The .NET agent (version 20.11.0.20 (Build 990020)) fails to connect to the Cloud Proxy, and the agent log shows:
[VERBOSE] [IntroscopeAgent.ConnectionThread] Attempting to connect to Introscope Enterprise Manager dx-apm-proxy-proving.vip.companyname.net:443,com.wily.isengard.postofficehub.link.net.HttpsTunnelingSocketFactory (3).
[ERROR] [IntroscopeAgent.Agent] SSL Certificate Error: RemoteCertificateNameMismatch. The connection will be rejected. To ignore this error set agentManager.ssl.certPolicy=AcceptLogError
[WARN] [IntroscopeAgent.ConnectionThread] Failed to connect to the Introscope Enterprise Manager at dx-apm-proxy-proving.vip.companyname.net:443,com.wily.isengard.postofficehub.link.net.HttpsTunnelingSocketFactory (3).
[WARN] [IntroscopeAgent.ConnectionThread] System.Exception: The HTTP Tunneling server cannot be reached at: https://dx-apm-proxy-proving.vip.companyname.net:443/em/transport/services/IsengardHttpTunnelingService ---> System.Net.WebException: The HTTP Tunneling server cannot be reached at: https://dx-apm-proxy-proving.vip.companyname.net:443/em/transport/services/IsengardHttpTunnelingService ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
[DEBUG] [IntroscopeAgent.Agent]
System.Exception: The HTTP Tunneling server cannot be reached at: https://dx-apm-proxy-proving.vip.companyname.net:443/em/transport/services/IsengardHttpTunnelingService ---> System.Net.WebException: The HTTP Tunneling server cannot be reached at: https://dx-apm-proxy-proving.vip.companyname.net:443/em/transport/services/IsengardHttpTunnelingService ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at com.wily.isengard.postofficehub.link.http.client.HttpResponse..ctor(HttpRequest request)
at com.wily.isengard.postofficehub.link.http.client.HttpRequest.get_Response()
at com.wily.isengard.postofficehub.link.http.client.CommonsHttpTunnelingClient.connect2(String host)
--- End of inner exception stack trace ---
at com.wily.isengard.postofficehub.link.http.client.CommonsHttpTunnelingClient.connect2(String host)
at com.wily.isengard.postofficehub.link.http.client.CommonsHttpTunnelingClient.connect()
at com.wily.isengard.postofficehub.link.http.client.CommonsHttpTunnelingClient.connect(ProxyConfiguration config)
at com.wily.isengard.postofficehub.link.http.client.HttpTunnelingClientLifecycleManager..ctor(HttpTransportAdapter transportAdapter, IModuleFeedbackChannel feedback, IndexedProperties properties)
at com.wily.isengard.postofficehub.link.HttpOutgoingConnection.connect(String groupName, String credential)
at com.wily.isengard.postoffice.PostOfficeHub.connectToServerHub(Int64 timeout, String groupName, String credential, TransportConfiguration transportConfig, ServerInstanceLocator serverLocator)
at com.wily.isengard.postoffice.PostOfficeHub.connectToServerHub(Int64 timeout, String groupName, String credential, ServerInstanceLocator serverLocator)
at com.wily.isengard.api.IsengardClient.connect(Int64 timeout)
at com.wily.isengard.api.IsengardClient.connect()
at com.wily.introscope.agent.connection.IsengardClientConnection.connect()
at com.wily.introscope.agent.connection.IsengardServerConnectionManager.connectInternalAdvanced(ServerInstanceLocator serverLocator, Boolean hasFallbacks)
--- End of inner exception stack trace ---
at com.wily.introscope.agent.connection.IsengardServerConnectionManager.connectInternalAdvanced(ServerInstanceLocator serverLocator, Boolean hasFallbacks)
at com.wily.introscope.agent.connection.ConnectionThread.attemptAdvancedConnection(Boolean firstConnectionAttempt)
It seems there could be the following reasons why the Cloud Proxy cert is not trusted by the agent:
1) The cert was signed by an authority (CA) unknown to .NET. (It is a company CA, not a public one.)
2) The cert CN does not provide the exact Cloud Proxy host name.
Questions:
Are both of the above possible causes, and is there any way to distinguish between them?
Will try the suggestion from the above messages to set agentManager.ssl.certPolicy=AcceptLogError as a workaround.
Release : SAAS
Component : Integration with APM
The error message indicates that the agent cannot trust the certificate.
To skip SSL checking on the cert, add the following property to the agent profile, as described in the KB article below:
agentManager.ssl.certPolicy=AcceptLogError
https://knowledge.broadcom.com/external/article?articleId=236826
The .NET Agent log captures some information about the error, e.g. "System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure", and, in DEBUG mode, the exception call stack.
For additional details on the certificate problem or validation, the user may consider trying other external utilities such as curl, telnet, or even a browser to connect to the cloud proxy URL with the intended certificate.
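One way to tell the two suspected causes apart from the agent log alone, as an added example (not Broadcom's code): the value after "SSL Certificate Error:" matches a member name of .NET's `SslPolicyErrors` enum, where `RemoteCertificateNameMismatch` is a host-name problem and `RemoteCertificateChainErrors` is a chain/CA problem. It is an assumption that the agent prints that enum's text form; the second log sample and the certificate names are constructed for illustration.

```python
import re

# Members of .NET's System.Net.Security.SslPolicyErrors and what each one points to.
CAUSES = {
    "RemoteCertificateNameMismatch": "cause 2: certificate names do not cover the host",
    "RemoteCertificateChainErrors": "cause 1: chain validation failed (e.g. CA not trusted)",
    "RemoteCertificateNotAvailable": "server presented no certificate",
}
# Assumption: the agent logs the enum's text form, comma-separated when several flags are set.
ERROR_RE = re.compile(r"SSL Certificate Error: ([A-Za-z, ]+)\.")
HOST_RE = re.compile(r"Attempting to connect to Introscope Enterprise Manager ([^:\s]+):\d+")

def triage(log_text):
    """Return (host the agent dialed, sorted SslPolicyErrors flag names) from agent log text."""
    host, flags = None, set()
    for line in log_text.splitlines():
        if (m := HOST_RE.search(line)):
            host = m.group(1)
        if (m := ERROR_RE.search(line)):
            flags.update(name.strip() for name in m.group(1).split(","))
    return host, sorted(flags)

def name_covers(host, cert_name):
    """Exact match, or a leading '*.' standing for exactly one left-most label."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

# The two log lines from this page, then a constructed variant with both flags set.
PAGE_LOG = """\
[VERBOSE] [IntroscopeAgent.ConnectionThread] Attempting to connect to Introscope Enterprise Manager dx-apm-proxy-proving.vip.companyname.net:443,com.wily.isengard.postofficehub.link.net.HttpsTunnelingSocketFactory (3).
[ERROR] [IntroscopeAgent.Agent] SSL Certificate Error: RemoteCertificateNameMismatch. The connection will be rejected. To ignore this error set agentManager.ssl.certPolicy=AcceptLogError
"""
BOTH_LOG = PAGE_LOG.replace("NameMismatch.", "NameMismatch, RemoteCertificateChainErrors.")
# Constructed certificate names, as they might be read from the proxy certificate's SAN list.
CERT_NAMES = ["dx-apm-proxy.vip.companyname.net", "*.companyname.net"]

if __name__ == "__main__":
    for label, log in (("page log", PAGE_LOG), ("constructed log", BOTH_LOG)):
        host, flags = triage(log)
        print(label, "->", host)
        for flag in flags:
            print("   ", flag, "=", CAUSES.get(flag, "unrecognized value"))
    host, _ = triage(PAGE_LOG)
    for name in CERT_NAMES:
        print(name, "covers host:", name_covers(host, name))
```

For the log on this page only the name-mismatch flag is reported, so comparing the certificate's names against the exact host in the agent profile is the first check.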