The article describes two issues that have a common cause.

On September 30, 2021, the Let's Encrypt old root certificate [DST Root CA X3] expired. 

Let's Encrypt introduced a new root certificate [ISRG Root X1] in advance, but for compatibility with the old devices that don't receive updates anymore they also implemented a cross-signature for the old root certificate [DST Root CA X3].

Symptoms

Scenario #1 - Update/Installation

• The auto-update fails with "Failed to download the installation file from the management server at https://dl.managed-protection.com/u/baas/4.0/15.0.29805/AcronisCyberProt...

OR

• "Certificate from CUSTOM_URL did not pass the verification." when Installing agent components on multiple tenants and machines.

 

Scenario #2 - Registration

• You have enabled the Custom URL branding by using the Let's Encrypt certificate
• The registration using the branded URL fails with the following error message:

    "msg" : "ensure agent registration: setting up registration state: datacenter discovery: Get https://*CUSTOM_URL*/api/l/accounts?login=USERNAME: x509: certificate signed by unknown authority"

Full error message

C:\Program Files\BackupClient\RegisterAgentTool>register_agent.exe -o register -cloud -a https://*CUSTOM_URL* -u USERNAME -p PASSWORD  
level=err; message=akk error: Internal server error has occurred, http = .httpCode = 500, .domain = AGENT_CORE, .code = UNKNOWN_CA
Failed
500
    "code” = "UNKNOWN_CA",
    "debug” :
    {
    "msg" : "ensure agent registration: setting up registration state: datacenter discovery: Get https://*CUSTOM_URL*/api/l/accounts?login=USERNAME: x509: certificate signed by unknown authority"
    "domain" : "AGENT_CORE"

 

• As part of troubleshooting, you attempt the registration with the default URL and receive this error:

     "msg" : "ensure agent registration: setting up registration state: setting user token: Post https://it01-cloud.acronis.con/api/2/idp/token: x509: certificate signed by unknown authority"

Full error message

C:\Program Files\BackupClient\RegisterAgentTool>register_agent.exe -o register -cloud -a https://cloud.acronis.com -u USERNAME -p PASSWORD
level=err; message=akk error: Internal server error has occurred, http = .httpCode = 500, .domain = AGENT_CORE, .code = UNKNOWN_CA
Failed
500
    "code” = "UNKNOWN_CA",
    "debug” :
    {
    "msg" : "ensure agent registration: setting up registration state: setting user token: Post https://it01-cloud.acronis.com/api/2/idp/token: x509: certificate signed by unknown authority"
    },
    "domain" : "AGENT_CORE"

 

Cause

The problem appears on Windows machines with lazy certificate loading which is invoked only when browser access a web page with given certificate, more information can be found in this article.

Acronis Agent installer needs to 'invoke' all root certificates lazy load by calling the following command line for every url:

1. https://dl.managed-protection.com/
2. embedded agent registration URL

 

This issue is resolved.

More information

If the issue persists, please collect the following and contact Acronis Support:

1. Output of the registration command
2. Output of openssl s_client -showcerts -connect CUSTOM_URL:443 (see this article) 
3. Output of certificates via Powershell: Get-ChildItem Cert:\LocalMachine\Root | ft