On a Windows Server 2008 EC2 instance, the CloudWatch Agent service status was normal, but monitoring metrics could never be reported to CloudWatch. The logs repeatedly showed x509: certificate signed by unknown authority, and the root cause was ultimately traced to outdated system root certificates and insufficient TLS support.