The article describes two issues that have a common cause.
On September 30, 2021, the Let's Encrypt old root certificate [DST Root CA X3] expired.
Let's Encrypt introduced a new root certificate [ISRG Root X1] in advance, but for compatibility with the old devices that don't receive updates anymore they also implemented a cross-signature for the old root certificate [DST Root CA X3].
Symptoms
Scenario #1 - Update/Installation
- The auto-update fails with "Failed to download the installation file from the management server at https://dl.managed-protection.com/u/baas/4.0/15.0.29805/AcronisCyberProt...
OR
- "Certificate from CUSTOM_URL did not pass the verification." when Installing agent components on multiple tenants and machines.
Scenario #2 - Registration
- You have enabled the Custom URL branding by using the Let's Encrypt certificate
- The registration using the branded URL fails with the following error message:
"msg" : "ensure agent registration: setting up registration state: datacenter discovery: Get https://*CUSTOM_URL*/api/l/accounts?login=USERNAME: x509: certificate signed by unknown authority"
- As part of troubleshooting, you attempt the registration with the default URL and receive this error:
"msg" : "ensure agent registration: setting up registration state: setting user token: Post https://it01-cloud.acronis.con/api/2/idp/token: x509: certificate signed by unknown authority"
Cause
The problem appears on Windows machines with lazy certificate loading which is invoked only when browser access a web page with given certificate, more information can be found in this article.
Acronis Agent installer needs to 'invoke' all root certificates lazy load by calling the following command line for every url:
1. https://dl.managed-protection.com/
2. embedded agent registration URL
This issue is resolved.
More information
If the issue persists, please collect the following and contact Acronis Support:
- Output of the registration command
- Output of openssl s_client -showcerts -connect CUSTOM_URL:443 (see this article)
- Output of certificates via Powershell: Get-ChildItem Cert:\LocalMachine\Root | ft