App Control: Download Failures Due To WinHttpSendRequest Error 12175
search cancel

App Control: Download Failures Due To WinHttpSendRequest Error 12175

book

Article ID: 286480

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Agent upgrade attempts generating errors when downloading, similar to:
    	Error: Failed to download upgrade package: https://ServerAddress/hostpkg/pkg.php?pkg=/ParityHostAgent.msi. WinHttpSendRequest Error[12175:]
  • Miscellaneous files from Resource Download Location (RDL) fail to download, similar to:
    Failed to download Server Cert List file from URL [https://ServerAddress/hostpkg/pkg.php?pkg=TrustedCertList.pem]: Error[WinHttpSendRequest Error[12175:]

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions

Cause

The SSL Certificate bound to the Resource Download Location specified is invalid (expired, incorrect Common Name, Untrusted Root, etc).
ERROR_WINHTTP_SECURE_FAILURE: 12175
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.

Resolution

  1. Verify the Resource Download Location in System Configuration > Advanced is still accurate, and contains the necessary files.
  2. Verify the IIS Certificate bound to Port 443 is not expired, and formatted correctly:
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  3. Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
  4. Verify the TLS protocol on the App Control Server and Agents 
  5. Verify whether a Proxy or other Network Appliance is between the Agents and App Control Server.
    • If a certificate exists on the Proxy or other Network Appliance, it must be imported & Trusted in the Trusted Communication Certificates list.
    • If SSL Inspection is enabled the Agents will reject the modified packets.
    • If any other authentication (such as 2FA) is enabled for network traffic on ports 41002 or 443 the Agents may fail to properly communicate.
  6. If the issue persists, the certificate may need to be manually imported on the endpoints.

Additional Information

  • In some installations the Resource Download Location can be modified to use http:// instead of the https:// although this configuration is not recommended for security purposes.
  • More details on WinHTTP Errors can be found here.