Do you have a proxy/transparent proxy that your appliance traverses through to get to update-manifests.ironport.com over port 443?

Go through a WSA or ASA?

Are you able to run updateconfig and then run hidden command of dynamichost to show which manifest server you are pointed to, to assure correct host.  Then from the main CLI prompt, run telnet update-manifests.cisco.com 443.  Does this complete?

Other things to check, depending on where your appliance sits on your network, from your desktop (cmd, terminal), try to use openssl to assure you can communicate over port 443 and get the certificate call returned from the URL.

Example:

robsherw$ openssl s_client -connect update-manifests.ironport.com:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Cisco Technology, Inc./OU=Security Cloud Operations/CN=update-manifests.ironport.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE7jCCA9agAwIBAgIQSOTqAhjv1YEV+ddndpJrATANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTE0MTAzMTAwMDAwMFoXDTE1MTAzMTIzNTk1OVowgaIx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHFAhTYW4g
Sm9zZTEfMB0GA1UEChQWQ2lzY28gVGVjaG5vbG9neSwgSW5jLjEiMCAGA1UECxQZ
U2VjdXJpdHkgQ2xvdWQgT3BlcmF0aW9uczEmMCQGA1UEAxQddXBkYXRlLW1hbmlm
ZXN0cy5pcm9ucG9ydC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC6zl4/kOJ8Noa4gsU2FQSyOIDhKl4kE/gl/ZJPNwkTJu1lwzUO8I+XEd4CEFu5
rd0OmZASzncGmmEIpcwv6wIX89wN8N3TVmfihxD3/KKUmV4YkNuxuFFFdvOLO+HH
py281TliH3UQtLHFlhUi5XR/QmzA4t4qZa8SFdkXz9kXyYxIIng5gCGNnz6JaPfy
LXO6XRPxU/BtHOjmHzMw3pWI9OaT7kN3srx+Ly0qnR/0rLhTqwQti05+BJEyQ/FZ
L8mZkoFEu/Kmk8JsuF6r56yPrFqUZ6b7byCunku4Xl4DizijuvMTbmcfYsgu2x58
rGcJaP43XBU+Sikbsa5OztnbAgMBAAGjggGDMIIBfzAoBgNVHREEITAfgh11cGRh
dGUtbWFuaWZlc3RzLmlyb25wb3J0LmNvbTAJBgNVHRMEAjAAMHIGA1UdIARrMGkw
ZwYKYIZIAYb4RQEHNjBZMCYGCCsGAQUFBwIBFhpodHRwczovL3d3dy50aGF3dGUu
Y29tL2NwczAvBggrBgEFBQcCAjAjDCFodHRwczovL3d3dy50aGF3dGUuY29tL3Jl
cG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQYMBaAFKeig7s0RUA9/NUw
TxK5PqEBn/bbMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly90Yi5zeW1jYi5jb20v
dGIuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBXBggrBgEFBQcB
AQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly90Yi5zeW1jZC5jb20wJgYIKwYBBQUH
MAKGGmh0dHA6Ly90Yi5zeW1jYi5jb20vdGIuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQARiYu0UKIF6Yejj6oN2UXmTsJ+I8mkTo16eyXVFqgPHJOf2lMl0oXQgRGfbZ/y
d+GPLraip8+SI+v/xkLxDh/bnhqasVCEa3/2VBgPGIhQFID5K2ES2myapnhUGko1
rTLF1qlqMb6O2n2086cv+DK+/EnZ1m26SungOD+Emd5QR/Eugzrb6/q5mFI8FGQJ
+9Nu2PUvv/VK+aHfVL7YTYnjQeog8moBnNtZDGemE0UzvOwgDFvHriCGDUI/fPL6
vfg/iNnFm4RTN6QA+GUcjNsAaVxTOFKsB2Y6Gzwa2+ZwrpbL4NY0mqdIjbAUY5pB
XC0AHXEAF+KFt2PN/X+oYD+I
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=Cisco Technology, Inc./OU=Security Cloud Operations/CN=update-manifests.ironport.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4204 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1508DCFE484082138D133748342EF0452B0D1535F8B0678C237CFB904BB2DF97
    Session-ID-ctx: 
    Master-Key: A487D920EEC75C6FFA7D751364B0E5EE4EB89634D94C84BC50D7ECB9AE2DC4A9B7C193E489E3B9247CACEE37A5AE2C50
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1439401181
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

-Robert