The Remote Certificate Is Invalid Because Of Errors In The Certificate Chain: UntrustedRoot

When trying to connect the Robot to Orchestrator via the machine key option, the below error is encountered: "RemoteException wrapping System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot"

Scenario 1: Most likely, Orchestrator is using a self-signed certificate, and this certificate must be imported to the Robot machine as well. Usually, the error shown in the Assistant when connecting the Robot to Orchestrator refers to the Orchestrator certificate (most likely a self-signed one) not being present on the Robot machine.

Fix this by importing the certificate into the Robot machine, following the steps below:

  1. Access the Orchestrator URL in a browser window.
  2. Click on the secure/not secure prompt near the URL.
  3. Open the certificate.
  4. Go to the Details tab, click Export, and save the certificate in a location of your choice.
  5. Open certlm.msc, right-click the Personal folder > All Tasks > Import, select the previously exported certificate and import it.
  6. In the same window, right-click the Trusted Root Certification Authorities folder > All Tasks > Import, select the previously exported certificate and import it again.
  7. Now try connecting the Robot again; the error should no longer be present.


Scenario 2: The error is observed in a scenario where the Orchestrator certificate is not expired.
  1. Check whether proxy environment variables (e.g. HTTPS_PROXY) are defined even though there is no proxy in the environment.
  2. To access the environment variables:
  • In Windows 11, go to Settings > System > About > Advanced system settings > Environment Variables.
  • In Windows 10, access them through the Control Panel or by right-clicking on This PC and selecting Properties.


Scenario 3: If a network device such as a firewall or VPN sits between the Robot and Orchestrator and is inspecting the traffic, the certificate of the network device needs to be installed in the Trusted Root Certification Authorities folder of the Robot machine for the connection to Orchestrator to be successful.

Steps to follow in this case:
  1. Log in to your Orchestrator in a browser.
  2. Follow steps 2 and 3 from Scenario 1 and open the General tab. For example, the browser may show a certificate issued by Fortinet for Automation Cloud.
  3. Go to the Details tab and follow step 4 in Scenario 1. Save the certificate to the Desktop. Double-click to open it, go to Certification Path and check.
  4. FortiGate appears in the certification path here. Select FortiGate and open the certificate.
  5. Go to Details and export this certificate to the Desktop. Copy this certificate to the Robot/Studio machine.
  6. Follow step 6 from Scenario 1.
  7. Restart the machine.
  8. Now connect the Robot to Orchestrator.

Here the network device acts as a web server to the Robot and as a web client to Orchestrator. So, install the network device's certificate in the Trusted Root Certification Authorities folder of the Robot machine.

Note: Any CA other than our standard one would indicate that there is a monitoring application or network appliance in the path, and the CA certificate from it has to be installed on all the Robot machines.

Automation Cloud: The standard certificate for Automation Cloud is currently issued by Let's Encrypt.

On-Prem Orchestrator: Anything other than whatever is configured in IIS or the load balancer.
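
A PowerShell check to run on the Robot machine to tell the three scenarios apart: it lists proxy variables and prints the certificate chain the machine is actually presented with, including whether the top certificate is already in Trusted Root. This is an added example, not UiPath tooling; the URL is a placeholder, the connection is made directly rather than through any configured proxy, and the variable names other than HTTPS_PROXY are the conventional proxy names, not taken from this article.

```powershell
# Added example. $OrchestratorUrl is a placeholder; replace it with your own URL.
$OrchestratorUrl = 'https://orchestrator.example.local'

# Scenario 2: proxy variables at every scope the Robot could inherit them from.
foreach ($name in 'HTTP_PROXY', 'HTTPS_PROXY', 'ALL_PROXY', 'NO_PROXY') {
    foreach ($scope in 'Process', 'User', 'Machine') {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        if ($value) { '{0} ({1}) = {2}' -f $name, $scope, $value }
    }
}

# Scenarios 1 and 3: record the chain this machine is presented with.
# The callback returns $true only so that an untrusted chain can be inspected;
# no application data is sent on this connection.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $errors)
    $script:PolicyErrors = $errors
    $script:ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $script:Elements     = @(foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            Thumbprint = $el.Certificate.Thumbprint
            NotAfter   = $el.Certificate.NotAfter
        }
    })
    $true
}

$uri = [Uri]$OrchestratorUrl
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($uri.Host, $uri.Port)   # direct connection, no proxy involved
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($uri.Host, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

"Policy errors: $PolicyErrors"
"Chain status : $($ChainStatus -join ', ')"
$Elements | Format-List   # leaf first, top of chain last

# Top of the chain: is it already in the machine's Trusted Root store?
$top    = $Elements[-1]
$inRoot = Test-Path -Path ('Cert:\LocalMachine\Root\' + $top.Thumbprint)
"Top of chain: $($top.Subject) (in LocalMachine\Root: $inRoot)"
```

Compare the Issuer and Thumbprint values printed here with the certificate exported in the browser steps before importing anything into Trusted Root.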