How to Test Connectivity from Windows Server to SCM

November 30, 2020

How to test HTTPS connectivity from a Windows Server to https://cert-manager.com

If a Windows Server cannot access https://cert-manager.com, our Network Agent and MS Agent will not work; they will show “Not connected” in SCM. Both agents use the HTTPS protocol to connect to SCM. If a firewall or web proxy does not allow this HTTPS connection from the Windows Server to https://cert-manager.com, the agents will not work.

We cannot test connectivity between a server and SCM using the ping command because ping does not use the HTTPS protocol. Ping uses the ICMP protocol, so just because a server can reach cert-manager.com via ICMP does not mean the server can connect to SCM using HTTPS.

We should not use a web browser to test connectivity between a server and SCM because a browser might already have a web proxy configured. Our Network Agent and MS Agent will not use a browser’s proxy settings to connect, so just because you can visit https://cert-manager.com using the server’s web browser does not mean the Network and MS Agent will be able to connect.

The correct way to test connectivity from a Windows server to SCM is to use openssl.exe (the Win32 OpenSSL "light" 3MB version is fine). Download it and install it using the default settings; the openssl.exe file will be installed to: “C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe”

You can now use a command prompt (cmd.exe) to run the command below. Do not use PowerShell because the space in “Program Files” is not handled correctly, even if you use double quotes. Just use cmd.exe.

echo QUIT | "C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe" s_client -connect cert-manager.com:443

A successful connection will quickly output:
CONNECTED(000001E0)
[..] (long output was removed for brevity)

An unsuccessful connection will take some time to output:
22272:error:0200274C:system library:connect:reason(1868):crypto\bio\b_sock2.c:110:
22272:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:111:
connect:errno=0

Common problems and solutions:

  1. Problem: Server is behind a web proxy and cannot access https://cert-manager.com directly.
    1. Solution: Configure the web proxy settings in the “agent.properties” file and restart the agent’s Windows service.
  2. Problem: Server is behind a firewall which blocks the outbound connection.
    1. Solution: The network or system administrator should configure the firewall to allow the outbound connection to cert-manager.com on TCP port 443. Running a traceroute (“tracert cert-manager.com”) may help to show where the issue is.
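
The test above wrapped as a batch script for cmd.exe, added here as an example and not part of the original article or the vendor's tooling. The scratch file name and the exit codes are assumptions; the openssl.exe path is the default install location given above.

```bat
@echo off
rem Added example: runs the s_client test from this article and reports
rem whether the direct connection to SCM succeeded.
setlocal
rem Default install path named in this article; adjust if installed elsewhere.
set "OPENSSL=C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe"
set "TARGET=cert-manager.com:443"
rem Hypothetical scratch file for the captured output.
set "OUT=%TEMP%\scm-s_client.txt"

if not exist "%OPENSSL%" goto :noopenssl

rem Same command as in the article. stderr is captured as well because
rem the connect errors are written there.
echo QUIT | "%OPENSSL%" s_client -connect %TARGET% > "%OUT%" 2>&1

rem A successful run contains a line beginning with "CONNECTED(".
findstr /B /L /C:"CONNECTED(" "%OUT%" >nul
if errorlevel 1 goto :blocked

echo OK: direct connection to %TARGET% succeeded.
rem Show the certificate subject and issuer that were presented, so they
rem can be compared with what is expected for cert-manager.com.
findstr /B /L /C:"subject=" /C:"issuer=" "%OUT%"
del "%OUT%"
exit /b 0

:blocked
echo FAILED: no direct connection to %TARGET%. openssl output:
type "%OUT%"
echo Check the proxy settings in agent.properties or the firewall rule
echo for outbound TCP port 443.
del "%OUT%"
exit /b 1

:noopenssl
echo openssl.exe not found at "%OPENSSL%"
exit /b 2
```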