Nessus Manager Certificates and Nessus Agent

When you link an agent to Nessus Manager, you can optionally specify the certificate that the agent should use when it links with Nessus Manager. This allows the agent to verify the server certificate from Nessus Manager when the agent links with Nessus Manager, and secures subsequent communication between the agent and Nessus Manager. For more information on linking Nessus Agent, see Nessuscli.

If you do not specify the certificate authority (CA) certificate at link time, the agent receives and trusts the CA certificate from the linked Nessus Manager. This ensures that subsequent communication between the agent and Nessus Manager is secure.

The CA certificate the agent receives at linking time saves in the following location:

  • /opt/nessus_agent/var/nessus/users/nessus_ms_agent/ms_cert.pem

  • C:\ProgramData\Tenable\Nessus Agent\nessus\users\nessus_ms_agent\ms_cert.pem

  • /Library/NessusAgent/run/lib/nessus/users/nessus_ms_agent/ms_cert.pem

Troubleshooting

If the agent cannot follow the complete certificate chain, an error occurs and the agent stops connecting with the manager. You can see an example of this event in the following sensor logs:

  • nessusd.messages - Example: Server certificate validation failed: unable to get local issuer certificate

  • backend.log - Example: [error] [msmanager] SSL error encountered when negotiating with <Manager_IP>:<PORT>. Code 336134278, unable to get local issuer certificate, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Scenario: Agent can't communicate to manager due to broken certificate chain

A common reason your certificate chain may break is that you change the server certificate on Nessus Manager but do not update the CA certificate. The agent is then unable to communicate to the manager upon restart. To resolve this issue, do one of the following:

  • Unlink and relink the agent to Nessus Manager, which resets the certificate so the agent gets the correct CA certificate from Nessus Manager.

  • Manually upload the correct cacert.pem file from Nessus Manager into the custom_CA.inc file in the agent plugin directory:

    • /opt/nessus_agent/lib/nessus/plugins

    • C:\ProgramData\Tenable\Nessus Agent\nessus\plugins

    • /Library/NessusAgent/run/lib/nessus/plugins

  • Generate a new server certificate on Nessus Manager using the CA for which the agent already has the CA certificate, so that the certificate chain is still valid.