:05.743 - Error     - LogMeIn - WebSvc -  - Failed to log in to web gateway: HTTP/1.1 400 Bad Request
2010-08-02 15:36:52.766 - Info      - LogMeIn - WebSvc -  - Connecting to web gateway control.app51.logmein.com:443...
2010-08-02 15:36:52.766 - Info      - LogMeIn - Socket -  - Using proxy: proxy.company.com.au:9090
2010-08-02 15:36:54.291 - Info      - LogMeIn - WebSvc -  - Verifying server certificate...
2010-08-02 15:36:54.291 - Error     - LogMeIn - WebSvc -  - Server certificate rejected: unknown

Anybody have any ideas??

 

Getting the corporate firewall modified to allow something/additional ports is not an option!

 

Thanks, Jeff.

 

Active Contributor
Thumpabar
Posts: 6
0

Re: Server certificate rejected: unknown

ooops...probably should say that I'm using Win7 x64, IE8, BitDefender Total Security 2010 with all Win7 & BD patches to date.

Active Contributor
Thumpabar
Posts: 6
0

Re: Server certificate rejected: unknown

Anybody? 

 

Nobody has EVER come across this issue or these certificate messages before?

Advisor
ByronDaniel
Posts: 62
0

Re: Server certificate rejected: unknown

It could be one of 3 things:

 

1. The Time and/or date is incorrect on that computer.

2. The LogMeIn software is corrupt and needs a reinstall

3. There's a firewall blocking LogMeIn (Fix described below)

 

LogMeIn addresses common security concerns as follows:

  • There is no need to open any extra ports on your corporate or personal firewall, as all communications between the technician and the customer's computer make use of the standard web protocol (HTTP).
  • An encrypted connection is established between technician and customer using established Internet protocols (256-bit SSL).
  • Support sessions are initiated by the customer: a technician cannot examine a customer's computer without being invited to do so by the customer.
  • Once the support session has ended, all access rights to access the customer's computer are removed.
  • Sessions can be recorded to provide a trail of a technician's actions.
  • Nothing is permanently installed on the customer's computer.  A small Applet is downloaded when the session starts and is removed when the session ends. The only exception to this is if the Calling Card Applet is installed onto the customer's computer.  In this case, the Applet remains on the machine, but it is the customer who initiates support sessions by launching the Calling Card.

LogMeIn Rescue and other LogMeIn products use the following IP ranges over SSL:

74.201.74.1 - 74.201.75.254
216.52.233.1 - 216.52.233.254
69.25.20.1 - 69.25.21.254
64.94.18.1 - 64.94.18.254
77.242.192.1 - 77.242.193.254

Note:
These ranges are for all LogMeIn products.  Also, they are subject to change without notice.
Byron Daniel | Customer Support Representative
LogMeIn, Inc.
www.LogMeIn.com | www.twitter.com/logmeinhelp
p. +1-800-993-1790
Active Contributor
Thumpabar
Posts: 6
0

Re: Server certificate rejected: unknown

Hi Byron,

 

Thanks for the response!

 

1. My time has and always is correct (personally, I can't see how sooo many PC times are incorrect causing issues!)

2. I have re-installed LogMeIn and it appears OK and functioning just fine using a USB 3G connection

3. I cannot see any "Fix described below" ?

 

Do I have to open these IP address in BitDefender? Currently 'lmiguardian.exe' is set to Allow All on Any Port using Any Adapter.  I have set BitDefender Firewall to off and it still doesn't connect, but using a 3G connection it works perfectly with BD Firewall on.

 

Is there an older version I can try to troubleshoot if it's something in the latest versions like others are hinting at?

Active Contributor
Thumpabar
Posts: 6
0

Re: Server certificate rejected: unknown

also 'logmein.exe' is set to Allow All on Any Port using Any Adapter.

Active Contributor
Thumpabar
Posts: 6
0

Re: Server certificate rejected: unknown

I deleted all my certificates other than the 2 issued by my company and tried creating a LogMeIn certificate using the command below...

 

To list available CA certificates:
  logmein cert -listca

To list available server certificates:
  logmein cert -listsc

To create a CA certificate only:
  logmein cert -createca [COMMONNAME] [COUNTRY]

To create a self signed server certificate:
  logmein cert -createca [COMMONNAME] [COUNTRY] -createsc [HOSTNANME] [ALTHOSTNAME ...]

 

Now I get the following errors in the logs:

 

2010-08-12 15:01:36.783 - Error     - LogMeIn - Socket - ???.??.?.??:9090/websvc - SSL cert error (/C=??/ST=??/L=??/O=??/CN=LS Root/emailAddress=??@company.com.au): unknown error 0x13: self signed certificate in certificate chain
2010-08-12 15:01:36.798 - Error     - LogMeIn - WebSvc -  - Failed to connect to web gateway: The data is invalid.  (13)

 

any ideas? Anyone?

 

Regards,

 

Jeff.

Advisor
ToddD
Posts: 67
0

Re: Server certificate rejected: unknown

Hi Thumpabar,

 

Unfortunately, it is not possible to get LogMeIn to function by writing your own certificate. To resolve this, you will want to delete the certificate you wrote, uninstall LogMeIn, and reboot the computer. After rebooting, you can reinstall LogMeIn by signing into your account at https://secure.logmein.com and clicking the 'Add Computer' button. These steps at a minimum should return you to the point of being able to use the 3G connection properly.

 

As for your original issue, according to the log you provided, it appears as though your corporate network is blocking LogMeIn. I noticed you said that getting changes made to the corporate network is not an option. Unfortunately, that would be the only solution if you would like to connect via the corporate network.

 

If you get in contact with your IT department and inform them of the situation and they need information as to what IP ranges to allow in the firewall so that LogMeIn will be accessible, please provide them the following:

 

74.201.74.1 - 74.201.75.254

216.52.233.1 - 216.52.233.254

69.25.20.1 - 69.25.21.254

64.94.18.1 - 64.94.18.254

77.242.192.1 - 77.242.193.254

212.118.234.0 – 212.118.234.254

 

These are the IP ranges for all LogMeIn services and products.

 

I apologize for the confusion in previous responses.

 

Regards,

 

Todd Dyer

Team Lead, Customer Support

LogMeIn, Inc.
New Contributor
Sandymount
Posts: 1
0

Re: Server certificate rejected: unknown

Owing to the increased use of SSL/TLS and HTTPS (which all require certificates) in order to keep Internet communications private, corporate proxy servers are not able to inspect the traffic, which allows users to effectively bypass the proxy filtering and security. To get around this, the proxy 'breaks' the secure connection in the middle, allowing it to decrypt traffic and inspect it.

It does this by opening its own private connection to LogMeIn.com using LogMeIn's certificate and then creating a second connection to the client PC using a corporate certificate dynamically generated and purporting to be LogMeIn.com's certificate (when it isn't).

The LogMeIn client is expecting the LogMeIn.com website to display a LogMeIn certificate - instead it's being presented with a corporate certificate claiming to be LogMeIn.com and balks with an error - "that certificate is not acceptable - it's not the real LogMeIn certificate".

Corporates can't allow direct secure communications that are incapable of being inspected and LogMeIn wouldn't undermine their security by allowing this kind of filtering. Unless one of them relents, there's no LogMeIn behind an HTTPS Inspection enabled proxy firewall.
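
The log excerpts quoted earlier in this thread can be triaged mechanically to see which gateway attempts went through the proxy, how certificate verification ended, and which certificate subject failed chain validation. The following is an added example, not code from any poster or from LogMeIn; the function names and the `expected_suffix` default are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
2010-08-02 15:24:00.351 - Info      - LogMeIn - WebSvc -  - Connecting to web gateway control.app02-14.logmein.com:443...
2010-08-02 15:24:00.351 - Info      - LogMeIn - Socket -  - Using proxy: proxy.company.com:9090
2010-08-02 15:24:01.085 - Error     - LogMeIn - WebSvc -  - Server certificate rejected: unknown
2010-08-02 15:30:02.108 - Info      - LogMeIn - WebSvc -  - Connecting to web gateway control.app02-10.logmein.com:443...
2010-08-02 15:30:02.108 - Info      - LogMeIn - Socket -  - Using proxy: proxy.company.com:9090
2010-08-02 15:30:05.741 - Info      - LogMeIn - WebSvc -  - Server certificate accepted: control.app02-10.logmein.com
2010-08-12 15:01:36.783 - Error     - LogMeIn - Socket - ???.??.?.??:9090/websvc - SSL cert error (/C=??/ST=??/L=??/O=??/CN=LS Root/emailAddress=??@company.com.au): unknown error 0x13: self signed certificate in certificate chain
"""

CONNECT = re.compile(r"Connecting to web gateway (\S+):(\d+)\.\.\.")
PROXY = re.compile(r"Using proxy: (\S+)")
VERDICT = re.compile(r"Server certificate (accepted|rejected): (\S+)")
CHAIN = re.compile(r"SSL cert error \((.*?)\): unknown error (0x[0-9a-fA-F]+): (.+)")

def triage(log_text):
    """Return (attempts, chain_errors) parsed from a LogMeIn host log."""
    attempts, chain_errors, current = [], [], None
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            current = {"gateway": m.group(1), "proxy": None, "verdict": None}
            attempts.append(current)
        elif (m := PROXY.search(line)) and current:
            current["proxy"] = m.group(1)
        elif (m := VERDICT.search(line)) and current:
            current["verdict"] = m.group(1)
            current = None  # the verdict closes this connection attempt
        elif m := CHAIN.search(line):
            # Subject is an OpenSSL one-line DN: /C=../O=../CN=.. (0x13 == 19)
            subject = dict(p.split("=", 1) for p in m.group(1).strip("/").split("/"))
            chain_errors.append({"cn": subject.get("CN"), "code": int(m.group(2), 16),
                                 "reason": m.group(3)})
    return attempts, chain_errors

def foreign_roots(chain_errors, expected_suffix="logmein.com"):
    """CNs that failed chain validation and are not under the expected domain."""
    return [e["cn"] for e in chain_errors
            if not (e["cn"] or "").lower().endswith(expected_suffix)]

if __name__ == "__main__":
    attempts, errors = triage(SAMPLE_LOG)
    for a in attempts:
        print(a)
    print("untrusted subjects:", foreign_roots(errors))
```

A certificate subject that is not under the vendor's domain and carries a company e-mail address, as with `CN=LS Root` here, is what a client sees when the chain it receives was built by the local network rather than by the remote service.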