On-prem servers can't connect to Azure Automation anymore because of certificate problem

jeja 45 Reputation points
2023-07-11T14:23:37.6133333+00:00

Hello,

We have been using Azure Update Management to patch our on-prem servers monthly for a few years. The Log Analytics Agent with Hybrid Runbook Worker is installed on the on-prem machines, which use a Log Analytics Gateway as a proxy for the connection.

For a few weeks now, the servers have not been visible in Azure anymore and appear as "Disconnected".

When checking the Operations Manager event log on the on-prem servers, we regularly see events 4001 with the following statement:

"Connecting to the service opinsightsweuomssa.blob.core.windows.net failed. Please check that the computer has Internet access or that a HTTP proxy has been configured for the system. The query will be retried later. The article KB3126513 has additional troubleshooting information for connectivity issues. "

We can also see events with ID 1230 and the statement

"New configuration cannot be loaded, the error is 0x80FF0036(0x80FF0036). Management group xxxx "

On the gateway side, we can see in the log events 106 with the following statement

"2023-07-08 05:16:26 [11] ERROR TcpConnection - Server certificate chain does not include a trusted root certificate. Cert count in chain: 3. Root cert: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US"

followed by an event stating that a suspicious connection was closed.

On the gateway, we tried to manually install the 4 intermediate certificates for DigiCert Global Root G2 as described in https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-authority-details

But this did not solve the problem; we get events 4004 with the following error:

HTTP operation failed with error "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." (0x800B0109). The query will be retried later. The article KB3126513 has additional troubleshooting information for connectivity issues.

Can you please help? Thank you!


Accepted answer
AnuragSingh-MSFT 18,586 Reputation points
2023-07-12T06:17:56.32+00:00

@jeja, thank you for sharing detailed information about the issue. You seem to be on the right track. The main issue here seems to be related to the following as mentioned in your question:

On the gateway side, we can see in log events 106 with following statement "2023-07-08 05:16:26 [11] ERROR TcpConnection - Server certificate chain does not include a trusted root certificate. Cert count in chain: 3. Root cert: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US"

When installing the certificate on the Gateway Server from the link as shared (Azure Certificate Authority details), ensure that you are using the Store location as "Local Machine" as shown below:

[Screenshot omitted: certificate import dialog with Store Location set to "Local Machine"]

Hope this helps.

In case the solution above does not help, I would suggest creating a support ticket, so that it can be investigated 1:1 by one of our support engineers. Please let me know if you face issues creating the support ticket.
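To verify the fix the accepted answer describes, the following PowerShell script (an added example, not from the original post or from Microsoft's documentation) checks whether the DigiCert Global Root G2 certificate is present in the Local Machine stores rather than only the Current User stores, and then builds the TLS chain for the blob endpoint named in the event 4001 text the way the gateway service would see it. It assumes it is run in an elevated session on the Log Analytics Gateway host with outbound HTTPS access to that endpoint.

```powershell
# Added example: check root certificate store placement and the server chain.
# Not part of the original Q&A; assumes execution on the gateway host itself.

$rootSubject = 'CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US'
$endpoint    = 'opinsightsweuomssa.blob.core.windows.net'   # host from the event 4001 text

# 1. The gateway runs as a service under a machine account, so a root installed
#    only in CurrentUser (the import wizard's default) is invisible to it.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $found = Get-ChildItem "Cert:\$location\Root", "Cert:\$location\CA" -ErrorAction SilentlyContinue |
             Where-Object { $_.Subject -eq $rootSubject }
    $status = if ($found) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-13} Root/CA stores: {1}" -f $location, $status)
}

# 2. Open a TLS session and build the chain with the machine's own trust settings.
function Test-ServerChain {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate in the callback so the handshake completes;
        # the trust decision is made explicitly by X509Chain.Build below.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust errors from revocation lookups
        $trusted = $chain.Build($leaf)
        $last = $chain.ChainElements.Count - 1
        [pscustomobject]@{
            Host        = $HostName
            ChainLength = $chain.ChainElements.Count
            Root        = $chain.ChainElements[$last].Certificate.Subject
            Trusted     = $trusted
            # An 'UntrustedRoot' status here matches the 0x800B0109 error in the question.
            Errors      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }
}

Test-ServerChain -HostName $endpoint | Format-List
```

If LocalMachine reports MISSING while CurrentUser reports present, the root was imported into the wrong store; re-import it with Store Location set to Local Machine and re-run the script until Trusted is True and Errors is empty.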

