4 Replies Latest reply on Nov 3, 2015 5:10 AM by tliedtke

    Get Gateway Certificate in OS Deployment


      Hello LANDesk Community and administrators,


      you already pointed me in the right direction a few times so I hope you can help me one more time.

      Our devices should be deployed ready to go, this includes the gateway (CSA) certificate.


      A scheduled package or manual execution of BrokerConfig.exe -r works flawlessly.

      Even if you just open a command line and enter brokerconfig.exe -r it works.

      Just the os deployment action seems to fail in every case.

      You can find detailed information below.


      Is there another simple method to supply a machine with the gateway certificate in os deployment?



      Client and Core certificates are present and the names of the .0 files are identical.

      Rebuilding all agents did not solve the problem.



      Provisioning agent creates proxy.state in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker

      1 - Execute File creates broker.key and broker.csr in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker

      Broker.key and broker.csr are removed again after failing to get the certificate.


      Best Regards,

      Timo Liedtke


      PS: Hopefully that is the last problem I will discover after upgrading to 9.6 SP 2.





      ===== Detailed Information =====


      1 - Execute File in System Configuration
      After installing the provisioning agent and reboot.

      Target: %%programfiles(x86)%%\landesk\ldclient\brokerconfig.exe

      Parameter: -r

      Working directory: %%programfiles(x86)%%\landesk\ldclient


      2 - Distribute Software in System Configuration
      After installing the final agent and 120s wait, batchfile.

      @echo off

      "%programfiles(x86)%\landesk\ldclient\brokerconfig.exe" -r

      exit /B %ERRORLEVEL%


      3 - Distribute Software in System Configuration
      As last action after rebooting the device, batchfile.

      @echo off

      "%programfiles(x86)%\landesk\ldclient\brokerconfig.exe" -r

      exit /B %ERRORLEVEL%


      12:32:17 BrokerConfig Started with 1st param:  no params

      13:23:03 BrokerConfig Started with 1st param:  -r

      13:23:03 PostCertificate() posting cert to host LANDESK04.bruchweg.local, proxy

      13:23:03 PostCertificate() StartSession returned 0

      13:23:03 PostCertificate() request returned 0

      13:23:03 PostCertificate() Write returned 0

      13:23:03 PostCertificate() Response returned 0, status of 202

      13:28:03 GetCertificate() File did not appear after 300 seconds

      13:41:00 BrokerConfig Started with 1st param:  no params

      12:32:17 BrokerConfig Started with 1st param:  no params


      13:28:04 Bat file output :

      C:\Program Files (x86)\LANDesk\LDClient\sdmcache\deploy\DSL\LDMS Gateway>call "get CSA Certificate.bat"

      13:28:04 Installation result 8DB5002D

      13:28:04 RunPackageInstall: stop on returncode=8db5002d of package=Get CSA Certificate

      13:28:04 processing of package is complete, result -1917517779 (0x8db5002d - code 45)


      12:07:02 Bat file output :

      12:07:02 Installation result 8DB50142

      12:07:02 RunPackageInstall: stop on returncode=8db50142 of package=Get CSA Certificate

      12:07:02 processing of package is complete, result -1917517502 (0x8db50142 - code 322)


      Error code 45 seems not to be present in Windows (see System Error Codes (0-499) (Windows) ) or in LANDesk error codes list.

      8DB5002D seems not to be known either and surprisingly even the all-knowing Google failed me this time.

      Maybe somebody here knows about this error code?


      Error code 322 is misleading I guess since it states ERROR_DEVICE_NO_RESOURCES (The target device has insufficient resources to complete the operation).

      Only thing I can think of is that LANDesk is busy with the deployment and can not take the certificate request at this time.

      However I doubt that directly as first action after a reboot.


      Please find the log files attached.

      Note that server and network names are changed.

        • 1. Re: Get Gateway Certificate in OS Deployment
          nick.evans SupportEmployee

          Hi Tliedtke,

          I want to make sure I understand your question correctly. Are you trying to image a machine, and it is failing one of the tasks, that you are attributing to a missing certificate? You mentioned the *.0 files which are the certificate files the Clients use for agent communication. Are you trying to copy these into a location separate from an agent install?

          If your agent is configured to include your CSA information, including an agent install action in your provisioning template should install the agent and copy the certificate into place.

          If I'm off base, can you provide more details about what you are trying to accomplish, how you are going about doing it, and what it is doing (vs what you expect it to do)?

          • 2. Re: Get Gateway Certificate in OS Deployment

            Our goal is that the machine will have a registered CSA certificate after the process.


            Regarding your Questions:

            Yes, the problem lies within the imaging / os provisioning.

            I am not entirely sure that the certificate is actually missing but at least the brokerconfig.exe does not find any certificate on the client.

            I do not copy the .0 file to a different location, they are included in the agent configuration and paths are not changed or modified.

            The provisioning agent has no CSA communication enabled, it contacts the core via IP (previously FQDN but that made no difference).

            The final agent has CSA communication enabled + "dynamically determine connection route".



            I will outline the problem a little further:

            As previously said we want the machines to be "ready to go", so everything basic included when the os deployment is finished.

            That includes a working certificate to communicate with the LANDesk Gateway appliance, also known as Cloud Service Appliance (CSA).


            In system configuration step we have the following actions:

            - Delete unattend.xml

            - Configure agent provisioning

            - Execute file gateway cert

            - Reboot

            - Installation of Dell Command Update

            - Installation of drivers

            - Reboot

            - Configure agent standard

            - Wait of 120s

            - vulscan.exe for patch installation

            - Reboot


            As you can see we have a provisioning agent with limited functionality for the deployment process and later the full agent including all configurations.

            Please note that only variant 1 from the first post is described here, variant 2 and 3 will have their respective actions after wait of 120s / the last reboot.


            The problem lies within the action "Execute file gateway cert":



            Result from provisioning history:

            Execution status: Success

            Internal status: 0

            External status: -2146435027


            If you start brokerconfig.exe on the client it states that the certificate is not installed.

            So this step in all its variants as described in the first post seems not to be working.


            Interestingly enough, just executing the command line brokerconfig.exe -r manually works without any problem.

            Even when being within provisioning as local administrator.


            However I can not see any difference to the screenshot provided above.

            From my view of things either both should work or none of them.

            Is there any difference?


            Maybe something in the process changed by updating from 9.6 to 9.6 sp2?

            • 3. Re: Get Gateway Certificate in OS Deployment

              A little update:


              When executing the "Execute file gateway cert" from above not all files are created in C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker.


              Proxy.state.xml already exists because of the provisioning agent.

              Broker.key and broker.csr are created but are removed after the certificate can not be obtained.

              Broker.crt is missing.


              Broker.conf.xml is added later by the final agent (provisioning agent does not include csa information at this point).

              However this file seems to be empty at first and is filled short time later.


              The same action "Execute file gateway cert" will fail as well when being executed after the final agent and broker.conf.xml is present.


              However now it gets interesting:

              When I include the action "Execute file gateway cert" two times - one after the provisioning agent and a second time after the final agent - I get a working broker.crt...

              Just including one of the actions, may it be after the provisioning or after the final agent fails in every attempt so far.

              • 4. Re: Get Gateway Certificate in OS Deployment

                Since I could not resolve this issue with and without the LANDesk Support Team I will stick with the workaround.

                1x brokerconfig -r after provisioning agent and 1x brokerconfig -r after the final agent is installed.


                I hope the support team comes up with the reason why it is happening later.
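
An added example, not part of the thread and not LANDesk's own tooling: since the provisioning history above reports "Execution status: Success" even when no certificate was obtained, this batch wrapper runs brokerconfig.exe -r and then uses the presence of broker.crt in the cbaroot\broker directory as the success signal, returning a nonzero exit code when it is missing. The log file location and the exit code values 1 and 2 are assumptions made for this example.

```bat
@echo off
rem Added example: run brokerconfig.exe -r, then verify that broker.crt exists.
rem Paths and the -r switch are taken from the thread; everything else is assumed.
setlocal

set "LDCLIENT=%ProgramFiles(x86)%\LANDesk\LDClient"
set "BROKERDIR=%ProgramFiles(x86)%\LANDesk\Shared Files\cbaroot\broker"
rem Assumption: log location chosen for this example only.
set "LOG=%TEMP%\get_csa_cert_check.log"

>>"%LOG%" echo %DATE% %TIME% certificate check started

rem Nothing to do if an earlier run already produced the certificate.
if exist "%BROKERDIR%\broker.crt" goto have_cert

rem Use the same working directory as the Execute File action in the thread.
pushd "%LDCLIENT%" || goto no_client
brokerconfig.exe -r
set "RC=%ERRORLEVEL%"
popd
>>"%LOG%" echo %DATE% %TIME% brokerconfig.exe -r returned %RC%

rem The thread shows broker.key and broker.csr being removed again on failure,
rem so broker.crt is the only file that indicates success.
if exist "%BROKERDIR%\broker.crt" goto have_cert

>>"%LOG%" echo %DATE% %TIME% broker.crt missing, directory contents follow
>>"%LOG%" dir /b "%BROKERDIR%" 2>&1
rem Assumed exit code 1: request ran but no certificate arrived.
exit /b 1

:have_cert
>>"%LOG%" echo %DATE% %TIME% broker.crt present
exit /b 0

:no_client
>>"%LOG%" echo %DATE% %TIME% LDClient directory not found
rem Assumed exit code 2: agent not installed where expected.
exit /b 2
```

Placed at both positions of the workaround (after the provisioning agent and after the final agent), the second run's exit code shows whether the device actually left deployment with a certificate.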