Troubleshoot Secure Relay Installation

Installation failure of multiple Secure Relays and a Secure Relay on a standalone server

Cause: During upgrade, the installer does not pick up the environment variable for the Ceti host IP address and defaults to "127.0.0.1".
Error message — Connection failed due to an unexpected error during transmission.

Fix:
1. Verify the environment variable 'TENABLE_CASSIOPEIA_CETI_Service__Broker__Host' on the Directory Listener server.
2. Ensure that it is set to the IP address of the Security Engine Node. If the variable is set to the default '127.0.0.1', it causes the Secure Relay installation to fail.
3. After you update the environment variable 'TENABLE_CASSIOPEIA_CETI_Service__Broker__Host', restart the Ceti service.
4. Begin the Secure Relay installation again. Otherwise, it rolls back and leaves the Relay and Envoy services installed and block any further installation.

Invalid CetiDNS name

Cause: The IP Address of the Ceti Server was not set during the upgrade or installation of the Security Engine Node server. The installer defaults to “127.0.0.1”:
Error message — Connection failed: Unable to connect to the remote server.

For the "tenable_envoy_server" service in a paused state: Identify the application currently occupying the port 0.0.0.0:443 using the PowerShell command netstat -anob | findstr 443. If you find another application, either remove it or stop it to resolve the conflict and allow proper functioning of the "tenable_envoy_server" service.

Fix:

Log into the Security Engine Node server.
- If you use a split Security Engine Node architecture, log into the server that runs the Eridanis service.
Open Environment Variables and locate the variable name ERIDANIS_CETI_PUBLIC_DOMAIN.
Edit the variable value for ERIDANIS_CETI_PUBLIC_DOMAIN to insert the IP address or hostname of the Directory Listener:
- Update the environment variable ERIDANIS_CETI_PUBLIC_DOMAIN to match the IP address or hostname of the Directory Listener. This synchronization facilitates seamless communication between the components deployed on separate servers.
- The Variable value for “ERIDANIS_CETI_PUBLIC_DOMAIN” changes from 127.0.0.1 to the IP address or hostname of the Directory Listener listener.test.lab.

Open Services and stop the service tenable_Eridanis.

Start the service tenable_Eridanis.

Log into the Secure Relay server. Exit the Secure Relay installer if it is already open and begin the Secure Relay installation again.

Caution: Be sure to exit the installer and start a fresh installation. If you do not exit the installer and continue with the installation, it breaks the installation process, and you can't proceed further (blocker).

No "Trust Relationship" for SSL/TLS secure connection

Cause: The installer cannot find the CA certificates on the local server.
Error message — Connection failed: The underlying connection was closed: Could not establish a trust relationship for the SSL/TLS secure channel.
Fix:
1. Access the source system (Directory Listener server) or repository where trusted CA certificates reside and locate the trusted CA certificates, typically in directories such as:
  - Default self-signed certificate location: “installation_drive”:\Tenable\Tenable.ad\DefaultPKI\Certificates\ca
  - Custom certificate location: “installation_drive”:\Tenable\Tenable.ad\Certificates
2. Copy the trusted CA certificate files from the source system (Directory Listener server) to the local server (Secure Relay server).
3. Import the certificates into the trusted certificate store of the Secure Relay server.
4. After a successful import, exit the Secure Relay installer and begin the installation again.
  
  Caution: Be sure to exit the installer and start a fresh installation. If you do not exit the installer and continue with the installation, it breaks the installation process, and you can't proceed further (blocker).