A Windows Client is not updating after trying to deploy a new Client using the Auto-Update feature. In the log.log file of the Client, the following errors appear:
[2021-06-03T13:10:41.564Z] Info : Certificate verification failed. Checking certificate chain for errors.
[2021-06-03T13:10:41.565Z] Info : Chain error: NotTimeValid A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
[2021-06-03T13:10:41.565Z] Warn : Installer was downloaded but not verified
Details
The AppGate Engineering team have identified an issue that disables a customer's ability to use the Auto-Update feature in the AppGate SDP Client on Windows machines. This issue is due to an expired certificate causing the auto-update feature of the AppGate SDP Windows Client to no longer apply updates after Wednesday, June 2, 6:00 am EDT (2pm GDT).
Note that this issue will not impact a customer's user access through the client or system operations in any way outside of the auto-update feature.
Products Affected
AppGate SDP Client for Windows configured to update using the Auto-Update feature. AppGate SDP Clients on operating systems other than Windows are not impacted. This issue does not affect Clients running SDP Version 5.5.x and later.
Suggested Action
The AppGate Engineering Team has released a new Windows Client for our supported AppGate SDP versions which allows customers to seamlessly continue to use the Auto-Update features. Administrators need to deploy these (or more recent) releases to their clients using standard software deployment techniques. Once a Client is updated to one of these fixed releases or later, Administrators can resume using the Auto-Update feature for future versions of the Client. Please refer to our Admin Guide for more details on how to configure the Auto-Update Client, including the triggers for a client to initiate the update, as well as how to monitor the adoption of the new client Auto Update
AppGate SDP Client downloads with Auto-Update feature fixes available:
Additional Notes Regarding the Upgrade Process
Customers should only update their Clients within the same minor release branch currently deployed, or within one minor version higher. Upgrading by more than one minor version may cause the upgrade to fail and roll back to the existing Client version.
Although AppGate is unable to recommend which software deployment techniques to use, some common techniques include performing manual updates, Configuration Manager, GPO, PsExec , jamf , etc…
In some cases, the upgrade of the v5.4 Client user interface executable does not upgrade successfully even though all other components of the Client are successfully upgraded. This issue only impacts the version number being displayed in the "About" section of the Client, as no other user interface functionality was changed with this release of the Client. This issue occurs if the user interface is locked by another process at the time of the upgrade and is specific to v5.4 of the product. To validate whether a Client was successfully updated to v5.4.1, perform a query on your Security Information & Event Management (SIEM) utility for the following log event type:
event_type:"authorization_succeeded"
and log fields with the following field returning the client version:
device_claims.clientVersion.