How to resolve the error "The remote certificate is invalid according to the validation procedure"?
Issue Description: "The remote certificate is invalid according to the validation procedure" while trying to connect a Robot to Orchestrator.
Diagnosing Procedure:
- Open a browser and go to the Orchestrator URL
- If the certificate is self-signed, the browser will show a 'Not secure' icon in the address bar.
- If that message is present (its appearance varies depending on the browser), click the 'Not secure' icon and view the certificate.
- Check whether the certificate is trusted. The certificate viewer shows a warning for an invalid (untrusted) certificate.
- If the certificate is not trusted, go to the section Importing Self-Signed Certificates
- After adding the certificate to the trust store (if needed) re-open the browser and go back to the Orchestrator URL.
- Check whether the Orchestrator URL still shows 'Not Secure'. (It is important to close the browser completely and then re-open it; if this is not done, it will still show 'Not secure'.)
- If the Orchestrator URL still shows 'Not Secure' but there is no warning that has to be accepted, the warnings need to be re-enabled.
- Re-enable the security warnings
- In most browsers this can be found by clicking the 'Not Secure' icon (Or it might just be a lock icon with a warning)
- Usually the browser shows a warning that the site's certificate is not trusted.
- Once warnings are re-enabled, go to the site, and click the Advanced option. Once this is done, it should show the exact reason why the certificate is not trusted.
- If the error is something like NET::ERR_CERT_COMMON_NAME_INVALID, go to the section Common Name Invalid.
- The error might reveal the issue, but if it does not, please open a ticket with UiPath Support so they can assist. When opening a ticket, please include the following:
- Screenshot of the certificate warning in the browser (if any)
- Robot Event viewer logs
- eventvwr -> Applications: all logs around the time the issue occurred.
Common Name Invalid
- This means that the domain name of the site being accessed does not have a corresponding entry in the certificate's Subject Alternative Name (SAN) attribute.
- In the past, a certificate only required the domain name of the site being accessed to appear in the Subject/Common Name field; however, this changed with RFC2818. Sometime in 2020 all browsers started supporting this requirement.
- Open up the certificate as described in Step 3 of the Diagnosing section.
- Next, in the dialog window, go to the 'Details' section
- Look for the Subject Alternative Name attribute. The Orchestrator domain name should be listed there.
- For example, if the Orchestrator domain name is orch.uipath.com, there should be an entry that says: DNS Name=orch.uipath.com
- If the name is not present, the certificate needs to be re-issued. See How to use a Certificate for Https Protocol
- Your domain admin should be able to help in resolving this
- Note: Wildcard certificates are only valid for a single level of a domain. For example, an entry like *.uipath.com is valid for orch.uipath.com but not for orch.dev.uipath.com.
- The other possibility is that the Orchestrator hostname is defined incorrectly. For example, perhaps the domain name defined for Orchestrator in the URL is orch.uipath.com, but it should be orchestrator.uipath.com.
- In this case the certificate probably needs to be re-issued, or the URL for Orchestrator changed:
- See How to Change the Orchestrator / Identity Server URL
- Note: In this case, both the Orchestrator and Identity Server URL would need to be updated.
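The Diagnosing Procedure and this Common Name Invalid section both come down to two questions: does the Robot machine trust the certificate chain, and does the Orchestrator hostname appear in the certificate's SAN list. The following PowerShell script, added here as an example (it is not part of the original article or of UiPath's tooling), asks Windows those two questions directly from the Robot machine and reports the answers in the same terms the browser and the Robot use. It assumes Windows PowerShell 5.1 or later with network access to the Orchestrator host; https://orch.uipath.com is the article's example name, and parsing the 'DNS Name=' text relies on the Windows rendering of the SAN extension.

```powershell
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension. Assumption: on Windows,
    # Format() renders it as "DNS Name=orch.uipath.com, DNS Name=..." (the same text the
    # article tells you to look for in the certificate dialog), which the regex picks apart.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    return @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
}

function Test-HostnameMatch {
    param([string]$Hostname, [string[]]$SanNames)
    # Exact match, or a wildcard whose '*' stands for exactly one label:
    # *.uipath.com matches orch.uipath.com but not orch.dev.uipath.com.
    foreach ($name in $SanNames) {
        if ($name -eq $Hostname) { return $true }          # -eq is case-insensitive in PowerShell
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                    # ".uipath.com"
            if ($Hostname.Length -gt $suffix.Length -and
                $Hostname.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Hostname.Substring(0, $Hostname.Length - $suffix.Length)
                if (-not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-OrchestratorCertificate {
    param([Parameter(Mandatory)][string]$Url)

    $uri   = [Uri]$Url
    $state = @{ PolicyErrors = $null; ChainStatus = @() }

    # The callback records what Windows chain validation concluded, then returns $true so the
    # handshake completes and the certificate can be inspected. Nothing is sent afterwards.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        if ($chain) {
            $state.ChainStatus = @($chain.ChainStatus |
                ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        }
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient($uri.DnsSafeHost, $uri.Port)
    $ssl    = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($uri.DnsSafeHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    $san = Get-SanDnsNames -Certificate $cert
    [pscustomobject]@{
        Host          = $uri.DnsSafeHost
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotAfter      = $cert.NotAfter
        SanDnsNames   = $san
        HostnameInSan = Test-HostnameMatch -Hostname $uri.DnsSafeHost -SanNames $san
        # RemoteCertificateNameMismatch here is what the browser shows as NET::ERR_CERT_COMMON_NAME_INVALID
        PolicyErrors  = $state.PolicyErrors
        # e.g. "UntrustedRoot: ..." for a self-signed certificate that is not yet in Trusted Root
        ChainStatus   = $state.ChainStatus
    }
}

# Run this on the Robot machine so the check uses that machine's certificate store.
Test-OrchestratorCertificate -Url 'https://orch.uipath.com' | Format-List
```

Read the output from the bottom up: a ChainStatus of UntrustedRoot together with SelfSigned = True points to the Importing Self-Signed Certificates section; HostnameInSan = False with RemoteCertificateNameMismatch points to this Common Name Invalid section (re-issue the certificate or correct the Orchestrator URL); a clean result here but a failing Robot usually means the Robot service was not restarted after the trust store changed.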
Importing Self-Signed Certificates
- Export the certificate used in the Orchestrator machine.
- This can be done from the browser: after viewing the certificate, go to 'Details' and select 'Copy to File...'
- Copy the certificate to the Robot machine that is trying to connect to Orchestrator.
- Start a new MMC from the Run command (mmc.exe).
- File --> Add/Remove Snap-In
- Click Add
- Choose Certificates and click Add
- Check the "Computer Account" radio button. Click Next
- Choose the client computer on the next screen. Click Finish
- Click Close
- Click OK
- Now install the certificate into the Trusted Root Certification Authorities certificate store. This will allow all users to trust the certificate.
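The export and import that the MMC steps above do by hand, scripted with the built-in PKI cmdlets. This is an added example, not from the original article; it assumes Windows 8 / Server 2012 or later, an elevated PowerShell on the Robot machine, a file path (C:\Temp\orchestrator.cer) that you choose, and the thumbprint printed by the export step. The thumbprint comparison and the self-signed check are additions a practitioner would want before placing anything in Trusted Root.

```powershell
# --- On the Orchestrator machine: export the public certificate only (no private key) ---
# 'orch.uipath.com' is the article's example hostname; DnsNameList is the SAN list PowerShell
# exposes on certificates from the Cert: drive.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains 'orch.uipath.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Export-Certificate -Cert $serverCert -FilePath 'C:\Temp\orchestrator.cer' -Type CERT | Out-Null
"Exported $($serverCert.Subject), thumbprint $($serverCert.Thumbprint)"

# --- On the Robot machine (elevated): verify what you received, then trust it ---
function Import-OrchestratorRootCert {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # taken from the export step's output
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
    }
    # Only a self-signed certificate belongs in Trusted Root. If the server certificate was
    # issued by an internal CA, import that CA's certificate instead of promoting a leaf
    # certificate to a trust anchor.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Issued by '$($cert.Issuer)'; import the issuing CA certificate instead."
    }
    if (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint) {
        return "Already trusted: $($cert.Subject)"
    }
    # Same store the MMC steps target: Computer account -> Trusted Root Certification Authorities
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    return "Imported $($cert.Subject) into LocalMachine\Root"
}

Import-OrchestratorRootCert -Path 'C:\Temp\orchestrator.cer' -ExpectedThumbprint '<thumbprint from the export step>'

# Confirm the chain now builds against this machine's store. Verify() checks trust and
# validity period only, not the hostname; the SAN check is covered in Common Name Invalid.
$trusted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\Temp\orchestrator.cer')
$trusted.Verify()
```

Restart the Robot service after the import so that it picks up the updated store, then retry the connection to Orchestrator.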