The first thing you want to test is opening https://dist.0patch.com in Internet Explorer (not some other web browser) on the affected computer, because 0patch Agent is using the same networking functions as Internet Explorer. If the page does not open at all, you probably have problems with proxy of firewall (see reason #1 below). If you see a security warning about an invalid certificate, reason #3 below is the most likely culprit.
Reason #1: Proxy server or firewall
The most frequent reason for this is the Agent being behind a proxy server, or a firewall blocking outgoing requests from Agent to server.
Make sure to configure your firewall and/or proxy server as described in 0patch User Manual in section "Network Connectivity". (Make sure to specify the proxy port number in decimal, not hexadecimal, which is Registry Editor's default numeric type.)
Check if your computer has a system proxy configured (run netsh winhttp show proxy). 0patch Agent will honor system proxy settings.
Reason #2: TLS1.0 not allowed
Note: this issue only applies to Windows 7, Windows 8, Server 2008 R2 and Server 2012.
According to https://docs.microsoft.com/en-us/windows/win32/winhttp/option-flags, only SSL3 and TLS1.0 are enabled in Windows 7 and Windows 8 by default. This likely also applies to their server counterparts, Server 2008 R2 and Server 2012. Our Agent is using the default system settings and selects TLS 1.0 just as any other WinHTTP-based app on the same computer would. This works as long as TLS 1.0 is enabled on the computer (which it is by default). However, one can disable TLS 1.0 manually or via Group Policy, or install a product which disables TLS 1.0 such as Internet Information Services.
The solution to this is presented in this article, which provides a downloadable "Easy Fix" that creates a registry value DefaultSecureProtocols under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp, and sets it to 0xA00. This instructs all WinHTTP applications (including 0patch Agent) that they should be using TLS 1.1 or TLS 1.2. (To download the "Easy Fix", find the Easy Fix section in the article, then click the blue Download button.)
If you're seeing "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR" in 0patchService.log under c:\ProgramData\0patch\Logs\, we recommend downloading and running the "Easy Fix" app mentioned above.
Reason #3: Expired Sectigo root certificate
Note: this issue primarily applies to Windows XP and Server 2003, but some users had certificate-related problems on newer Windows systems and installing correct root certificates helped.
If none of the above helped you solve the problem, please email firstname.lastname@example.org and provide the following information:
- Are you trying to (1) register 0patch Agent manually by typing in email and password to 0patch Console, or (2) installing it silently using Account Key?
- Attach 0patchConsole.log and 0patchService.log from C:\ProgramData\0patch\Logs (or C:\Documents and Settings\All Users\Application Data\0patch\Logs on older Windows)