Agent Error: x.509 certificate signed by unknown authority

Follow

When a newly installed device does not show up in the Automox console, it is likely the result of the Automox agent being unable to communicate with the Automox API. While this can be due to a number of different issues, one potential reason is that the Automox agent is unable to establish a secure connection with the Automox API, which is indicated by following error found within the agent logs:

x.509 certificate signed by unknown authority

This error, while rare, usually indicates that the Let's Encrypt root CA certificate may not be installed on the device. Because the Automox agent uses the local system's certificate repository to securely communicate with the Automox API, this is a required certificate.

 

Install the Let's Encrypt Root Certificate

To install this certificate, you must first download it from the Let's Encrypt Chain of Trust site: https://letsencrypt.org/certificates/. At the time of writing, the Active Let's Encrypt root certificate is ISRG Root X1 (self-signed) and will be referred to as isrgrootx1.pem moving forward. Then, with the root certificate in hand, you next need to actually install it. This step is dependent on the operating system of the target device, however the most common commands for each operating system are listed below.

Windows

certutil -addstore -f "ROOT" isrgrootx1.pem

macOS

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain isrgrootx1.pem

Fedora 26+ / RHEL 6+ / CentOS 6+

Before installing the root certificate on an RPM-based operating system, isrgrootx1.pem must first be copied into /etc/pki/ca-trust/source/anchors.

sudo update-ca-trust extract

Ubuntu / Debian

Before installing the root certificate on a Debian-based operating system, isrgrootx1.pem must first be copied into /usr/local/share/ca-certificates/.

sudo update-ca-certificates

SLES

Before installing the root certificate on the SUSE Linux Enterprise Server operating system, isrgrootx1.pem must first be copied into /usr/share/pki/trust/anchors/.

sudo update-ca-certificates

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.