Environment
- App Control Console: All Supported Versions
- App Control Agent: All Supported Versions
Symptoms
Cause
The SSL certificate bound to the specified Resource Download Location is invalid (expired, incorrect Common Name, untrusted root, etc.).
ERROR_WINHTTP_SECURE_FAILURE: 12175
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.
Resolution
- Verify the Resource Download Location in System Configuration > Advanced is still accurate, and contains the necessary files.
- Verify the IIS Certificate bound to Port 443 is not expired, and formatted correctly:
  - Common Name shown should match Server Address from the General tab.
  - Expiration Date should be in the future.
  - A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
- Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
- Verify the TLS protocol on the App Control Server and Agents.
- Verify whether a Proxy or other Network Appliance is between the Agents and App Control Server.
  - If a certificate exists on the Proxy or other Network Appliance, it must be imported and Trusted in the Trusted Communication Certificates list.
  - If SSL Inspection is enabled, the Agents will reject the modified packets.
  - If any other authentication (such as 2FA) is enabled for network traffic on ports 41002 or 443, the Agents may fail to properly communicate.
- If the issue persists, the Agent Communication Certificate may need to be manually imported on the endpoints.
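The port, certificate and TLS checks above can be run in one pass from an affected endpoint with the PowerShell below. This is an added example, not vendor-supplied code; the server name is a placeholder, and the chain result reflects the Windows trust store of the machine it runs on, not the Trusted Communication Certificates list in the console.

```powershell
# Placeholder: replace with the Server Address from the General tab.
$ServerAddress = 'appcontrol.example.com'
$Ports = 41002, 443   # default ports named in the steps above

foreach ($port in $Ports) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerAddress, $port)
        Write-Output "Port ${port}: reachable"
        if ($port -ne 443) { continue }

        # Accept the certificate so it can be inspected even when invalid,
        # but record what Windows found wrong with it.
        $script:policyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ServerAddress)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # NameMismatch: Common Name / SAN does not match $ServerAddress.
        # ChainErrors: expired, untrusted root, or another chain problem.
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Expired      = $cert.NotAfter -lt (Get-Date)
            NameMismatch = $script:policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
            ChainErrors  = $script:policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
            TlsProtocol  = $ssl.SslProtocol
        } | Format-List
        $ssl.Dispose()
    } catch {
        Write-Output "Port ${port}: connection or TLS check failed ($($_.Exception.Message))"
    } finally {
        $tcp.Close()
    }
}
```

If the Issuer shown is a proxy or inspection appliance instead of the certificate bound in IIS, the traffic is being intercepted between the Agent and the App Control Server.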
Additional Notes
- In some installations the Resource Download Location can be modified to use http:// instead of https://, although this configuration is not recommended for security purposes.
- More details on WinHTTP Errors can be found here.