Overview
When the Liongard Kaseya VSA Inspector fails with the error:
Unable to reach target system because of UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate. This probably means the hostname/port is wrong, the target is down, there is a problem with its certificate, or the network is not working. This is not a problem in the Liongard inspector.
it means the secure TLS/SSL connection between Liongard and the Kaseya VSA server cannot be established because the server's certificate chain is incomplete, invalid, or untrusted.
This article explains the root causes, how to fix the issue safely, and how to prevent it from occurring again.
Why This Happens?
This error is generated by Node.js / OpenSSL when the certificate chain cannot be validated back to a trusted root authority.
The most common causes are:
Cause | Description |
Self-signed certificate | Certificate is not issued by a trusted public CA |
Missing intermediate certificates | The server does not present the full chain |
Untrusted root CA | The agent system does not trust the issuing CA |
Expired certificate | Certificate is past its validity date |
Misconfigured TLS chain | Incorrect certificate order in configuration |
Certificate Chain
Trusted Root CA
↓
Intermediate Certificate
↓
Server Certificate (Kaseya VSA)
↓
Liongard Agent (Validation Fails if any link is missing)
If any link in the chain is broken, the inspector will fail with this error.
Steps to Resolution
Step 1 - Validate the Certificate Chain
Ensure the Kaseya VSA server is using a properly signed certificate (not self-signed) and that the full chain is installed.
Use these tools to validate:
Tool | Purpose |
Checks missing intermediates and chain order | |
Deep TLS and chain validation | |
Visualizes the certificate chain |
Step 2 - Check Certificate Expiration
Verify:
Field | What to Check |
Expiration Date | Certificate must be valid and not expired |
Signature Algorithm | Must be modern and supported |
Issuer | Must be a trusted CA |
If expired, renew the certificate from your CA.
Step 3 - Install the Full Chain on Kaseya VSA
Ensure the server includes:
Server certificate.
Intermediate certificate(s).
Proper chaining order.
Missing intermediates are the most common cause of this error.
Step 4 - Validate the Liongard Agent Trust Store
The Liongard agent system must trust the issuing CA.
Scenario | Action |
Public CA | Update OS root certificate store |
Private / internal CA | Import the root CA into the OS trust store |
This is required when using internal PKI or private CAs.
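The missing-intermediate case from Step 3 and the untrusted-CA case from Step 4 can be reproduced offline with a throwaway lab PKI. This is an added example, not Liongard or Kaseya tooling; it assumes the openssl CLI is installed, and every subject name and file name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Liongard or Kaseya tooling. Every subject name and file
# below is constructed for the demo; nothing touches a real server.
LAB=$(mktemp -d) && trap 'rm -rf "$LAB"' EXIT

# mkca NAME SUBJECT: self-signed root CA (NAME.key / NAME.pem).
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -config lab.cnf -extensions v3_ca \
    -subj "$2" -days 30 -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# issue NAME SUBJECT ISSUER [x509 options]: NAME.pem signed by ISSUER's key.
issue() {
  name=$1 subj=$2 ca=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -config lab.cnf -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -out "$name.pem" "$@" 2>/dev/null
}
build_lab_pki() (
  cd "$LAB" || exit 1
  # Empty DN section (subjects come from -subj) plus a CA extension profile.
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > lab.cnf
  mkca root '/CN=Lab Root CA' &&            # the CA the agent trusts
  mkca other '/CN=Unrelated Root CA' &&     # a CA that issued nothing here
  issue inter '/CN=Lab Intermediate CA' root -extfile lab.cnf -extensions v3_ca &&
  issue leaf '/CN=vsa.lab.example' inter    # the server certificate
)
# verify_presented TRUST_ROOT LEAF [INTERMEDIATES]
# TRUST_ROOT stands in for the agent's OS trust store; INTERMEDIATES is what
# the server sends besides its own certificate (omit when it sends nothing).
verify_presented() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -CAfile "$1" "$2" 2>&1
  fi | grep -q ': OK$'
}
report() { label=$1; shift
  if verify_presented "$@"; then echo "$label: verified"; else echo "$label: FAILED"; fi
}

build_lab_pki || { echo "openssl could not build the lab PKI" >&2; exit 1; }
report 'leaf only, root trusted' "$LAB/root.pem" "$LAB/leaf.pem"
report 'leaf + intermediate, root trusted' "$LAB/root.pem" "$LAB/leaf.pem" "$LAB/inter.pem"
report 'leaf + intermediate, issuing root not trusted' "$LAB/other.pem" "$LAB/leaf.pem" "$LAB/inter.pem"
```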
Step 5 - Do NOT Bypass SSL Validation
Important Security Warning
Do NOT disable strict SSL verification by setting:
Strict-SSL = false
Risk | Impact |
Man-in-the-middle attacks | High security exposure |
Data interception | Sensitive info can be stolen |
Compliance failure | Violates security best practices |
Bypassing validation should only be used for temporary internal testing and never in production.
Step 6 - Re-Run the Inspector
After correcting the certificate chain:
Save changes
Re-run the Kaseya VSA inspector
Confirm status = Completed
Troubleshooting Matrix
Symptom | Likely Cause | Fix |
Self-signed cert detected | No trusted CA | Replace with trusted CA cert |
Missing intermediates | Incomplete chain | Install full chain |
Certificate expired | Outdated cert | Renew cert |
Works in browser but fails in Liongard | OS trust store missing CA | Import CA |
Outcome
After correctly installing and validating the certificate chain:
Inspector completes successfully
Secure TLS handshake succeeds
No more UNABLE_TO_VERIFY_LEAF_SIGNATURE errors
Best Practices
Practice | Benefit |
Use trusted public CA | Prevents trust issues |
Monitor certificate expiry | Avoids unexpected outages |
Install full chain | Ensures compatibility |
Keep OS trust store updated | Maintains CA trust |
Avoid SSL bypass | Protects system security |
When to Contact Support
Contact Liongard Support if:
The error persists after chain correction
You cannot determine missing certificates
SSL test tools show conflicting results
What to Collect Before Contacting Support
Required Info | Description |
Inspector logs | Error output and timestamps |
SSL test results | From KeyCDN / SSL Labs |
Certificate screenshots | Chain configuration |
Agent OS details | Version and build |
References
Third-Party Link Disclaimer
We may reference external third-party resources solely as additional guidance.
Liongard does not own, control, or guarantee the accuracy, security, or reliability of third-party sites. Please use them at your own discretion and risk.
