SSL Error: The remote certificate is invalid according to the validation procedure

NOTE – The actual certificates needed may change, but the fundamental concept should always be relevant.

An exception occurred in MaintaintConnection|{ "exception": {"Message":"SSL Error The remote certificate is invalid according to the validation procedure.", "Data":{}, "InnerException":{"Message":"The remote certificate is invalid according to the validation procedure.",

 

When a connection is made (in general), the device checks which certificate the target address presents and then makes sure that certificate is deemed "trusted" by the device, as configured by the trusted certificates on the device. This error typically means that the certificate it found for the URL was not in the list of trusted certificates on the device.

 

NOTE – It could also mean that the device trying to connect simply has the wrong time configured. SSL requests from the future will not be approved =). Check system time and fix it if it is off.

SOLUTION 1

If the partner has shell access to the device, try the following commands in PowerShell:

certutil.exe -generateSSTFromWU C:\Temp\roots.sst

$sstStore = ( Get-ChildItem -Path C:\Temp\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
 

This will force the device to update its certs by contacting Windows Update. See the article below for context, though the commands in that article do not appear to be formatted correctly. The commands above are the simpler, tested set.

https://woshub.com/updating-trusted-root-certificates-in-windows-10/#h2_3 

SOLUTION 2

The above should resolve the majority of these cert issues, but if needed you can review the certs that are currently trusted in Windows MMC. You'll need to do this on a screenshare with the partner to the affected device.

 

  1. Type MMC in the Windows Run box and click the toolbox icon
  2. Go to File > Add snap-in and select Certificates > Computer account
     [Screenshot: the MMC "Add or Remove Snap-ins" dialog with the Certificates snap-in selected and "Computer account" chosen under "This snap-in will always manage certificates for".]

 

  1. Under Trusted Root Certification Authorities, you can see which certs are trusted by the device (though bear in mind there is some variance in names, etc.)
     [Screenshot: the sslshopper.com SSL checker result for 01cc.centrastage.net beside the MMC Trusted Root Certification Authorities list. The server certificate (common name *.centrastage.net, organization Datto, Inc.) is issued by DigiCert Global G2 TLS RSA SHA256 2020 CA1, which chains to DigiCert Global Root G2; the MMC list shows DigiCert Global Root G2 among the device's trusted roots.]

 

  1. You can use sites like https://www.sslshopper.com/ssl-checker.html to confirm which certificate is being presented by our servers, but as of writing they all seem to be the same DigiCert (see below). Note that some platforms have multiple cc servers, but log.txt will show you which one the agent is attempting to connect to. If needed, certificates can be manually imported to the device in MMC.
    1. NOTE – when using the online checker to see which certs are needed, make sure you're checking the "Control" servers, which are typically the ones with "cc" in the name. Don't use the URL for the web portal, because that only affects user logon activity. Device connectivity uses a completely different URL:
       

       US East (Concord)

       Web Service
         https://01concordws.centrastage.net
         https://agent-gateway.concord.rmm.datto.com/
         https://concord-agent.centrastage.net
         https://concord-audit.centrastage.net
         https://concord-monitoring.centrastage.net
         https://concord-agent-notifications.centrastage.net
         https://concord-agent-comms.centrastage.net

       Agent Updates
         https://update-concord.centrastage.net
         https://update.centrastage.net
         https://storage.rmm.datto.com
         https://download.visualstudio.microsoft.com

       Web Interface
         https://concord.centrastage.net
         https://concord-realtime.centrastage.net
         https://concord.rmm.datto.com
         https://concordrmm.centrastage.net

       Control Channel
         concordcc.centrastage.net
         01concordcc.centrastage.net

       Tunnel Server
         ts.centrastage.net

       Component Library
         https://cpt-concord.centrastage.net
         https://cpt-concord.centrastage.net.s3.amazonaws.com
         https://s3.amazonaws.com/cpt-concord.centrastage.net
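
To run the same check from the affected device itself rather than from an online checker, the following added PowerShell example (not part of the original article or any vendor tooling) fetches the certificate a control server presents, rebuilds the chain against the device's own stores, and reports the device clock alongside the result. The function name Test-PresentedChain is hypothetical, and TLS 1.2 on port 443 is an assumption.

```powershell
# Added example: inspect the chain a host presents and how this device judges it.
function Test-PresentedChain {
    param(
        [Parameter(Mandatory)][string]$HostName,  # control channel host, as named in log.txt
        [int]$Port = 443                          # assumption: TLS on port 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the aim is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        # Assumption: the server accepts TLS 1.2.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Rebuild the chain from this device's own certificate stores. Revocation
    # checking is off so only trust and validity-period problems are reported.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Host           = $HostName
        DeviceClock    = Get-Date             # compare with the validity dates below
        Trusted        = $trusted
        # UntrustedRoot / PartialChain: root or issuer missing; NotTimeValid: clock or expiry
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Chain          = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
        LeafNotBefore  = $leaf.NotBefore
        LeafNotAfter   = $leaf.NotAfter
        TopOfChain     = $top.Subject
        TopInRootStore = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
    }
}

Test-PresentedChain -HostName '01cc.centrastage.net' | Format-List
```

If Trusted is False with UntrustedRoot or PartialChain, the root update in Solution 1 is the relevant fix; NotTimeValid alongside a wrong DeviceClock points to the system time instead.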
