10 Replies Latest reply on Sep 12, 2014 1:13 PM by Lawrence Garvin

    Eval of Patch Manager - Package failing during validation on client

    david.speer

      All servers in hierarchy are 2008 R2.

      I published the update to upstream server.

      Update validation clearly fails during windows update.


      Certificate and API validation passes.

      certValidation.png

      Deployed Adobe full 11 to two windows 7 lab guests

      approvedForCollection.png


      WSUS Lab GPO (Including publishing cert into trusted publisher)

      LAB_GPO.png

      Windows Update Log from the client:

      WindowsUpdate.PNG


      Trusted Publisher - Code signing cert is present in both the Computer & User store on affected client.

      Cert chain is ok.

      TrustedPublisher.png


      Advice is appreciated.

      Thanks,

        • Re: Eval of Patch Manager - Package failing during validation on client
          Lawrence Garvin

          Client error 0x800b0109, covered in KB Article #3641.


          What's configured in the GPO is not nearly as relevant as what's actually APPLIED to the client.

          Assuming the certificate expiring August 2016 is the correct certificate, the logical conclusion here is that the GPO didn't actually get applied, and thus the option "Allow signed updates..." is not actually enabled.


          Do you have an RSOP from the CLIENT?


          One note... the certificate listed in the GPO does not match the certificate displayed at the client.

          The certificate in the GPO is issued to us01.skanska.org; it seems the machine name is actually  01.skanska.org based on all of the other images.

          1 of 1 people found this helpful
            • Re: Eval of Patch Manager - Package failing during validation on client
              david.speer

              The GPO is being applied, it also delivered the cert in the screenshot.

              I just erased the full server name, it's just something I do for security reasons.

              What I actually have noticed is that the tool for some reason pushed a self-signed cert when I use this tool and attempt to pull in my code signing cert.

              I confirmed that it pushed this self-signed cert (not the intended one we issued from the CA to all the servers).


              At least now I get why we're not validating.

              I had already tried to refresh the update server under the "update services node" in the product.

              certImportFail.png

                • Re: Eval of Patch Manager - Package failing during validation on client
                  david.speer

                  Attached RSOP for allow signed updates.

                  RSOP.PNG

                  • Re: Eval of Patch Manager - Package failing during validation on client
                    Lawrence Garvin

                    What I actually have noticed is that the tool for some reason pushed a self-signed cert when I use this tool and attempt to pull in my code signing cert.

                    Is your Enterprise CA certificate stored in the "WSUS" store of the WSUS Server?

                    If so, delete the self-signed certificate from the "WSUS" store and do a Refresh Update Server to cache the CA-based cert.

                      • Re: Eval of Patch Manager - Package failing during validation on client
                        david.speer

                        Confirmed, I tried that process to refresh. Validated that no cert was present when viewing it in the Update Services node.


                        SoftwarePublishCert_UpdateServices.PNG


                        I flip back to the Server Publishing Setup Wizard tool.

                        It doesn't automatically populate the cert issued from the Cert Authority.

                        I then attempted to import the code signing cert on the Administration and Reporting Node.

                        It automatically generated a new self-signed cert.


                        One interesting thing on the template I use from my CA: I have Digital Signature listed under Key Usage as shown below.

                        This is not available in the self-signed cert.

                        I'll update and publish an update to the template tomorrow.

                        Maybe this extra Key Usage for Digital Signature is glitching the process.

                        KeyUsage.png

                          • Re: Eval of Patch Manager - Package failing during validation on client
                            david.speer

                            I've reissued the certificate template for this and it didn't change the outcome.

                            It keeps trying to make a self signed cert instead of using my internal CA cert.

                            I suspect it just behaves differently on server 2008 than on Server 2012.

                            If we proceed I'm just going to use the self signed certificate.

                            • Re: Eval of Patch Manager - Package failing during validation on client
                              Lawrence Garvin
                              Confirmed, I tried that process to refresh. Validated that no cert was present when viewing it in the Update Services node.

                              To be true, this doesn't really indicate that the cert is not present in the store on the WSUS server; it merely means that the Patch Manager server does not have a cached copy of any cert that may exist.


                              I then attempted to import the code signing cert on the Administration and Reporting Node.

                              I'm not sure which function you're referring to on the Administration and Reporting node, but Patch Manager ONLY creates self-signed certificates, so if you're using a utility that creates a certificate, then that's what you're going to get.


                              It keeps trying to make a self signed cert instead of using my internal CA cert.

                              Yes. It will. *YOU* must manually import the Enterprise CA cert into the WSUS store, by one of the following methods:

                              • The Certificates MMC Snap-in Import Certificate tool
                              • The FREE SolarWinds WSUSCertificateManagement tool
                              • Auto-Enrollment from your Certificate Authority (and it'll need to be configured to know to put the certificate in the WSUS store).

                              You cannot import an Enterprise CA-based cert, or a Third-Party Cert, into the WSUS store using Patch Manager.

                      • Re: Eval of Patch Manager - Package failing during validation on client
                        Lawrence Garvin

                        One thing I just discovered.... these URLs are incorrect. They must be IDENTICAL.

                        Either you're using SSL, or you're not.


                        9-11-2014 7-33-44 AM.png

                          • Re: Eval of Patch Manager - Package failing during validation on client
                            david.speer

                            It was very puzzling. Got it sorted though.

                            I used the SCUP documentation and resources to get it sorted.

                            Even though the Root CA and subordinate were in my Trusted Root Authorities (and the cert validated) I *STILL* had to add the code signing cert itself into Trusted Root Certification Authorities as well.

                            Highlighted the (3) paths the cert needs to be in on the WSUS box.

                            CertStores.JPG

                              • Re: Eval of Patch Manager - Package failing during validation on client
                                Lawrence Garvin

                                I *STILL* had to add the code signing cert there into Trusted Root Certification Authorities as well.

                                YES... the publishing certificate (the public key side -- the CER file) MUST be installed in both Trusted Root Certification Authorities and Trusted Publishers.

                                And if the certificate is not self-signed, then the entire authority chain must also be in the appropriate stores: Root Certs in Trusted Root Certification Authorities, and Intermediate Certs in Intermediate Certification Authorities.

                                The private key side (the PFX) goes in the WSUS store.

                                Once you get the PFX in the WSUS store, the Patch Manager tools will properly distribute that certificate to the correct stores and systems if you let it.

                                9-12-2014 1-12-43 PM.png
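The store layout described in the last two replies (PFX in the WSUS store on the server, CER in both Trusted Root Certification Authorities and Trusted Publishers, the CA chain in the Root and Intermediate stores) and the earlier point about the GPO actually being applied on the client can be audited with one script. This is an added example, not SolarWinds or Patch Manager code and not posted by anyone in the thread; it assumes you run it elevated with the publishing certificate's thumbprint (placeholder value, look it up in your own WSUS store), and `-ClientOnly` on a client, where no WSUS store is expected.

```powershell
# Added example: audit where the WSUS publishing certificate sits (server and client side).
param(
    [Parameter(Mandatory=$true)][string]$Thumbprint,   # assumption: publishing cert thumbprint (placeholder)
    [switch]$ClientOnly                                 # skip the WSUS-store (private key) check on a client
)

function Test-CertInStore {
    param([string]$StoreName, [string]$Thumbprint, [switch]$RequirePrivateKey)
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    try { $store.Open($flags) } catch { return $false }   # store does not exist at all (e.g. no WSUS store yet)
    try {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
        if (-not $cert) { return $false }
        if ($RequirePrivateKey) { return [bool]$cert.HasPrivateKey }   # the PFX side, not just the CER
        return $true
    } finally { $store.Close() }
}

function Write-Result($label, $ok) { '{0,-52} {1}' -f $label, $(if ($ok) { 'present' } else { 'MISSING' }) }

# 1. The public key side (CER) must be in BOTH of these stores, on the WSUS server and on every client.
Write-Result 'Trusted Root Certification Authorities (CER)' (Test-CertInStore 'Root' $Thumbprint)
Write-Result 'Trusted Publishers (CER)'                     (Test-CertInStore 'TrustedPublisher' $Thumbprint)

# 2. The private key side (PFX) lives only in the WSUS store on the WSUS server.
if (-not $ClientOnly) {
    Write-Result 'WSUS store (PFX with private key)' (Test-CertInStore 'WSUS' $Thumbprint -RequirePrivateKey)
}

# 3. For a CA-issued cert the whole chain must be trusted: roots in Root, intermediates in CA.
$leaf = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($leaf) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'       # offline audit; revocation is checked separately
    $null = $chain.Build($leaf)
    foreach ($el in ($chain.ChainElements | Select-Object -Skip 1)) {   # skip the leaf itself
        $c = $el.Certificate
        $storeName = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
        Write-Result "chain: $($c.GetNameInfo('SimpleName', $false)) in $storeName" (Test-CertInStore $storeName $c.Thumbprint)
    }
}

# 4. Client side: the policy behind "Allow signed updates from an intranet Microsoft update service location".
#    Reading it from the policy key shows what is APPLIED, which is what the RSOP question was about.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = (Get-ItemProperty -Path $wu -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
'{0,-52} {1}' -f 'AcceptTrustedPublisherCerts policy' , $(if ($accept -eq 1) { 'enabled' } else { 'NOT applied' })
```

Any line reporting MISSING or NOT applied is a concrete thing to fix before re-running the client's Windows Update check; compare the output of a working client against a failing one.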