Automation Studio SSL Connection Error

For the on-prem Kinetic users with Automation Studio. Anyone seen this error before? Renewed the SSL cert and now AS won’t connect. The certificate is from a CA and valid. Works fine for other integrations and in the browser/client. So I don’t think it’s an issue with the certificate.

Have removed and re-added the cert to the app instance several times. Restarted the app instance. Restarted the VM host. Deleted and recreated the connection in AS. Sort of out of ideas.

Did you go into your integrations portal to check that your OnPrem agent/group is still connected?

We don’t use the agent. It’s a direct connection to a Kinetic instance via a DMZ/App Gateway. Restricted to Workato IPs.

Epicor support doesn’t know what’s wrong either. They have to contact Workato for support… this is fun.

And Workato support doesn’t have any idea.

This almost looks like a wrong algorithm issue with the cert.
Is it a new cert? Is it self issued?

New certificate. Was just a renewal of a multi-year wildcard. Not self-signed - from a public CA (Sectigo).

Did you remove the expired certificate from the server?

Yes. It’s gone. The endpoint works fine for everything except Workato.

It looks to me like Sectigo has made some changes to its certification path. https://www.sectigo.com/knowledge-base/detail/Sectigo-new-Public-Roots-and-Issuing-CAs-Hierarchy/kA0Uj0000004IrBKAU

Maybe Workato needs to update public root CAs.

That’s what it looks like to me. It’s something on their end. But they won’t believe me.

I did see that announcement and noticed the chain was different. But didn’t have any problems anywhere except Workato. We have several other integrations that all work fine with the new certificate.

If you were using the Workato HTTP connector, there is a configuration you could use to complete the certificate chain. However, the Kinetic connector doesn’t appear to have the "Use custom TLS/SSL certificate" settings.

Here’s a thought: create a new connection to your production Kinetic in your test environment. Confirm the problem.

Create a new HTTP connection to your Kinetic URL using the custom TLS/SSL settings and see if you can get any type of connection. If you can, then you’ve got something to take back to Workato.

It would also be worth trying the Kinetic connector again in test after loading the custom CA. It’s possible that loading it to the HTTP connector placed it on the server and it will then be there for the Kinetic connector.

It’s something with the Kinetic connector!

I created just a basic HTTP connector and it connects right away. Using the same certificate and endpoint. If I go back to the Kinetic connector - fails.

Did you have to use the Custom SSL/TLS setting? Did you try creating a new Kinetic connector?

Didn’t even have to use the custom SSL/TLS. Connected with the same endpoint and default settings. Once it connected I went back to the Kinetic connector and tried connecting - fail.

So, then went back to the HTTP connector and uploaded custom SSL/TLS. It connected fine. Went back to Kinetic Connector - fail.

I was wondering whether the configured Kinetic connector may somehow be tied to the old certification path and whether creating a new Kinetic connector might get the new path. Grasping at straws, but nothing to lose in the test environment.

I’ve been testing with a new Kinetic Connector each time. Thinking that maybe something isn’t being cleared behind the scenes.

Not a solution, but maybe it’s enough info for Workato to figure out the solution.

Waiting to hear back from Workato support via Epicor Support. Because we can’t contact Workato directly.

Yep…been there.