Forum Discussion
Win 2025 - MCC Install Failure
Instead, you can validate the certificate chain by running:
openssl s_client -connect geomcc.prod.do.dsp.mp.microsoft.com:443 -showcerts
This will show what cert is being included on the check. Based on these results the customer will have the evidence on how they should proceed. Importing MS certs is not necessary and the requests to *.prod.do.dsp.mp.microsoft must avoid going through their proxy.
------------------------------
For example, we had one customer run the Open SSL command above with the additional proxy parameter:
openssl s_client -connect geomcc.prod.do.dsp.mp.microsoft.com:443 -proxy [proxy_name] -showcerts"
And found a "temporary failure in name resolution" error. They ran the command again, this time replacing the proxy hostname with an IP address instead. Only then did the openssl command work.
As a result, they changed the "-proxyurl" in the MCC installation script to the IP address instead of the proxy hostname. This fully resolved the issue.
MicrosoftHi, thank you for bringing up this issue and suggesting workarounds. However, we do not recommend importing the MS certificate into the proxy.
The MCC installer pins to the MS certificate and ensures that valid endpoints from Microsoft are being used. As long as the URL is bypassed in the customer's proxy, the check will succeed.
Open SSL client does not send an http request; it only completes the TLS handshake to get the full cert chain. Receiving only 1 cert means the TLS handshake was intercepted and stamped with a different set of certs. Our prod URLs will have a full cert chain including intermediate leaf that chains back to the well-known root that we are checking against.