Protection Engine Enrollment fails due to an untrusted certificate
search cancel

Protection Engine Enrollment fails due to an untrusted certificate

book

Article ID: 202820

calendar_today

Updated On:

Products

Protection Engine for Cloud Services Protection Engine for NAS

Issue/Introduction

When enrolling your Symantec Protection Engine (SPE) server to the cloud console via the command line or enroll.bat, the enrollment fails with error "Failed to start Symantec CAF service."

  • Using Enroll.bat fails with the error: Failed to start Symantec CAF service.
  • cafagent.log contains the following:
cafservice.CAFEnrollManager | Error | caf::CAFEnrollManager::EnrollDevice::<lambda_>::operator ():111 | Error details: {"0":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":-2146893019,"2":"The certificate chain was issued by an authority that is not trusted.\r\n"}},"1":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":-2146893019,"2":"The certificate chain was issued by an authority that is not trusted.\r\n"}},"2":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":-2146893019,"2":"The certificate chain was issued by an authority that is not trusted.\r\n"}},"3":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":-2146893019,"2":"The certificate chain was issued by an authority that is not trusted.\r\n"}},"4":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":-2146893019,"2":"The certificate chain was issued by an authority that is not trusted.\r\n"}},"5":{"0":"ProxyModeDisabled (16)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":-2146893019,"2":"The certificate chain was issued by an authority that is not trusted.\r\n"}},"6":{"0":"ProxyModeAutoDetect (2)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":-2146893019,"2":"The certificate chain was issued by an authority that is not trusted.\r\n"}}}

  • A packet capture of the enrollment process shows a failed TLS handshake. The certificate from the TLS handshake appears to be issued by your firewall.

Resolution

This issue is resolved in SPE 8.2.2.

If you are a new customer trying to enroll in Cloud console, please open a Support case for further assistance.

    •