Activation failure on Linux with old CAcerts (Solved)

I have a number of TFS installations on Ubuntu machines. They have suddenly stopped accepting activations with the error “The secure connection to the activation servers failed due to a TLS or certificate error”. Has something changed on the LimeLM servers to cause this?

We are seeing similar behavior. The error that is emitted:

Error activating product key: (57): The secure connection to the activation servers failed due to a TLS or certificate error. This is most often caused by MITM (man-in-the-middle) attempts on corporate networks or, if on Unix operating systems (macOS, Linux, BSD, etc.), it's caused by out-of-date or missing CA certificates. This means either keeping your system itself up-to-date, or manually updating the CA certs.

Have confirmed on Ubuntu 16.04 and 20.04; no results yet from other versions of Ubuntu or other distributions. These environments were all functional yesterday and stopped working this morning (26 Aug 2021; US Eastern morning).

I believe that this is using TurboActivate 4.4.3.0, but we have several layers on our end; still trying to validate.

Screenshot sent by email

We too have the same problem and it's quite massive. All our Ubuntu machines have suddenly stopped accepting activations with the same error. I see a new certificate rolled out at wday.com around the time the machines stopped accepting activations and also TA_isGenuine is failing as well.

Some more details

- Library version checked from 4.3 to latest 4.4.4.

- It works from Windows (checked on Windows Server 2008R2) but fails from Linux (tested from Ubuntu 16.04 and 18.04)

- All instances failed in the same time range (we check the license from time to time when the application runs)


Yes, we pushed out new TLS certs to our end-points (our other cert was expiring in 2 days).

But, we're looking into this now.

@Wyatt: please can you update? No “pressure” but we have to understand if we have to roll out an emergency solution overnight or not depending on your view of the issue

We're looking into this now.

Answer

Everything should work now for older Linux / BSD machines.

The problem was that the DDoS protection we use (which is the entry-point to our services – and thus serves our TLS certs) was stripping “superfluous” “leaf nodes” in the certificate chain. This is fine for newer Linux / BSD distributions which have up-to-date CACerts installed on them. But it failed for older Linux / BSD distributions which only had the “root node” but not the leaf-nodes as part of the default CACert package.

Long story short: it's fixed now. Our services will now correctly deliver the entire chain of certs so that older distributions will continue to work.

Newer Linux / BSD distros were unaffected. Windows and macOS were unaffected. And customers visiting our sites in modern browsers were unaffected (regardless of the platform).

Thanks for reporting this.
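The failure mode described in the answer above can be reproduced offline. This is an added example, not code from wyDay or from anyone in the thread: it builds a constructed three-level PKI with the `openssl` CLI (all names, including `activation.example.test`, are made up) and, following the answer's explanation, models an older client as a trust store holding only the root and a newer client as a store that already contains the certificate the server stopped sending.

```bash
# Constructed lab PKI: root CA -> intermediate CA -> server certificate.
# A client succeeds only if it can build the path leaf -> intermediate -> root.

issue() {  # $1 = dir, $2 = new cert name, $3 = issuer name, $4 = ext section, $5 = CN
  openssl req -new -config "$1/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=$5" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/lab.cnf" -extensions "$4" -days 30 -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # $1 = existing working directory
  cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$1/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Lab Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" int  root v3_ca   "Lab Intermediate CA"
  issue "$1" leaf int  v3_leaf "activation.example.test"
}

# $1 = client trust store (PEM), $2 = server certificate,
# $3 = extra certificates the server sends in the handshake (omit if stripped).
client_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

show() { printf '%-40s' "$1"; shift; if client_verifies "$@"; then echo OK; else echo FAILED; fi; }

lab=$(mktemp -d); build_chain "$lab"
cat "$lab/root.pem" "$lab/int.pem" > "$lab/newer-store.pem"
show "root-only store, full chain sent:"   "$lab/root.pem" "$lab/leaf.pem" "$lab/int.pem"
show "root-only store, chain stripped:"    "$lab/root.pem" "$lab/leaf.pem"
show "store with intermediate, stripped:"  "$lab/newer-store.pem" "$lab/leaf.pem"
```

To see what a live endpoint actually delivers, `openssl s_client -connect HOST:443 -showcerts` prints every certificate sent in the handshake (HOST is a placeholder).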

We are still not able to reach your servers (NOW), for example from Debian 10.3 inside Docker, even after updating CA-certificates package.

What should we do? You “solved” it 13 hours ago, but our customers are complaining now, and we are not able to help them.

We are not able to deactivate nor activate any license on Linux computers or within Docker images.

Are you using the latest version of TurboActivate, TurboFloat, and/or TurboFloat Server? If not, start there.

We are not able to update, because of reported problem with compilation - https://wyday.com/forum/t/5036/turboactivate-4-4-4-0-on-ubuntu-16-04/

In other words, you have just killed all older libraries and software that are using it, without ANY NOTICE UPFRONT.

We had been using 4.3.3 until yesterday without any problem.

PLEASE, could you revert whatever change you have made? This is a total breaking change, which does break our software (in the eyes of our customers).

If you want to use static libraries, I just updated that thread with how you can do it.

TA 4.4.4 (the latest out) is several months old. People have had ample time to update. Even 4.4.0 should work fine (nearly a year old).

And TLS certs have a set lifetime. We don't advertise it, or make a big deal about it (because, it isn't a big deal). But this means, after X months we need to renew the certificates. (And yes, you can see how long the current certs last, and when they expire).

Long story short: protocols and security are ever changing (into better and more secure delivery technologies). That's the good side. The down side is you have to stay on top of those changes.

Or, to be blunt: keep up to date. Use the latest versions of our software and you'll mitigate current and potential future problems. We don't do vanity version number bumps. Any software we release has real fixes and improvements.


Any software you release has real bugs and compilation issues. Therefore, we are very careful, and it takes us a lot of time to test it and finally update, if it is possible at all.