How To Read Logs: SSL Error The remote certificate is invalid according to the validation procedure

NOTE – The actual certificates needed may change, but the fundamental concept should always be relevant.

An exception occurred in MaintaintConnection|{ "exception": {"Message":"SSL Error The remote certificate is invalid according to the validation procedure.", "Data":{}, "InnerException":{"Message":"The remote certificate is invalid according to the validation procedure.",

 

When a connection is made (in general), a device checks which certificate the target address presents and then makes sure that certificate is deemed "trusted" according to the trusted certificates configured on the device. This error typically means that the certificate it found for the URL was not in the list of trusted certificates on the device.

 

NOTE – It could also mean that the device trying to connect simply has the wrong time configured. SSL requests from the future will not be approved =)

With the partner on a screenshare, you can see which certificates are trusted on the device as follows:

 

  1. Type MMC in the Windows Run box and click the toolbox icon
  2. Go to File > Add snap-in and select Certificates > Computer account

 

  1. Under Trusted Root Certification Authorities, look for DigiCert Root CA G2

 

  1. You can use sites like https://www.sslshopper.com/ssl-checker.html to confirm which certificate is being presented by our servers, but as of writing they all seem to be the same DigiCert (see below). Note that some platforms have multiple cc servers, but log.txt will show you which one the agent is attempting to connect to.
  2. It should be on the partner to update their certs and get the necessary ones, but you can help them very quickly and easily update their certs using Windows Update by following this article:
    https://woshub.com/updating-trusted-root-certificates-in-windows-10/
    1. Create a location for updated certs to be downloaded, like C:\Certs
    2. Run this command to download an updated list of trusted certs from Microsoft:
      1. certutil.exe -generateSSTFromWU C:\Certs\roots.sst
      2. Updated SST file.
        CertUtil: -generateSSTFromWU command completed successfully.
    3. You can use a PowerShell script to install all certificates from the SST file and add them to the list of trusted root certificates on a computer:
      1. $sstStore = ( Get-ChildItem -Path C:\Certs\roots.sst )
        $sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
    4. Run the certmgr.msc snap-in and make sure that all certificates have been added to the Trusted Root Certification Authorities store. You should see the number of certs increase.
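
To tell apart the two causes described above (a root missing from the device's trusted store versus a wrong clock), this added example, which is not part of the original article, performs the same TLS handshake from the affected device and reports how Windows judged each certificate in the chain. The function name and the host `cc.example.com` are placeholders; use the server address shown in log.txt. It assumes Windows PowerShell 5.1.

```powershell
# Added diagnostic example (not from the original article).
# 'cc.example.com' below is a placeholder: use the server named in log.txt.
function Test-ServerCertificateTrust {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $seen = @{ Errors = $null; Elements = @() }
    # Record how Windows judged the chain, then return the real verdict,
    # so validation is never bypassed.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $seen.Elements = @(foreach ($e in $chain.ChainElements) {
            [pscustomobject]@{
                Subject    = $e.Certificate.Subject
                Issuer     = $e.Certificate.Issuer
                Thumbprint = $e.Certificate.Thumbprint
                NotBefore  = $e.Certificate.NotBefore
                NotAfter   = $e.Certificate.NotAfter
                Status     = ($e.ChainElementStatus.Status -join ', ')
            }
        })
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($HostName) }
        catch [System.Security.Authentication.AuthenticationException] { } # expected on failure
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Dispose() }

    # Top of the chain Windows could build: a trusted root, or where it stopped.
    $top = $seen.Elements | Select-Object -Last 1
    [pscustomobject]@{
        Server         = "${HostName}:$Port"
        PolicyErrors   = $seen.Errors
        LocalClock     = Get-Date
        TopOfChain     = $top.Subject
        TopIssuer      = $top.Issuer
        TopInRootStore = [bool]($top -and (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"))
        Chain          = $seen.Elements
    }
}

Test-ServerCertificateTrust -HostName 'cc.example.com' | Format-List
```

A chain status of UntrustedRoot or PartialChain with TopInRootStore set to False points at the trusted root store; NotTimeValid together with an implausible LocalClock points at the device's time setting.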

 

 

 
