# Ways to Troubleshoot SSL Error

**Last Updated On**: 14 May 2026  
**6 minutes read**

How to troubleshoot SSL errors affecting agent-server communication.

## Problem

Your agent-server communication has failed due to an SSL error.

## Resolution

To resolve SSL connection errors, verify the following scenarios. Contact support only if none of the steps below resolve the issue.

1. [Invalid Certificate Authority (CA)](#invalid-ca)
2. [Common Name (CN) / Subject Alternative Name (SAN) mismatch](#common-name-cn--subject-alternative-name-san-mismatch)
3. [Invalid certificate validity dates](#invalid-date-on-the-certificate)
4. [Proxy server certificate issues](#proxy-server-certificate)

## 1. Due to Invalid CA

This occurs when the server certificate is signed by an untrusted Certificate Authority.

**Note:** For troubleshooting macOS agents, also verify steps under [Common Name or SAN mismatch](#common-name-cn--subject-alternative-name-san-mismatch).

### Invalid CA in Central Server

If agent-server communication fails:

**Step 1:**

- If using an SSL proxy, ensure its root certificate is installed in the agent’s trust store.

**Step 2:**

- If using an Enterprise CA, verify its root certificate exists in the agent machine trust store.
- If using a Third-Party CA, ensure your system has access to update the Certificate Trust List (CTL). If the system is isolated, manually update the CTL as per OS documentation.

If the browser shows an SSL error:

- Browsers maintain separate trust stores.
- Manually add the Root Certificate to the browser’s trust store if required.

## 2. Due to Common Name or Subject Alternative Name (SAN) Mismatch

This occurs when the certificate name does not match:

1. The domain name resolved from the server IP, or
2. The domain name used by the agent to reach the server, or
3. The domain name entered in the browser address bar.

### Central Server Certificate Mismatch

If agent-server communication fails:

- Obtain a certificate that includes the server's domain name in the **Subject Alternative Name (SAN)** field.
- This applies to both the Central Server and SSL proxy server (if used).

If browser shows this error:

- Updating only the Common Name (CN) will not fix the issue.
- Ensure the correct domain name is added in the SAN field of the certificate.

## 3. Due to Invalid Date on the Certificate

This occurs when the certificate:

- Is not yet valid (future “Valid From” date)
- Has expired (“Valid To” date in the past)
- Or system date/time is incorrect

Verify the following:

- Ensure agent machines have correct current date and time.
- Ensure server machines have correct current date and time.
- Verify “Valid From” and “Valid To” fields of the certificate.
- Upload a new certificate if expired or incorrectly dated.

## 4. Proxy Server Certificate

If your network uses a proxy server, ensure proper SSL configuration:

- **Import Proxy Root Certificate:**
  - Import the proxy server’s root certificate in **Agent Settings**.
  - Only `.cer` or `.crt` formats are supported.
  - Import only the root certificate (not intermediate/leaf separately).

- **Multiple Certificate Chains:**
  - If multiple chains exist, import the root certificate.
  - Intermediate certificates must be bundled within the leaf certificate.

- **Proxy Certificate Renewal:**
  - If the proxy root certificate expires, import the renewed certificate immediately.