Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Failed to complete ACM activation (ERR/5). #5176

Open gfrankliu opened 1 year ago

gfrankliu commented 1 year ago

I am using "meshcmd" on my local Linux (Debian 11) workstation to activate ACM against my test meshcentral server in the cloud.

$ sudo ./meshcmd amtconfig --url wss://my-meshcentral-url/apf.ashx --id 'my-group-id'
DHCP error, timeout
Setting up MEI...
Started LMS...
Starting Intel AMT configuration...
Started APF tunnel...
Checking Intel AMT state...
Getting ready for ACM activation...
Performing ACM activation...
Failed to complete ACM activation (ERR/5).

What is ERR/5? Is there a way to print more details from the meshcmd?

$ sudo ./meshcmd amtinfo
DHCP error, timeout
Intel AMT v12.0.64, pre-provisioning state.
Wired Enabled, DHCP, 84:8B:CD:00:00:00
Trusted DNS suffix: ext.mydomain.com
Connection Status: Outside, CIRA: Disconnected.

The server group is configured:

Type | Intel® AMT only, no agent

Intel® AMT | Simple Admin Control Mode (ACM) + CIRA

si458 commented 8 months ago

I believe this commit MIGHT fix your issue: https://github.com/Ylianst/MeshCentral/commit/a17fd2f26872c83e6a1ec1a2ac350efdf67552d5. You can try it out by doing a backup of your MeshCentral, then doing npm install Ylianst/MeshCentral to install the master branch.

gfrankliu commented 8 months ago

My issue was actually fixed back in July by this PR: https://github.com/Ylianst/MeshCentral/commit/1ead77ef8dc8b535a7a774a90a093643bb747371

si458 commented 8 months ago

Oh dear, we just reversed that commit to fix AMT activation for others!? So it might break your setup!? Please can you verify?

gfrankliu commented 7 months ago

As mentioned in https://github.com/Ylianst/MeshCentral/pull/5243, our private CA uses SHA256, but since the BIOS/MEBx can only accept a SHA1 hash, we have to take the SHA1 fingerprint of the CA (openssl x509 -noout -fingerprint -sha1 -inform pem -in our_private_ca.crt) to put in MEBx, even though the CA (signer) and provisioning certs are both SHA256 certificates.

That's the root cause of our ACM activation issue, and it was fixed in that PR. Now that our system is live, I can't bring it down for testing. I will need to set up another environment in order to try it out, but I am pretty sure reverting the PR will break it again. If you use a self-signed CA, you should be able to try it. If not, I will set up another server next week to verify. Thanks!

si458 commented 7 months ago

To be honest, I'm having trouble trying to replicate the original issue - https://github.com/Ylianst/MeshCentral/discussions/5297. I have 2 AMT v12 machines, but it seems to activate every time no problem in ACM mode, with or without the patch? I just can't get it to call the signAcmRequest function, but that function only calls every time the device sends the JSON action of meiState, but mpsControlMessage is failing because the tag assigned to the socket on connect doesn't seem to include the nodeid? So I have no idea how to call it to replicate it to verify it? It's driving me insane! I have no idea how I replicated it the first time around?

gfrankliu commented 7 months ago

@graikhel-intel helped me solve my original issue with https://github.com/Ylianst/MeshCentral/pull/5243. I see he's already commenting in https://github.com/Ylianst/MeshCentral/discussions/5297.

In your test, how did you input your self-signed CA into the AMT machine? In my case, I manually typed in the SHA1 hash via the BIOS/MEBx screen. On my machine, the AMT only accepts SHA1; not sure if yours supports a SHA2 hash in MEBx now?

amoljagdalepucsd commented 5 months ago

@gfrankliu @graikhel-intel I am facing an issue activating Intel AMT on remote devices, but I am not getting what the root cause is. Do we need to add some certificate while activating AMT from the hosted server? I have raised a question for discussion. Please have a look and help me. (https://github.com/Ylianst/MeshCentral/discussions/5899)