Solutions to the most common SSL Errors

Below you will find the most common SSL errors that can occur, with a more detailed explanation of what causes them and how to resolve them.

Please be aware that this covers only the error messages within the AppTec Client and not any other error you may receive on another OS or software.

In case you are not using our OnPremise solution and instead using our Cloud solution, contact support@nullapptec360.com if you receive this error. If you read this and you are not the AppTec administrator of your company, contact your administrator.

Important: Please understand that we are not a certificate vendor or a certificate provider. We do not sell or renew SSL certificates. If you have a question or problem with your specific SSL certificate, contact your certificate provider.

It is also important to understand that the devices receive the certificate chain from the server and have to trust it themselves. It is therefore possible that some devices trust a specific CA or certificate while others do not.

Invalid SSL Configuration

Problem Description: The device tries to connect to the server and can reach it, but rejects the connection for security reasons because it could not verify the trustworthiness of the server certificate.

Troubleshooting:
Below you will find various problem sources, each with a way to figure out whether this is your problem and a way to solve it. If you are not sure what your problem could be, start with the first entry and go through them top to bottom. The entries are sorted by number of occurrences in the past years, so the most common problem is the first entry and the least common problem is at the bottom.

In case you are unclear what any of the instructions mean or you are not sure what to do exactly, it is always recommended to ask your certificate vendor for help. After all, they are the ones who issued your certificate and work with certificates every day, so they can always help you with certificate problems!

Problem Description: Usually your server certificate is only one part of a bigger certificate chain.
The big root certificate authorities (aka root CAs) do not sign server certificates themselves. They sign intermediate CAs, i.e. your certificate vendor, which in turn sign your server certificate. For a more detailed explanation click here.
But your device is only aware of the root CAs and only trusts them. Since your server certificate is only signed by your intermediate CA, this alone is not enough. This is why your certificate points to an intermediate certificate which points to the root CA (in rare cases you have 2 intermediate certificates). This is called a certificate chain.
The server delivers the first 2 parts of this chain: your server certificate and the intermediate certificate (you get this from your certificate vendor). The last and most important part, the root CA, is saved on the device.
If there is no intermediate certificate, the device does not know which root CA your certificate belongs to and therefore will not trust the connection.

Is this my Problem?
To find out if this is your problem, we will use OpenSSL, which is already installed on the appliance, so you do not have to install any additional software.
Open the VM so you see the GUI of the machine itself and open a terminal or connect with SSH.

Click the marked button to open a terminal:

In the Terminal enter the following:

openssl s_client -connect my.mdm.server:port

“my.mdm.server” refers to the FQDN of your appliance. You can check this in Step 1 of the appliance configuration under “Hostname” if you are not sure. Example: mdm.apptec360.com
“port” refers to your SSL port. By default this is 443, but you can change this. If you are not sure, you can check this in Step 3 of the appliance configuration under Server Ports -> SSL Port.

Example:

openssl s_client -connect emmconsole.com:443

This will output a lot of information about your certificate. Scroll up a bit, since we only need the part labelled “Certificate chain”. Look for this part:

Now let’s take a look into this.

 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=CH/1.3.6.1.4.1.311.60.2.1.2=Basel-Stadt/serialNumber=CHE-148.513.391/C=CH/ST=Basel-Stadt/L=Basel/O=AppTec GmbH/CN=www.emmconsole.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

We have 2 certificates here: the server certificate starting with a 0 (zero) and the intermediate certificate starting with a 1 (one). The s:/ contains the subject information of the certificate itself and the i:/ names its issuer, i.e. the next certificate in the chain. If you are missing your intermediate certificate, you will only get 1 result (2 lines) in the certificate chain. If this is the case, continue with the problem solution. Otherwise check one of the other sections, since you do have an intermediate certificate.

Problem solution: First of all, get the intermediate certificate from your certificate vendor! In some cases it is sent together with the certificate itself. If this is not the case, check the website of your certificate vendor or contact your vendor directly.
Once you have your intermediate certificate, open apptec.conf in Firefox on the virtual machine. This will open the appliance configuration. (Alternatively you can access this from your own computer; see chapter “Configure from external host” in our manual.) Go to step 2.
Depending on your resolution it is possible that you have to scroll down a bit to see the upload button for the intermediate certificate:

Upload your intermediate certificate. Go to step 5 and press “Configure appliance” so the new certificate is applied. Wait 30~60 seconds. Now the intermediate certificate should be applied and the connection should work properly!

Problem Description: Usually your server certificate is only one part of a bigger certificate chain.
The big root certificate authorities (aka root CAs) do not sign server certificates themselves. They sign intermediate CAs, i.e. your certificate vendor, which in turn sign your server certificate. For a more detailed explanation click here.
But your device is only aware of the root CAs and only trusts them. Since your server certificate is only signed by your intermediate CA, this alone is not enough. This is why your certificate points to an intermediate certificate which points to the root CA (in rare cases you have 2 intermediate certificates). This is called a certificate chain.
The server delivers the first 2 parts of this chain: your server certificate and the intermediate certificate (you get this from your certificate vendor). The last and most important part, the root CA, is saved on the device.
If the intermediate certificate is wrong and does not belong to your certificate, the certificate chain is broken and the device is not able to determine whether or not your certificate can be trusted.
Maybe you downloaded the wrong intermediate certificate from your certificate vendor, or you changed your certificate vendor and forgot to renew the intermediate certificate.

Is this my Problem?
To find out if this is your problem, we will use OpenSSL, which is already installed on the appliance, so you do not have to install any additional software.
Open the VM so you see the GUI of the machine itself and open a terminal or connect with SSH.

Click the marked button to open a terminal:

In the Terminal enter the following:

openssl s_client -connect my.mdm.server:port

“my.mdm.server” refers to the FQDN of your appliance. You can check this in Step 1 of the appliance configuration under “Hostname” if you are not sure. Example: mdm.apptec360.com
“port” refers to your SSL port. By default this is 443, but you can change this. If you are not sure, you can check this in Step 3 of the appliance configuration under Server Ports -> SSL Port.

Example:

openssl s_client -connect emmconsole.com:443

This will output a lot of information about your certificate. Scroll up a bit, since we only need the part labelled “Certificate chain”. Look for this part:

Now let’s take a look into this.

 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=CH/1.3.6.1.4.1.311.60.2.1.2=Basel-Stadt/serialNumber=CHE-148.513.391/C=CH/ST=Basel-Stadt/L=Basel/O=AppTec GmbH/CN=www.emmconsole.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

We have 2 certificates here: the server certificate starting with a 0 (zero) and the intermediate certificate starting with a 1 (one). The s:/ contains the subject information of the certificate itself and the i:/ names its issuer, i.e. the next certificate in the chain.
If the information behind an i:/ is not the same as the information behind the s:/ of the next certificate, your server certificate and your intermediate certificate do not belong together. If this is the case, continue with the problem solution.

Problem solution: First of all, get the correct intermediate certificate from your certificate vendor! In some cases it is sent together with the certificate itself. If this is not the case, check the website of your certificate vendor or contact your vendor directly.
Once you have your correct intermediate certificate, open apptec.conf in Firefox on the virtual machine. This will open the appliance configuration. (Alternatively you can access this from your own computer; see chapter “Configure from external host” in our manual.) Go to step 2.
Depending on your resolution it is possible that you have to scroll down a bit to see the renew button for the intermediate certificate:

Upload your intermediate certificate. Go to step 5 and press “Configure appliance” so the new certificate is applied. Wait 30~60 seconds. Now the correct intermediate certificate should be applied and the connection should work properly!

Problem Description: Usually your server certificate is only one part of a bigger certificate chain.
The big root certificate authorities (aka root CAs) do not sign server certificates themselves. They sign intermediate CAs, i.e. your certificate vendor, which in turn sign your server certificate. For a more detailed explanation click here.
But your device is only aware of the root CAs and only trusts them. Since your server certificate is only signed by your intermediate CA, this alone is not enough. This is why your certificate points to an intermediate certificate which points to the root CA (in rare cases you have 2 intermediate certificates). This is called a certificate chain.
The server delivers the first 2 parts of this chain: your server certificate and the intermediate certificate (you get this from your certificate vendor). The last and most important part, the root CA, is saved on the device.
If the intermediate certificate is wrong and does not belong to your certificate, the certificate chain is broken and the device is not able to determine whether or not your certificate can be trusted.
In rare cases you need two intermediate certificates for this chain to be complete. Some certificate vendors send the 2 required intermediate certificates as 2 separate files, but you can only upload one file as an intermediate certificate.

Is this my Problem?
To find out if this is your problem, we will use OpenSSL, which is already installed on the appliance, so you do not have to install any additional software.
Open the VM so you see the GUI of the machine itself and open a terminal or connect with SSH.

Click the marked button to open a terminal:

In the Terminal enter the following:

openssl s_client -connect my.mdm.server:port

“my.mdm.server” refers to the FQDN of your appliance. You can check this in Step 1 of the appliance configuration under “Hostname” if you are not sure. Example: mdm.apptec360.com
“port” refers to your SSL port. By default this is 443, but you can change this. If you are not sure, you can check this in Step 3 of the appliance configuration under Server Ports -> SSL Port.

Example:

openssl s_client -connect emmconsole.com:443

This will output a lot of information about your certificate. Scroll up a bit, since we only need the part labelled “Certificate chain”. Look for this part:

Now let’s take a look into this.

 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=CH/1.3.6.1.4.1.311.60.2.1.2=Basel-Stadt/serialNumber=CHE-148.513.391/C=CH/ST=Basel-Stadt/L=Basel/O=AppTec GmbH/CN=www.emmconsole.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

We have 2 certificates here: the server certificate starting with a 0 (zero) and the intermediate certificate starting with a 1 (one). The s:/ contains the subject information of the certificate itself and the i:/ names its issuer, i.e. the next certificate in the chain.
As you can see, the order of this chain is also important: each i:/ must match the s:/ of the certificate that follows it.

Do I need a second intermediate certificate?
If you already have 2 intermediate certificate files, skip this and jump to the problem solution.
Maybe you are not sure whether or not you even need a second intermediate certificate. The easiest way is to just ask your certificate vendor.
You can also determine this quite easily by looking at your certificate chain. Compare the i:/ of the first certificate (second line) with the s:/ of the second certificate (third line). If the content is the same, as in our example, check the second i:/ (fourth line). If it mentions the word “Root” or “Root CA”, you do not need any additional certificate and most likely have one of the other problems. If the second i:/ (fourth line) does not mention the word “Root” or “Root CA”, you most likely need an additional intermediate certificate. Contact your certificate vendor.
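The three checks made by hand in this article (is an intermediate present at all, does each i:/ match the next s:/, does the last i:/ name a root CA) can be run over the saved output of the openssl command. This is an added example, not part of the AppTec article; it assumes the one-line DN format shown above and uses a constructed, abbreviated chain excerpt as input.

```python
import re

# Constructed excerpt of the "Certificate chain" block printed by
# "openssl s_client -connect host:port" (the one-line DN style shown in this
# article; the server subject is abbreviated). Not output from a real connection.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=CH/ST=Basel-Stadt/L=Basel/O=AppTec GmbH/CN=www.emmconsole.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust EV RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
"""

SUBJECT_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:/C=CH/..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")           # "   i:/C=US/..."

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(chain):
    """Map the chain onto the three problems this article describes."""
    if not chain:
        return "no certificate chain found"
    if len(chain) == 1:                      # only the server certificate was sent
        return "missing intermediate certificate"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:           # i:/ must equal the next s:/
            return "intermediate certificate does not match"
    # Article's heuristic: the last i:/ should name the root CA. A CA name without
    # "Root" is only a hint that another intermediate is needed; confirm with the vendor.
    if "root" not in chain[-1][1].lower():
        return "additional intermediate certificate probably needed"
    return "chain looks complete"

if __name__ == "__main__":
    print(diagnose(parse_chain(SAMPLE_CHAIN)))
```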

Problem solution:
The easiest way is to just contact your certificate vendor and ask for the intermediate certificates as one file.
First of all, get the intermediate certificates from your certificate vendor! In some cases they are sent together with the certificate itself. If this is not the case, check the website of your certificate vendor or contact your vendor directly.
Once you have your intermediate certificates, you have to determine the correct order of the certificates if your certificate vendor did not give you this information.
Open apptec.conf in Firefox on the virtual machine. This will open the appliance configuration. (Alternatively you can access this from your own computer; see chapter “Configure from external host” in our manual.) Go to step 2.
Depending on your resolution it is possible that you have to scroll down a bit to see the upload/renew button for the intermediate certificate:

Upload one of your intermediate certificates. If the common name contains “Root” or “Root CA”, this is the second intermediate certificate and the not yet uploaded one is the first intermediate certificate. Write this down or rename them accordingly. Otherwise it is the other way around. But to be sure, upload the other one too. If neither of them mentions “Root” or “Root CA”, we recommend contacting your certificate vendor for advice to be completely sure.
Make a backup of your first intermediate certificate and open the original in a text editor. Also open the second intermediate certificate in a text editor.
The content should look like this:

-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIQCyWUIs7ZgSoVoE6ZUooO+jANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
[…]
44JhJgWhBnFMb7AGQkvNq9KNS9dd3GWc17H/dXa1enoxzWjE0hBdFjxPhUb0W3wi
8o34/m8Fxw==
-----END CERTIFICATE-----

Copy the whole content of the second intermediate certificate to the end of the first one, starting on a new line, so that the line directly after “END CERTIFICATE” is “BEGIN CERTIFICATE”. Save this and upload your complete intermediate certificate. Go to step 5 and press “Configure appliance” so the new certificate is applied. Wait 30~60 seconds. Now the intermediate certificate should be applied and the connection should work properly!
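The manual copy-and-paste step above is easy to get subtly wrong (a missing line break between the two blocks, a file that already holds two certificates, or BEGIN/END markers whose dashes were turned into typographic dashes by a browser or word processor). The following is an added example, not part of the AppTec article, that builds the combined file and rejects those malformed inputs; the two certificates are constructed placeholders, not real certificates.

```python
import re

# Matches exactly one PEM certificate block with the real ASCII "-----" markers.
# Typographic dashes produced by some editors when copying do not match.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)

def extract_certificate(pem_text):
    """Return the single certificate block found in pem_text (CRLF normalised to LF).
    Raises ValueError if the file holds zero or several blocks, or if the
    BEGIN/END markers are malformed (for example typographic dashes)."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
    return blocks[0].replace("\r\n", "\n")

def build_intermediate_bundle(first_pem, second_pem):
    """Join the first intermediate (the one that signed the server certificate)
    and the second intermediate (the one signed by the root CA) into one file,
    so that the line directly after END CERTIFICATE is BEGIN CERTIFICATE."""
    return extract_certificate(first_pem) + "\n" + extract_certificate(second_pem) + "\n"

# Constructed placeholder files: the base64 bodies are dummy data, not real DER.
FIRST_PEM = "-----BEGIN CERTIFICATE-----\nMIIBdummyFirstIntermediate==\n-----END CERTIFICATE-----\n"
SECOND_PEM = "-----BEGIN CERTIFICATE-----\r\nMIIBdummySecondIntermediate=\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    print(build_intermediate_bundle(FIRST_PEM, SECOND_PEM), end="")
```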