Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
Symptoms
- Agent upgrade attempts generating errors when downloading, similar to:
Error: Failed to download upgrade package: https://ServerAddress/hostpkg/pkg.php?pkg=/ParityHostAgent.msi. WinHttpSendRequest Error[12175:]
- Miscellaneous files from Resource Download Location (RDL) fail to download, similar to:
Failed to download Server Cert List file from URL [https://ServerAddress/hostpkg/pkg.php?pkg=TrustedCertList.pem]: Error[WinHttpSendRequest Error[12175:]
Cause
The SSL Certificate bound to the specified Resource Download Location is invalid (expired, incorrect Common Name, Untrusted Root, etc.).
ERROR_WINHTTP_SECURE_FAILURE: 12175
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.
Resolution
- Verify the Resource Download Location in System Configuration > Advanced is still accurate, and contains the necessary files.
- Verify the IIS Certificate bound to Port 443 is not expired and is formatted correctly:
  - Common Name shown should match Server Address from the General tab.
  - Expiration Date should be in the future.
  - A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
- Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
- Verify the TLS protocol on the App Control Server and Agents.
- Verify whether a Proxy or other Network Appliance is between the Agents and App Control Server.
  - If a certificate exists on the Proxy or other Network Appliance, it must be imported & Trusted in the Trusted Communication Certificates list.
  - If SSL Inspection is enabled, the Agents will reject the modified packets.
  - If any other authentication (such as 2FA) is enabled for network traffic on ports 41002 or 443, the Agents may fail to properly communicate.
- If the issue persists, the certificate may need to be manually imported on the endpoints.
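The certificate checks above can be run from an affected endpoint with the following PowerShell function, which is an added example and not part of the vendor's tooling. The function name and the server address `appcontrol.example.local` are placeholders, and it evaluates trust against the Windows certificate store only, not the Trusted Communication Certificates list in the console.

```powershell
# Added diagnostic example (not vendor code). Run on an endpoint that logs error 12175.
# Get-RdlCertificateReport is a hypothetical helper name.
function Get-RdlCertificateReport {
    param(
        [Parameter(Mandatory)][string]$ServerAddress,  # value from the General tab
        [int]$Port = 443
    )
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerAddress, $Port)
        # Accept any certificate here so that an invalid one can still be retrieved
        # and inspected; validation is done explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerAddress)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain against this machine's trust store.
    # Revocation is skipped so the result reflects trust and validity dates only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # SimpleName returns the subject Common Name when one is present.
    # A wildcard Common Name will show NameMatches = False and needs a manual look.
    $commonName = $cert.GetNameInfo('SimpleName', $false)

    [pscustomobject]@{
        ServerAddress = $ServerAddress
        CommonName    = $commonName
        NameMatches   = ($commonName -ieq $ServerAddress)
        Issuer        = $cert.Issuer      # an unexpected issuer suggests a proxy re-signing traffic
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Thumbprint    = $cert.Thumbprint
    }
}

# Placeholder address; replace with the Server Address of the App Control Server.
Get-RdlCertificateReport -ServerAddress 'appcontrol.example.local' | Format-List
```

If the connection itself throws during `AuthenticateAsClient`, the TLS handshake failed before any certificate was returned, which points to the TLS protocol or network appliance checks rather than the certificate.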
Additional Notes
- In some installations the Resource Download Location can be modified to use http:// instead of https://, although this configuration is not recommended for security purposes.
- More details on WinHTTP Errors can be found here.