ENTRA003 - Microsoft Graph TLS/SSL Certificate Error
Agent error code #ENTRA003 indicates that the agent's TLS handshake with login.microsoftonline.com or graph.microsoft.com failed. The certificate presented by the endpoint could not be verified against the system trust store.
This error is distinct from connection failures (#ENTRA000) and timeouts (#ENTRA004). It indicates the TCP connection succeeded but the TLS layer rejected the certificate.
Common causes include:
- A TLS-intercepting proxy (corporate Zscaler, Netskope, Palo Alto, etc.) is sitting between the agent and Microsoft and re-signing the certificate with a CA the agent does not trust
- The system root CA bundle on the agent host is missing, outdated, or corrupt
- The agent host's system clock is significantly skewed, so the Microsoft certificate appears not-yet-valid or expired
Steps to Resolve
Verify the System Clock
- On the agent host, run `date -u` and confirm the time is within a few seconds of UTC
- If clock skew is more than a minute, enable NTP (`timedatectl set-ntp true` on most Linux distros) and re-sync
Inspect the Certificate Chain
- From the agent host, run: `openssl s_client -showcerts -connect graph.microsoft.com:443 -servername graph.microsoft.com </dev/null`
- Confirm the issuer chain ends at one of the roots Microsoft uses (e.g. DigiCert Global Root G2 or Microsoft RSA Root Certificate Authority 2017)
- If the chain shows a corporate CA, a TLS proxy is in the path. Either bypass it for `*.microsoft.com` or install its root CA in the system trust store
Refresh the System CA Bundle
If the chain looks correct but verification still fails, the system CA bundle may be stale:
- Debian/Ubuntu: `apt-get install --reinstall ca-certificates && update-ca-certificates`
- RHEL/CentOS: `yum reinstall ca-certificates && update-ca-trust extract`
- Alpine: `apk add --no-cache ca-certificates && update-ca-certificates`
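The clock and certificate-chain checks above, combined into one small POSIX sh helper. This is an added example, not part of the Knocknoc agent or this guide; the reference epoch for the clock check is supplied by the caller, the root names are the two listed above, and the sample chains (including the intermediate CA name) are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic helper for #ENTRA003; not part of the Knocknoc agent.
# It covers the two local checks from the steps above: clock skew and
# whether the issuer chain ends at an expected public root or at a
# corporate CA (a sign of a TLS-intercepting proxy).

# Succeed when |local_epoch - ref_epoch| <= tolerance (default 60 s).
# ref_epoch is supplied by the caller, e.g. read from an NTP-synced host.
clock_within_tolerance() {
  diff=$(( $1 - $2 ))
  if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
  [ "$diff" -le "${3:-60}" ]
}

# Read `openssl s_client -showcerts` output on stdin and print one word:
#   ok          last issuer is one of the roots named on this page
#   intercepted last issuer is something else (likely a TLS proxy CA)
#   no-chain    no issuer lines found (handshake never got that far)
classify_chain() {
  last_issuer=$(grep -E '^[[:space:]]*i:' | tail -n 1)
  case "$last_issuer" in
    '') echo no-chain ;;
    *'DigiCert Global Root G2'*|*'Microsoft RSA Root Certificate Authority 2017'*)
      echo ok ;;
    *) echo intercepted ;;
  esac
}

# Live check against a host (network required); prints the classification.
live_check() {
  openssl s_client -showcerts -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | classify_chain
}

# Constructed sample chains in the s_client "Certificate chain" format.
# "Placeholder Issuing CA" is a made-up intermediate, not a real issuer.
GOOD_CHAIN=' 0 s:CN = graph.microsoft.com
   i:C = US, O = Microsoft Corporation, CN = Placeholder Issuing CA
 1 s:C = US, O = Microsoft Corporation, CN = Placeholder Issuing CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2'
PROXY_CHAIN=' 0 s:CN = graph.microsoft.com
   i:O = Example Corp, CN = Example Corp TLS Inspection CA
 1 s:O = Example Corp, CN = Example Corp TLS Inspection CA
   i:O = Example Corp, CN = Example Corp Root CA'

# On the agent host run: live_check graph.microsoft.com
printf 'constructed good chain:  %s\n' "$(printf '%s\n' "$GOOD_CHAIN" | classify_chain)"
printf 'constructed proxy chain: %s\n' "$(printf '%s\n' "$PROXY_CHAIN" | classify_chain)"
```

A result of `intercepted` on the live check means the corporate CA must be added to the system trust store (or the proxy bypassed) before the agent can complete the handshake.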
For the full setup, see the Microsoft Entra ID setup guide.
Still Having Issues?
We can help you out, contact us at support@knocknoc.io.