Certificate trust issues

Symptoms:

  • The Itron Platform installer or Web UI installer rolls back.
  • The browser indicates an untrusted site (any NET::ERR_CERT_* error, such as COMMON_NAME_INVALID, DATE_INVALID, or AUTHORITY_INVALID).
  • An HTTP 525: SSL/TLS Handshake Failed message or similar error messages appear in log files.

Possible causes:

  • DNS name casing issues (case sensitivity).
  • The self-signed certificate has not been added to the Trusted Root CAs.
  • The allowed TLS protocol versions/cipher suites are lower/older than the requested ones.

Resolution:

  • The DNS name in the certificate should:
    • be fully qualified (domain name).
    • be lowercase.
    • resolve to the IP address of the (standalone) web server or the IP address of the common load balancer of multiple web servers.
  • Generate a self-signed certificate with the following recommended method:

    New-SelfSignedCertificate -DnsName "fully.qualified.domainname.com" -CertStoreLocation "cert:\LocalMachine\My" -FriendlyName "SomethingFriendly"

  • Enable TLS v1.2. Refer to the following Microsoft topic:

    https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-server#bkmk_protocol
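
The checks from the resolution list above, collected into one script as an added example (not Itron's own tooling). The `$DnsName` value is a placeholder and the `.cer` file name in the comments is hypothetical; run it in an elevated PowerShell session on the web server.

```powershell
# Placeholder: replace with the DNS name used for the web server certificate.
$DnsName = 'fully.qualified.domainname.com'

# 1. The name must be lowercase and fully qualified.
if ($DnsName -cne $DnsName.ToLowerInvariant()) { Write-Warning "DNS name contains uppercase characters: $DnsName" }
if ($DnsName -notmatch '\.') { Write-Warning "DNS name is not fully qualified: $DnsName" }

# 2. The name must resolve to the web server or common load balancer address.
try {
    $addresses = (Resolve-DnsName -Name $DnsName -ErrorAction Stop | Where-Object { $_.IPAddress }).IPAddress
    Write-Output "Resolves to: $($addresses -join ', ') (compare with the web server or load balancer IP)"
} catch {
    Write-Warning "DNS name does not resolve: $DnsName"
}

# 3. Find certificates for that name in the machine's personal store (case-insensitive match).
$now = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.DnsNameList.Unicode -contains $DnsName }
if (-not $certs) { Write-Warning "No certificate for $DnsName in Cert:\LocalMachine\My" }

foreach ($cert in $certs) {
    # Casing of the name inside the certificate must match exactly (lowercase).
    if ($cert.DnsNameList.Unicode -cnotcontains $DnsName) { Write-Warning "$($cert.Thumbprint): DNS name casing differs" }
    # An expired or not-yet-valid certificate produces the DATE_INVALID symptom.
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { Write-Warning "$($cert.Thumbprint): outside validity period" }
    # 4. A self-signed certificate must also be present in Trusted Root CAs.
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    if ($cert.Subject -eq $cert.Issuer -and -not $inRoot) {
        Write-Warning "$($cert.Thumbprint): self-signed and not in Trusted Root CAs"
        # To trust it, export the public certificate and import it into the Root store:
        # Export-Certificate -Cert $cert -FilePath "$env:TEMP\web-ui.cer"
        # Import-Certificate -FilePath "$env:TEMP\web-ui.cer" -CertStoreLocation Cert:\LocalMachine\Root
    }
}

# 5. TLS 1.2 (server side) must not be disabled in SCHANNEL; an absent key means the OS default applies.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
if ($tls -and ($tls.Enabled -eq 0 -or $tls.DisabledByDefault -eq 1)) {
    Write-Warning "TLS 1.2 (server) is disabled in the registry: $tlsKey"
}
```

Client machines that browse to the Web UI need the same self-signed certificate in their own Trusted Root CAs store, otherwise the browser still reports AUTHORITY_INVALID.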