21.0 upgraded UNIX won't start | certificate verify failed (SSL routines, tls_process_server_certificate))
search cancel

21.0 upgraded UNIX won't start | certificate verify failed (SSL routines, tls_process_server_certificate))


Article ID: 247209


Updated On:


CA Automic Workload Automation - Automation Engine CA Automic One Automation


After upgrading a Linux agent from 12.3 to 21.0, the agent will not start. the logfile shows the following:

U02000072 Connection to system ‘SYSTEM’ initiated.
U02000379 Initiating connection to server ‘SYSTEM’ using websocket URI: SERVERNAME:8443/agent’.
U02000377 Certificate loading from file …

U02000398 Loading certificated from the directory ‘./security’ that is specified in the parameter ‘AgentSecurityFolder’.\
U02000376 Could not parse certificate ‘./security/AGENTNAME.pem’. Please make sure that the certificated in PEM format.
U02000313 Communication error with partner ‘*SERVER’, error: ‘TLS-handshake/337047585(certificate verify failed (SSL routines, tls_process_server_certificate))’.
U02000010 Connection to Server ‘SYSTEM/unknown’ terminated.
U02000010 Connection to server ‘SYSTEM/[IP ADDRESS]:8443’ terminated.
U02000074 Connecting to system ‘SYSTEM’ is not possible.
U02003073 Agent Prozess ‘AGENT,PID=136418’ shutdown has been initiated.
U02000041 Shutdown agent ‘AGENTNAME’.
U02000002 Agent ‘AGENTNAME’ version ’21.0.3+hf.1.build.23’ ended abnormally


The agent originally showed up in the Administration perspective as 12.3.  After deleting the agent from the AWI, the error persists.


Release : 21.0

Component: Automation Engine

Sub-Component: Agent Unix


Three possible causes:

Missing SAN (DNS) in the Server Certificate in SSLCertDir
The agent's ini file has an incorrect or missing trustedCertFolder= setting being used to connect to the JCP
There is a missing intermediary or root certificate
Keystore is in the wrong format (JKS vs PKCS12)

To see more information about the certificate, go to the server the JCP is on and run the following command:

keytool -v -list -keystore [full path to where the keystore is located]\[keystore filename and extension]


The certificates SAN needed to include:

IP Address for the AE server
Servername for the AE server
Fully qualified domain name (FQDN) fro the AE server

Intermediary and root certificate (if used an Internal CA or self-signed) should be present as well on the SSLCertDir or trustedCertFolder

trustedCertFolder= must be the correct folder where the certificate that matches the JCP keystore is located