TLS failures in Niagara typically fall into three categories: (1) trust problems (untrusted CA or missing chain), (2) certificate lifecycle problems (expired, not-yet-valid, or hostname mismatch), or (3) protocol and port mismatch (fox vs foxs vs foxwss, HTTP vs HTTPS). Use this checklist to diagnose quickly.
You cannot connect to a station or platform securely; Workbench shows TLS errors; the browser shows certificate warnings; or station-to-station links fail after security changes.
| Connection type | Protocol | Notes |
|---|---|---|
| Browser (Web UI) | HTTP / HTTPS | Standard web ports |
| Workbench to Station | fox / foxs | fox = unencrypted, foxs = TLS |
| Station-to-Station driver | foxs | Typically encrypted |
| WebSocket-based | foxwss | If enabled; uses standard web ports |
| Protocol | Default port | Notes |
|---|---|---|
| fox (unencrypted) | 1911 | Not recommended for production |
| foxs (TLS) | 4911 | Niagara secure baseline |
| foxwss (Fox over WebSocket) | 443 | Leverages standard HTTPS port |
If you see certificate-related UI errors (including help or webstation access issues), check Workbench certificate management. Unapproved hosts and certificates must be approved or regenerated before smooth operation. This is the same failure mode seen in "Cannot Load Help" issues.
After hardening changes (HTTPS-only enforcement, stronger authentication policies), station-to-station connections may fail unless all supervisors and JACEs are updated to the new credentials and to HTTPS/foxs endpoints.
| Symptom | Action |
|---|---|
| Valid certificate, but not trusted | Fix trust chain or approve in Workbench |
| Expired or wrong hostname | Re-issue and redeploy across Fox/Web/Platform endpoints |
| Port mismatch | Update connection string to correct protocol and port |