
Ways to Troubleshoot SSL Error

How to troubleshoot SSL error in agent-server communication.

Problem

Your agent-server communication was hampered due to an error in SSL.

Resolution

To resolve the error in SSL connection, you can try the following. Please contact support only if none of the following works for you.

1. Due to Invalid CA

This error occurs when your server certificate has been issued (signed) by an untrusted Certificate Authority.

Note
For troubleshooting Mac agents, also refer to the steps for the SSL error due to Common Name or Subject Alternative Name mismatch, in addition to the steps below.

Invalid CA in Distribution server

If your organization uses an SSL proxy, check if the root certificate of the SSL proxy server is in your agent machine's trust store. If not, install it in the trust store. If it is already in the trust store, contact customer support.

Invalid CA in Central server

If your agent-server communication has failed:

Step 1:

If your organization uses an SSL proxy, check if the root certificate of the SSL proxy server is in your agent machine's trust store. If not, install it in the trust store. If it is already in the trust store, proceed to Step 2.

Step 2:

If you have imported an SSL certificate into the central server, perform the following based on the type of the certificate:

  • If the certificate is signed by an Enterprise CA, check if this Enterprise CA root certificate is in the trust store of the agent machine.
  • If the certificate is signed by a Third Party CA, your operating system might have failed to request the Certificate Trust List (CTL). This can happen if your system has been isolated with no direct access to the internet. If the system is supposed to be isolated, perform a manual update of your CTL. The method to do so varies based on the Operating System. Please refer to the OS specific documentation to do the changes or contact your administrator.

If your browser shows this error when visiting the Central Server web console:

Most browsers have their own certificate trust store that is independent of the trust store of the operating system. This error happens when the Root certificate is not in the trust store of the browser. You can manually add the Root Certificate of the Central server to the trust store of your browser. The method to do so varies based on the browser you are using. Please refer to the browser specific documentation.

2. Due to Common Name or Subject Alternative Name mismatch

This error occurs when your server presents a certificate with a name that does not match:
1. The domain name to which your server IP has resolved (or)
2. The domain name using which the agent tried to reach the server (or)
3. The domain name that you have entered in the browser's address bar.

Common Name or Subject Alternative Name mismatch in Distribution server certificate:

If a common name or subject alternative name mismatch exists in the distribution server certificate, please contact customer support.

Common Name or Subject Alternative Name mismatch in Central server certificate:

If your agent-server communication has failed:
You'll need to get a certificate with the domain name of the server machine added into the 'Subject Alternative Names' (SANs) field of your certificate.
This needs to be done for the Central Server as well as the SSL proxy server at your organization (if any).

If your browser shows this error when visiting the Central Server web console:
Please note: Getting a certificate with a new 'common name' (CN) won't fix the problem. Most browsers (like Chrome) don't check this field anymore. You'll need to get a certificate with the domain name of the server machine added into the 'Subject Alternative Names' (SANs) field of your certificate. This needs to be done for the Central Server as well as the SSL proxy server at your organization (if any).

3. Due to Invalid Date on the Certificate

This error occurs when your server presents a certificate that is not valid yet or has expired. It could also mean that the date and time have been incorrectly set in the client or server machine.

The following needs to be checked in the distribution server, central server, and the SSL proxy server at your organization (if any).

  • Ensure that the Date and Time of the agent machines are set to the current date and time.
  • Ensure that the Date and Time of the server machines are set to the current date and time.
  • Check the 'Valid From' field of the certificate being used by the server. It shouldn't be a future date. If this is the case in the Distribution Server, contact support. If this is the case in the Central Server or your SSL proxy server, upload a certificate with a proper 'Valid From' date into the server.
  • Check the 'Valid to' field of the certificate being used by the server. It shouldn't be a past date. If this is the case in the Distribution Server, contact support. If this is the case in the Central Server or your SSL proxy server, upload a certificate with a proper 'Valid to' date into the server.
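
To find out which of the three causes above (1, 2 or 3) applies, you can attempt the TLS handshake yourself and read the verification error. The script below is an added example, not part of the product or its documentation; it uses the trust store that Python's ssl module loads on the machine where it runs, which is assumed to match the agent machine's store, and the function names are illustrative.

```python
import socket
import ssl

# OpenSSL verification error codes grouped by the section numbers used above.
SECTION_BY_CODE = {
    18: 1, 19: 1, 20: 1, 21: 1,  # self-signed, or issuer not in the trust store
    62: 2, 64: 2,                # hostname or IP address mismatch
    9: 3, 10: 3,                 # certificate not yet valid, or expired
}
SECTION_TITLE = {1: "Invalid CA",
                 2: "Common Name or Subject Alternative Name mismatch",
                 3: "Invalid Date on the Certificate"}

def classify(verify_code):
    """Map an OpenSSL verify code to (section number, section title)."""
    section = SECTION_BY_CODE.get(verify_code, 0)
    return (section, SECTION_TITLE.get(section, "Other verification error"))

def _handshake(host, port, check_hostname, timeout):
    """Verify the chain against the default trust store; return the peer cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = check_hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def san_names(cert):
    """List DNS and IP entries from the Subject Alternative Name field."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]

def diagnose(host, port=443, timeout=5.0):
    """Return which section of this article a failed handshake falls under."""
    try:
        _handshake(host, port, True, timeout)
        return {"section": None, "detail": "certificate verified"}
    except ssl.SSLCertVerificationError as err:
        section, title = classify(err.verify_code)
        result = {"section": section, "title": title,
                  "detail": err.verify_message}
        if section == 2:
            # Retry without the name check to list the names the certificate
            # really carries; this only works if chain and dates are valid.
            try:
                result["san"] = san_names(_handshake(host, port, False, timeout))
            except ssl.SSLError:
                pass
        return result
```

Call diagnose() with the server name exactly as the agent uses it, for example diagnose("central.example.internal", 8383), where both the name and the port are placeholders. OpenSSL reports only the first problem it finds, so run it again after fixing one cause.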

4. Proxy Server Certificate

If you use a proxy server in your network setup, it's essential to ensure secure communication through the proxy. Here are the steps to follow for configuring the proxy server certificate:

  • Import Proxy Server's Root Certificate:
    • In the "Agent settings" or "OSDSettings" tab, you must import the proxy server's root certificate. Note that only certificates in the .cer or .crt format are allowed for this purpose. Importing the root certificate is crucial; there's no need to import leaf or intermediate certificates individually.
  • Dealing with Multiple Chain Certificates:
    • If the proxy server's certificate contains multiple certificate chains, you should import the root certificate. Any intermediate certificates required for the chain must be included within the leaf certificate itself.
  • Renewal of Proxy Root Certificate:
    • If the proxy server's root certificate expires, you must import the new certificate to maintain secure communication.