71004: Acronis Cyber Protect Cloud: Update/Registration fails due Let's Encrypt certificate without cross-sign

use Google Translate

Operating Systems: 

    Last update: 23-11-2022

    The article describes two issues that have a common cause.

    On September 30, 2021, the Let's Encrypt old root certificate [DST Root CA X3] expired. 

    Let's Encrypt introduced a new root certificate [ISRG Root X1] in advance, but for compatibility with the old devices that don't receive updates anymore they also implemented a cross-signature for the old root certificate [DST Root CA X3].


    Scenario #1 - Update/Installation


    • "Certificate from CUSTOM_URL did not pass the verification." when Installing agent components on multiple tenants and machines.


    Scenario #2 - Registration

    • You have enabled the Custom URL branding by using the Let's Encrypt certificate
    • The registration using the branded URL fails with the following error message:

        "msg" : "ensure agent registration: setting up registration state: datacenter discovery: Get https://*CUSTOM_URL*/api/l/accounts?login=USERNAME: x509: certificate signed by unknown authority"


    • As part of troubleshooting, you attempt the registration with the default URL and receive this error:

         "msg" : "ensure agent registration: setting up registration state: setting user token: Post https://it01-cloud.acronis.con/api/2/idp/token: x509: certificate signed by unknown authority"



    The problem appears on Windows machines with lazy certificate loading which is invoked only when browser access a web page with given certificate, more information can be found in this article.

    Acronis Agent installer needs to 'invoke' all root certificates lazy load by calling the following command line for every url:

    1. https://dl.managed-protection.com/
    2. embedded agent registration URL


    This issue is resolved.

    More information

    If the issue persists, please collect the following and contact Acronis Support:

    1. Output of the registration command
    2. Output of openssl s_client -showcerts -connect CUSTOM_URL:443 (see this article
    3. Output of certificates via Powershell: Get-ChildItem Cert:\LocalMachine\Root | ft