SSL connection failure

[Always-Testing-Things]

We are having a problem with the DevOps establishing an SSL connection with our primary SPP. This happens when attempting to navigate to the DevOps web portal and it redirects to the SPP appliance we setup to use. Credentials are provided and the page loops from the DevOps portal back to the sign-on page for the SPP appliance.

The log below is what we are getting when the SSL certificate on our primary SPP is setup with valid SSL cert the company purchased. When we change the SSL certificate to the Self-Sign cert on the SPP, the connection starts working and we can load the DevOps web portal. All functionality works when this change is done. Switching back to the valid SSL cert, breaks the connection.

To note, we can setup the full DevOps from start to finish and import the certs from the SPP, but this problem starts after the certs are imported from the SPP with verifying TLS.

Current version of DevOps running is: SafeguardDevOpsService_8.2.3.17267_Release

2026-03-06 00:00:33.478 [E] [Background Maintenance] The SSL connection could not be established, see inner exception.
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan1 alert, ExceptionDispatchInfo exception) at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken) --- End of inner exception stack trace --- at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.InjectNewHttp11ConnectionAsync(QueueItem queueItem) at System.Threading.Tasks.TaskCompletionSourceWithCancellation1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at OneIdentity.SafeguardDotNet.Authentication.AuthenticatorBase.ApiRequest(HttpMethod method, String url, String postData, String authToken, Boolean getTtl)
at OneIdentity.SafeguardDotNet.Authentication.CertificateAuthenticator.GetRstsTokenInternal()
at OneIdentity.SafeguardDotNet.Authentication.AuthenticatorBase.RefreshAccessToken()
at OneIdentity.SafeguardDotNet.Safeguard.Connect(String networkAddress, IEnumerable`1 certificateData, SecureString certificatePassword, RemoteCertificateValidationCallback validationCallback, Int32 apiVersion)
at OneIdentity.DevOps.Logic.BackgroundMaintenanceLogic.GetSgConnection() in D:\a\1\s\SafeguardDevOpsService\Logic\BackgroundMaintenanceLogic.cs:line 45
at OneIdentity.DevOps.Logic.BackgroundMaintenanceLogic.StartAddOnBackgroundMaintenance(CancellationToken cancellationToken) in D:\a\1\s\SafeguardDevOpsService\Logic\BackgroundMaintenanceLogic.cs:line 79

[MattBeaudinQC]

Hi @Always-Testing-Things ,

I set up Safeguard DevOps Service in my lab using a CA-signed certificate on SPP and was not able to reproduce the issue.

The stack trace indicates the DevOps Service is rejecting the SPP server certificate during TLS handshake (“remote certificate was rejected…”). This usually occurs when the certificate chain cannot be built to a trusted root (missing/intermediate CA not provided or not trusted), or if the certificate name/SAN does not match the SPP address being used.

For the purchased certificate:

• Does SPP present the full certificate chain (including any intermediate CA certificates)?
• Is the issuing root + intermediate CA installed/trusted on the machine running Safeguard DevOps Service?
• Does the certificate SAN include the exact FQDN used by DevOps Service to reach SPP (not just the CN)?

Also, it would be helpful to know what you're trying to solve with Secrets Broker because Safeguard itself does offer a similar solution: https://docs.oneidentity.com/bundle/safeguard-for-privileged-passwords_administration-guide_8.2/page/guides/administrationguide/assetplatform-configure.htm

Matt