Certificate Support
Cloud Agent installed on AIX may throw the following error for the certificate ca-bundle.crt when trying to communicate with the Qualys Enterprise TruRisk Platform. This happens when the certificate files are not present on the host asset, or the certificate files are present at the following default location.
/var/ssl/certs/ca-bundle.crt
Error Message:
2017-09-26 06:45:09.499 [qualys-cloud-agent][28901532]:[Information]:Cert OS: AIX, CA path:/var/ssl/certs/ca-bundle.crt
2017-09-26 06:45:09.502 [qualys-cloud-agent][28901532]:[Error]:cloud-agent terminated: exception in main(): File not found: /var/ssl/certs/ca-bundle.crt
Error Details:
SSL CA cert (path? access rights?): error setting certificate verify locations: CAfile: /var/ssl/certs/ca-bundle.crt CApath: none
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:Http request failed:Problem with the SSL CA cert (path? access rights?): error setting certificate verify locations: CAfile: /var/ssl/certs/ca-bundle.crt CApath: none
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:Http request failed: error code: 0
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Debug]:[1800]:Setting Compression to: 1
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:CAPI request failed:
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:CAPI event failed
To fix this issue, you must manually install the certificate files in the appropriate location on the host asset. You can either use the certificate files from your existing RHEL or CentOS assets or download the certificate files from the following location: Extract CA Certificates.
- Run the curl command from a Linux machine:
curl --remote-name --time-cond cacert.pem https://curl.se/ca/cacert.pem
- Rename the curl output from cacert.pem to ca-bundle.crt.
- Copy the certificate file as ca-bundle.crt at the following default location on AIX: /var/ssl/certs/
- If you want to use a non-default location, ensure that the directory path is added in the /etc/opt/qualys/cloud-agent/qagent.config and set AIX path to /var/ssl/certs/ca-bundle.crt in the following manner:
{
"os": "AIX",
"cafile": "/var/ssl/certs/ca-bundle.crt"
}
For agent version 1.6, the qagent.config file is located at /etc/qualys/cloud-agent/qagent.config.
- Create a symbolic link to the ca-bundle.crt hash. To learn more about creating symbolic links, refer to the IBM AIX: Import CA certificate. OpenSSL and some AIX utilities look for certificates via these hashed filenames when verifying certificate chains.
- If you are manually adding the certificates (e.g., a CA bundle or root CA), perform the following actions:
Run the following command to print the hash string:
openssl x509 -noout -hash -in /var/ssl/certs/ca-bundle.crt
For example, the above command generates a hash string 9d66eef0. This string is used for creating a symbolic link:
ln -s ca-bundle.crt <hash>.0
AIX/OpenSSL uses this symbolic link for certificate verification.
For example:
ln -s ca-bundle.crt 9d66eef0.0
- Now restart the QAgent Service using the following command:
/opt/qualys/cloud-agent/bin/qcagent.sh restart
- Check logs for any SSL/cert issues:
tail -f /var/opt/qualys/qualys-cloud-agent.log
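
The bundle check and hash link from the steps above, as an added shell example that is not part of the Qualys documentation. The function names, exit codes and script name are illustrative assumptions; the bundle check is a structural PEM marker count only and does not validate the certificates themselves.

```shell
#!/bin/sh
# Added example; function names and exit codes are illustrative assumptions,
# not part of the Qualys agent.

# check_ca_bundle FILE
# Separates the causes behind "Problem with the SSL CA cert (path? access rights?)":
# 0 = usable, 1 = missing, 2 = not readable, 3 = not a complete PEM bundle
check_ca_bundle() {
    bundle=$1
    [ -e "$bundle" ] || { echo "missing: $bundle" >&2; return 1; }
    [ -r "$bundle" ] || { echo "not readable by this user: $bundle" >&2; return 2; }
    # A truncated download or a saved HTML error page fails this marker count.
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begin" -eq 0 ] || [ "$begin" -ne "$end" ]; then
        echo "not a complete PEM bundle: $bundle (BEGIN=$begin END=$end)" >&2
        return 3
    fi
    echo "ok: $bundle holds $begin certificates" >&2
}

# link_hash_name FILE HASH
# Creates HASH.0 beside FILE as a relative symlink, like the ln -s step above.
# HASH is the output of: openssl x509 -noout -hash -in FILE
# (openssl x509 reads only the first certificate in FILE).
link_hash_name() {
    bundle=$1
    hash=$2
    case $hash in
        ''|*[!0-9a-f]*) echo "unexpected hash value: $hash" >&2; return 4 ;;
    esac
    dir=$(dirname "$bundle")
    name=$(basename "$bundle")
    ( cd "$dir" && ln -sf "$name" "$hash.0" )
}

# Usage: sh check-ca-bundle.sh /var/ssl/certs/ca-bundle.crt
if [ $# -gt 0 ]; then
    check_ca_bundle "$1" || exit $?
    h=$(openssl x509 -noout -hash -in "$1") || exit 5
    link_hash_name "$1" "$h" || exit $?
    ls -l "$(dirname "$1")/$h.0"
fi
```

Run it as the account the agent runs under, so that the readability check reflects the agent's own access rights.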