Common issues and troubleshooting for your Automator service
There are several reasons why Keeper Commander is unable to communicate with your Automator service:
- Ensure that the automator service is open to Keeper’s IP addresses. The list of IPs that must be open are found at this Network Config page. We recommend also adding your own IP address so that you can troubleshoot the connection.
- Ensure that the SSL certificate is loaded. Check the Automator log files which will indicate if the certificate is loaded by the service restart. If the IP address is open to you, you can run a health check on the command line using curl, for example:
- Check that the subject name of the certificate matches the FQDN.
- Check that your SSL certificate includes the CA intermediate certificate chain. This is the most common issue that causes a problem. Keeper will refuse to connect to Automator if the intermediate certificate chain is missing. You can do this using openssl like the following:
openssl s_client -showcerts -servername automator.company.com -connect automator.company.com
This command will clearly show you the number of certificates in the chain. If there's only a single cert, this means you did not load the full chain. To resolve this, see Step 4 of the Create Certificate step by step instructions page.
This may occur if the healthcheck request URI does not match the SSL certificate domain. To allow the healthcheck to complete, you need to disable SNI checks on the service. This can be accomplished by setting the disable_sni_check=true in the Automator configuration.