WSUS does not synchronize from Microsoft Update

    Question

  • Hi,

    I installed WSUS Server (W2003 R2 Std - fully patched).
    Same install as I always do without any problems.
    If I try to sync WSUS Server with Microsoft Update, then the sync fails with error:

    WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.Serve

    I did not set up any SSL or did not do anything other than usual.
    Reinstall did not help.

    Who can help me? What did I do wrong?


    • Edited by Magic2ik Thursday, August 01, 2013 2:06 PM
    Thursday, August 01, 2013 2:05 PM

Answers

  • And after searching for some time I found out ESET Endpoint Antivirus was causing this problem.
    When I install ESET Endpoint Antivirus on the server, same error again.

    But when I remove it, sync is working again.
    Time to see what ESET can do.

    • Marked as answer by Magic2ik Thursday, September 05, 2013 5:42 PM
    Thursday, September 05, 2013 5:41 PM

All replies

  • Hi,

    I installed WSUS Server (W2003 R2 Std - fully patched).
    Same install as I always do without any problems.
    If I try to sync WSUS Server with Microsoft Update, then the sync fails with error:

    WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.Serve

    I did not set up any SSL or did not do anything other than usual.
    Reinstall did not help.

    Who can help me? What did I do wrong?


    You have this error because the Server Certificate supplied by the Server during an HTTPS (SSL) request could not be verified.

    Check at this blog to troubleshoot your server's certificate problems.

    TiGrOu.

    • Proposed as answer by elTiGrOu Friday, August 02, 2013 3:15 PM
    Thursday, August 01, 2013 3:02 PM
  • Magic2ik,

    Did you solve this problem?   I have the same issue..

    Thanks.

    - BW

    Friday, August 02, 2013 2:36 PM
  • Did you solve this problem?   I have the same issue..

    The guidance provided by elTiGrOu is the correct guidance. The issue is caused, most likely, because the root certificates have not been updated on the WSUS server, and thus the new SSL certificate needed to synchronize is not trusted.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, August 02, 2013 3:00 PM
  • Thanks for replying Lawrence.. I have taken care of the certificate issue but now I am getting this error when I attempt to Sync:

    TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy' threw an exception. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.
    at Microsoft.UpdateServices.Internal.ClassFactory.CreateInstance(Type type, Object[] args)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.GetWebServiceProxyInternal(UpdateServerConfiguration serverConfig, WebServiceCommunicationHelper webServiceHelper, Boolean useCompressionProxy)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.GetWebServiceCompressionProxy(UpdateServerConfiguration serverConfig, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.RetrieveSubscriptionData()
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

    Any help would be greatly appreciated, thank you.

    - BW

    Friday, August 02, 2013 7:04 PM
  • Is there a firewall, proxy server, or web filter between the WSUS server and the Internet that might be trying to intercept that SSL traffic?

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    Saturday, August 03, 2013 1:26 AM
  • There is a firewall, but nothing has changed since the last successful sync.. which was only a few days ago.  The SSL was never configured to download the updates, so I'm still unsure why it was getting the "Could not establish trust relationship for the SSL/TLS secure channel" error.. The default web site and the WSUS update sites in IIS were looking at an "expired" certificate.. and I took care of that issue, but now I am getting the "An unexpected error occurred on a send" error..  I'm really at a loss, I've set up and managed several WSUS servers before but these issues really have me stumped.

    - BW

    Saturday, August 03, 2013 4:24 AM
  • No, I did not solve the problem.
    My certificate is in the ‘Trusted Root Certification Authorities’ store.

    Firewall and anti-virus are switched off at the moment.
    No proxy is used.

    Can use some help..

    Saturday, August 03, 2013 8:36 AM
  • For me there is no proxy used, and firewall and anti-virus are disabled (at the moment).

     
    Saturday, August 03, 2013 8:37 AM
  • Hi,

    Make sure that the time of your WSUS server and other DCs are the same.

    In addition, hope the below thread could be helpful:

    http://www.wsus.info/index.php?showtopic=10962

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Monday, August 05, 2013 5:24 AM
  • There is a firewall, but nothing has changed since the last successful sync..

    On the contrary, something has changed since the last successful sync, and it caused your WSUS server to quit synchronizing. You were unaware of what that change was (which is why you posted here), which also makes it highly unlikely that you could be fully cognizant that it was the only change that occurred.

    The SSL was never configured to download the updates, so I'm still unsure why it was getting the "Could not establish trust relationship for the SSL/TLS secure channel" error..

    Okay, so I think I've failed to convey how WSUS communicates with Microsoft. WSUS uses SSL to synchronize. You don't configure anything to make this happen, and you can't configure anything to prevent it from happening. Until May, 2012, this SSL-based synchronization was based on a certificate chain that shipped with the operating system. There was nothing you needed to do to enable that functionality.

    In May, 2012, pursuant to the compromises discovered as a result of the Flame malware, the entire certificate chain used by AU/WU/MU/WSUS/WUAgent was destroyed and an entirely new certificate chain was created exclusively for the Windows Update infrastructure. In order to use that certificate chain, you need the certificates. Certificates are distributed in several different ways, depending on the operating system involved.

    I'm not aware of what you did to attempt to fix this issue, but at its core it requires obtaining the new certificate(s) for the Windows Update infrastructure and installing them on your WSUS server. If the WSUS Server is running WS2008 or WS2008R2, then this is as simple as ensuring that the "Root Certificate Updates" functionality is enabled. For a WS2003-based WSUS server, it will require jumping through a few more hoops (e.g. exporting the certificate from another system that has been updated automatically, or installing KB931125 to a workstation OS and exporting the needed certificate(s)).

    The default web site and the WSUS update sites in IIS were looking at an "expired" certificate..

    The SSL certificate stored in IIS for WSUS has Absolutely Nothing to do with the SSL certificate chain used by the WSUS server to synchronize. They are two completely separate certificate environments for two completely separate purposes.

    One is between Microsoft and your WSUS server (the one that is still failing), the other is for use between your WSUS server and its clients (which apparently didn't matter since the clients were communicating anyway).

    I am getting "An unexpected error occurred on a send" error.. 

    This is your still not fixed WSUS synchronization issue.

    TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy' threw an exception. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.

    This is a different error from the original one, though, which was

    WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

    In the original scenario, the WSUS server did not recognize the MU certificate, or for whatever reason, it thought the certificate was invalid. Something changed .. whatever you did between Aug 1st and Aug 2nd, or maybe not related to anything you did, but to something somebody else did, and now the WSUS server isn't even able to communicate with MU to find out whether the certificate is valid or not.

    The key here is that something unexpected is now occurring during the SEND. It's a different behavior/result, so it requires a change in approach to troubleshooting the problem.

    Thus my question about firewalls, proxy servers, and web filters. There is a firewall (that was expected), but apparently no proxy server or web filter (this makes it easier). So, the next step is to work with the firewall administrator to determine what is happening with the WSUS server's attempt to sync as it passes through the firewall.

    • Is the firewall blocking the request?
    • Is the firewall passing it through and something else is blocking it?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    Monday, August 05, 2013 9:00 PM
  • Hi,

    Make sure that the time of your WSUS server and other DCs are the same.

    In addition, hope the below thread could be helpful:

    http://www.wsus.info/index.php?showtopic=10962

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    The time is the same as on the DC.
    In this small domain there is no CA running.

    Tuesday, August 06, 2013 7:15 AM
  • Any other options left ?
    Thursday, August 08, 2013 2:05 PM
  • Solved my problem by reinstalling the server with Windows Server 2008R2.
    Took me 4 hours, but the problem is solved.

    For now it's updating again from Microsoft.
    Maybe not the best way, but the simplest way to get it working again.


    Saturday, August 10, 2013 3:11 PM
  • This worked for 2 days.

    After 2 days again:

    WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.Serve

    Saturday, August 17, 2013 6:42 AM
  • And after searching for some time I found out ESET Endpoint Antivirus was causing this problem.
    When I install ESET Endpoint Antivirus on the server, same error again.

    But when I remove it, sync is working again.
    Time to see what ESET can do.

    • Marked as answer by Magic2ik Thursday, September 05, 2013 5:42 PM
    Thursday, September 05, 2013 5:41 PM
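
Added example, not part of the thread or of any poster's reply: a PowerShell check, run on the WSUS server itself, that separates the two failures discussed above (a certificate chain the server does not trust versus a connection that fails before any certificate is seen) and prints who issued the certificate the server actually received. The host name is an assumption; pass the upstream endpoint your server syncs from.

```powershell
# Added example (not from the thread). $HostName is an assumed endpoint.
param(
    [string]$HostName = 'update.microsoft.com',
    [int]$Port = 443
)

$script:seen = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $policyErrors)
    # Record what was presented and how the local trust store judged it.
    # Chain elements are ordered leaf first, root last.
    $script:seen = New-Object PSObject -Property @{
        Errors = $policyErrors
        Status = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Chain  = @($chain.ChainElements | ForEach-Object {
            '  subject={0} | issuer={1} | expires={2}' -f `
                $_.Certificate.Subject, $_.Certificate.Issuer, $_.Certificate.NotAfter
        })
    }
    return $true   # accept only to finish the handshake; nothing is sent afterwards
}

try {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
} catch {
    # No TCP session at all: a firewall/proxy question, not a certificate question.
    Write-Output "Connect to ${HostName}:$Port failed: $($_.Exception.Message)"
    return
}
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
} catch {
    Write-Output "TLS handshake failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Close() }
    $tcp.Close()
}

if ($script:seen) {
    Write-Output "Policy errors : $($script:seen.Errors)"
    Write-Output "Chain status  : $($script:seen.Status -join ', ')"
    # An issuer naming a local security product or proxy instead of a public CA
    # means something between this server and the endpoint re-signed the session.
    $script:seen.Chain | ForEach-Object { Write-Output $_ }
}
```

Running it once with the endpoint protection product installed and once without shows directly whether the chain changes between the two states.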