Reason #1: Proxy server
The most frequent reason for this is the Agent being behind a proxy server, or a firewall blocking outgoing requests from the Agent to the server.
Make sure to configure your firewall and/or proxy server as described in the "Network Connectivity" section of the 0patch User Manual.
Reason #2: TLS 1.0 not allowed
Note: this issue only applies to Windows 7, Windows 8, Server 2008 R2 and Server 2012.
According to https://docs.microsoft.com/en-us/windows/win32/winhttp/option-flags, only SSL3 and TLS 1.0 are enabled in Windows 7 and Windows 8 by default. This likely also applies to their server counterparts, Server 2008 R2 and Server 2012. Our Agent uses the default system settings and selects TLS 1.0 just as any other WinHTTP-based app on the same computer would. This works as long as TLS 1.0 is enabled on the computer (which it is by default). However, one can disable TLS 1.0 manually or via Group Policy, or install a product that disables TLS 1.0, such as Internet Information Services.
The solution to this is presented in this article, which provides a downloadable "Easy Fix" that creates a registry value DefaultSecureProtocols under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp, and sets it to 0xA00. This instructs all WinHTTP applications (including 0patch Agent) that they should be using TLS 1.1 or TLS 1.2. (To download the "Easy Fix", find the Easy Fix section in the article, then click the blue Download button.)
If you're seeing "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR" in 0patchService.log under c:\ProgramData\0patch\Logs\, we recommend downloading and running the "Easy Fix" app mentioned above.
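To confirm this cause before or after applying the fix, the following PowerShell check (an added example, not part of the 0patch or Microsoft tooling) reads the DefaultSecureProtocols value named above, decodes it into protocol names, and counts occurrences of the error string in 0patchService.log. The bit values are the WINHTTP_FLAG_SECURE_PROTOCOL_* constants from the WinHTTP option flags page; the function name is illustrative, and the script makes no changes to the system.

```powershell
# Added example: read-only diagnostic for the WinHTTP protocol setting and the Agent log.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$logPath  = 'C:\ProgramData\0patch\Logs\0patchService.log'
$errorTag = 'WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR'

# WINHTTP_FLAG_SECURE_PROTOCOL_* bit values (WinHTTP option flags documentation).
$protocolBits = @(
    @('SSL 2.0', 0x008),
    @('SSL 3.0', 0x020),
    @('TLS 1.0', 0x080),
    @('TLS 1.1', 0x200),
    @('TLS 1.2', 0x800)
)

# Hypothetical helper: turn a DefaultSecureProtocols bitmask into protocol names.
function ConvertTo-ProtocolList {
    param([int]$Mask)
    $names = foreach ($pair in $protocolBits) {
        if ($Mask -band $pair[1]) { $pair[0] }
    }
    return @($names)
}

$prop = Get-ItemProperty -Path $keyPath -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output 'DefaultSecureProtocols is not set; WinHTTP apps use the system defaults.'
} else {
    $mask    = [int]$prop.DefaultSecureProtocols
    $enabled = ConvertTo-ProtocolList -Mask $mask
    Write-Output ('DefaultSecureProtocols = 0x{0:X} -> {1}' -f $mask, ($enabled -join ', '))
    if (($mask -band 0xA00) -eq 0) {
        Write-Output 'Neither TLS 1.1 nor TLS 1.2 is enabled by this value.'
    }
}

# Look for the error string the article associates with this problem.
if (Test-Path -Path $logPath) {
    $hits = @(Select-String -Path $logPath -Pattern $errorTag -SimpleMatch)
    Write-Output ('{0} occurrence(s) of {1} in {2}' -f $hits.Count, $errorTag, $logPath)
    $hits | Select-Object -Last 3 | ForEach-Object { $_.Line }
} else {
    Write-Output "Log file not found: $logPath"
}
```

After the "Easy Fix" has run, the first line of output should read 0xA00 -> TLS 1.1, TLS 1.2.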
Reason #3: Expired Sectigo root certificate
Note: this issue primarily applies to Windows XP and Server 2003, but some users had certificate-related problems on newer Windows systems, and installing the correct root certificates helped.