A customer sees the following in CEM agent logs while testing a new CEM implementation:
Operation 'CEM: Connect' failed.
Original host: NotificationServer.org:443
Real host: InternetGateway.org:443
Error type: TLS Handshake error
Error code: The certificate chain was issued by an authority that is not trusted (0x80090325)
Error note: 'InternetGateway.org' server's certificate is not valid, thumbprint mismatch
Gateway HTTPS connection info:
Serial number: [Serial number here]
Thumbprint: [Thumbprint here]
In at least one occurrence of this issue, the thumbprint listed in the CEM agent error did not match the thumbprint of any certificate in the customer's environment.
Another possible symptom is that agents can connect through the Internet Gateway while on the internal network but fail with the error above once they are outside it.
The cause was a DNS name resolution problem. The customer had an incorrect public IP address assigned to the Internet Gateway name in external DNS. Internal DNS was correct, so while connected internally the agents resolved the Internet Gateway name to the right IP address and connected without error.
Because the public name resolved to the wrong address, the certificate the agent tried to verify was not the Internet Gateway's certificate at all. The agent reached some other publicly reachable device at that address and compared the expected Internet Gateway thumbprint with the thumbprint of whatever certificate that device presented, which is why the thumbprint in the error did not match anything in the customer's environment.
Update the external (and, if necessary, internal) DNS records so that the Internet Gateway name resolves to the correct public IP address. Then confirm the fix from a host outside the internal network: resolve the name, connect to the resolved address on port 443, and compare the thumbprint of the certificate presented with the thumbprint of the certificate actually installed on the Internet Gateway.
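The check described above, as an added diagnostic script (not Symantec/Broadcom code and not part of the original article). It resolves the gateway name with whatever resolver the current host uses, fetches the certificate presented by each resolved address (or by an address you supply, so the same name can be tested against the internal and the public IP), and compares its thumbprint with the one you expect. It assumes the thumbprint is the Windows-style SHA-1 of the DER certificate; the hostname, port and expected thumbprint on the command line are placeholders for your own values.

```python
"""Diagnose a CEM Internet Gateway thumbprint mismatch (added example).

Run once from the internal network and once from the internet. In the
failure described in the article the external run reaches a different
device and reports "thumbprint-mismatch", while the internal run reports "ok".
"""
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Optional


def normalize_thumbprint(thumbprint: str) -> str:
    """Canonicalise a thumbprint copied from MMC, the agent log or openssl:
    drop colons and spaces, upper-case the hex."""
    return "".join(ch for ch in thumbprint if ch.isalnum()).upper()


def sha1_thumbprint(der_cert: bytes) -> str:
    """The Windows 'Thumbprint' field is the SHA-1 of the DER-encoded
    certificate (assumption: the agent log uses the same value)."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def thumbprints_match(a: str, b: str) -> bool:
    return normalize_thumbprint(a) == normalize_thumbprint(b)


def resolve_all(hostname: str) -> List[str]:
    """IPv4 addresses the *current* resolver returns for the name. The
    article's fault is this answer differing between inside and outside."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_presented_cert(address: str, port: int, server_name: str,
                         timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate presented by whatever answers at
    address:port. Verification is deliberately disabled: the point is to see
    the certificate even when it is untrusted or belongs to another device."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def classify(expected_thumbprint: str, presented_thumbprint: Optional[str]) -> str:
    """Map the comparison to a verdict string."""
    if presented_thumbprint is None:
        return "no-tls-answer"
    if thumbprints_match(expected_thumbprint, presented_thumbprint):
        return "ok"
    return "thumbprint-mismatch"


def check_gateway(hostname: str, port: int, expected_thumbprint: str,
                  address: Optional[str] = None) -> List[Dict[str, Optional[str]]]:
    """Resolve the name (unless an address is given), fetch the certificate
    from each address and compare. Returns one record per address."""
    addresses = [address] if address else resolve_all(hostname)
    results = []
    for addr in addresses:
        try:
            presented: Optional[str] = sha1_thumbprint(
                fetch_presented_cert(addr, port, hostname))
        except (OSError, ssl.SSLError):
            presented = None  # nothing listening, or no TLS at that address
        results.append({"address": addr, "presented": presented,
                        "verdict": classify(expected_thumbprint, presented)})
    return results


if __name__ == "__main__":
    # Usage: check_gateway.py <gateway name> <port> <expected thumbprint> [address]
    if len(sys.argv) < 4:
        sys.exit("usage: check_gateway.py HOST PORT EXPECTED_THUMBPRINT [ADDRESS]")
    host, port_arg, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    addr_arg = sys.argv[4] if len(sys.argv) > 4 else None
    for rec in check_gateway(host, port_arg, expected, addr_arg):
        print(f"{host} -> {rec['address']}: presented={rec['presented']} {rec['verdict']}")
```

Give the script the gateway name, port 443 and the thumbprint of the certificate installed on the Internet Gateway; a "thumbprint-mismatch" verdict from the external run together with "ok" from the internal run points at the DNS record rather than at the gateway's certificate.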