Avaya Aura Web Gateway returns a TLS handshake error when testing the connectivity to a push notification server

Last Updated: Jun 10, 2026

Condition

When you test the connectivity to the push notification server, it fails with a TLS handshake error.

Cause

The issue might occur when your company uses an outgoing TLS inspector, such as Zscaler. The TLS inspector uses its own self-signed certificates to connect to the pnp.avaya.com Avaya Push Notification provider address.

Solution

Procedure

  1. From the Avaya Aura® Web Gateway CLI, run the following command to check whether a TLS inspector is in use:
    openssl s_client -connect pnp.avaya.com:443

    If the command output does not display an Entrust certificate in the certificate chain, the certificate is provided by a third party.

    The following example shows a command output when Avaya Aura® Web Gateway uses built-in RHEL certificates for Avaya Push Notification service:

    Certificate chain
     0 s:C = US, ST = New Jersey, L = Morristown, O = "Avaya, Inc.", CN = pnp.avaya.com
       i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
     1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
       i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
     2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
       i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2

    apnp.avaya.com uses a different CA certificate, so if that FQDN is used, you should see the AvayaITserverCA2 certificate in the chain. For example:

    openssl s_client -connect apnp.avaya.com:443
    CONNECTED(00000005)
    depth=2 O = Avaya, OU = IT, CN = AvayaITrootCA2
    verify return:1
    depth=1 DC = com, DC = avaya, DC = global, CN = AvayaITserverCA2
    verify return:1
    depth=0 C = US, ST = NJ, O = Avaya, CN = apnp.avaya.com
    verify return:1
    ---
    Certificate chain
     0 s:C = US, ST = NJ, O = Avaya, CN = apnp.avaya.com
       i:DC = com, DC = avaya, DC = global, CN = AvayaITserverCA2
     1 s:DC = com, DC = avaya, DC = global, CN = AvayaITserverCA2
       i:O = Avaya, OU = IT, CN = AvayaITrootCA2
     2 s:O = Avaya, OU = IT, CN = AvayaITrootCA2
       i:O = Avaya, OU = IT, CN = AvayaITrootCA2
  2. If a third-party certificate is used, import the TLS inspector CA certificates into the Avaya Aura® Web Gateway truststore.

    For more information, see Managing truststore certificates.
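One way to script the check from step 1, as an added example that is not part of the original article or of Avaya's tooling: it extracts the issuer lines from `openssl s_client` output and reports whether the expected CA appears in the chain. The names `check_chain`, `sample_direct` and `sample_inspected`, and the "Example Corp" inspector CA, are constructed for illustration.

```shell
# check_chain EXPECTED_CA: reads `openssl s_client` output on stdin, prints the
# issuer (i:) lines of the certificate chain, and returns
#   0  an issuer contains EXPECTED_CA
#   1  a chain is present but no issuer matches (TLS inspection is likely)
#   2  no chain in the output (handshake failed before certificates arrived)
check_chain() {
    expected=$1
    issuers=$(awk '
        /^[ \t]*Certificate chain/ { in_chain = 1; next }
        in_chain && /^[ \t]*---/   { in_chain = 0 }
        in_chain && /^[ \t]*i:/    { sub(/^[ \t]*i:/, ""); print }')
    [ -n "$issuers" ] || return 2
    printf '%s\n' "$issuers"
    printf '%s\n' "$issuers" | grep -qF -- "$expected"
}

# Sample 1: first certificate of the pnp.avaya.com chain shown in the article.
sample_direct() {
    cat <<'EOF'
---
Certificate chain
 0 s:C = US, ST = New Jersey, L = Morristown, O = "Avaya, Inc.", CN = pnp.avaya.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
---
EOF
}

# Sample 2: constructed output; "Example Corp" stands in for a TLS inspector CA.
sample_inspected() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = pnp.avaya.com
   i:O = Example Corp, CN = Example TLS Inspection CA
 1 s:O = Example Corp, CN = Example TLS Inspection CA
   i:O = Example Corp, CN = Example Root CA
---
EOF
}

# Live use on the gateway (not run here):
#   openssl s_client -connect pnp.avaya.com:443 </dev/null 2>/dev/null | check_chain "Entrust"
for sample in sample_direct sample_inspected; do
    if "$sample" | check_chain "Entrust" >/dev/null; then
        echo "$sample: expected CA present"
    else
        echo "$sample: expected CA missing, step 2 applies"
    fi
done
```

For apnp.avaya.com, pass `AvayaITserverCA2` as the expected CA instead of `Entrust`.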