This article helps you resolve a common SSL/TLS error that may occur when a FlexNet Beacon is unable to connect to required Flexera One endpoints. The error typically appears when a required certificate revocation check fails due to network restrictions or missing root certificates.

Symptoms

You may see the following error in the Beacon UI or logs:

The remote certificate is invalid according to the validation procedure

This often indicates that a certificate revocation server required by the Flexera certificate chain is being blocked by a firewall or security software.

Flexera One Beacon endpoints

Ensure connectivity to the following endpoints over port 443:

• US
  • https://beacon.flexnetmanager.com
  • https://data.flexnetmanager.com
• EU
  • https://beacon.flexnetmanager.eu
  • https://data.flexnetmanager.eu
• APAC
  • https://beacon.flexnetmanager.au
  • https://data.flexnetmanager.au

NOTE: For UAT environments, use beacon.uat and data.uat subdomains.

Troubleshooting

Use the following steps to troubleshoot this issue.

Step 1: Verify certificates are trusted

1. Use SSL Labs to analyze the endpoint certificate chain.

• The links provided below are for US Production, but the checked URL can be changed for the other environments:

• For data.flexnetmanager: https://www.ssllabs.com/ssltest/analyze.html?d=data.flexnetmanager.com
• For beacon.flexnetmanager: https://www.ssllabs.com/ssltest/analyze.html?d=beacon.flexnetmanager.com

While testing you’ll see something like this:

2. Once the test is complete, click into the test results by selecting the IP address or hyperlink.
3. Expand Certification Paths. The Root CA should be recorded within In trust store.

Step 2: Download the certificate chain for testing

1. Use the Download links to save the server and root certificates.

This opens a page that looks like the following:

-----BEGIN CERTIFICATE----- MIIEMzCCAxugAwIBAgISBIawuM3yzWDlru1cycwAD9e5MA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNV …yV9/5+Yn8sgl+QEmpejDW9O5vJ2icBIU5cX0H3ae9Xl2flcTMnCXKFemRT3/LItp7aNL+nE= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAwTzELMAkGA1UE BhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQD EwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAwWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQG … i5Lc5da149p90IdshCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxP Fin+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6ZvMldlTTKB 3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqXnLRbwHOoq7hHwg==

-----END CERTIFICATE-----

2. Copy and paste the contents into a text editor and save as .cer files for use with certutil.

If the certificate is not present within the Certificate Manager, you can install it and attempt to test the connection again in the Beacon.

Step 3: Check certificate revocation status

If the test connection is still failing, you can validate the certificate revocation servers using the .cer file you downloaded. Run these steps on the Beacon server to confirm whether certificate revocation checks are failing due to blocked URLs or missing root/intermediate certificates. 

1. Open Command Prompt as Administrator.
2. Run:

certutil.exe -verify -URLFetch <Certificate exported as file> e.g. certutil.exe -verify -URLFetch {filepath}\beacon.cer

3. Review the output. Look for any failing OCSP or CRL (revocation) URLs.
4. Test any failing URLs in a web browser from the Beacon server to confirm they are blocked.

For this test, the OCSP revocation site is failing. http://r3.o.lencr.org