WSUS not working properly with SSL
-
Friday, October 05, 2012 8:25 AM
Hi!
I have configured an "Internet facing" WSUS with Windows Server 2012 and WSUS with SSL. The WSUS is set up with an external FQDN and corresponding SSL (internal CA signed) certificate.
I have changed my WSUS GPO and clients are able to connect to the WSUS and get their updates (both on the LAN and over the Internet).
My problem is that since I configured the WSUS for SSL, I can no longer access it from the MMC on my WSUS server. I also get the error 12012 "The API Remoting Web Service is not working" in the event log on the server.
I am, however, able to connect to the WSUS MMC from another server (2008R2) and I am able to manage the server from there, but I would like to be able to do it from the WSUS server itself also.
Thanks,
Robert
All Replies
-
Friday, October 05, 2012 12:03 PM
Remove the server from the console then connect again, but this time use the 443 port option from the drop-down box.
Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7
My Blog: www.vkernel.ro/blog
-
Friday, October 05, 2012 12:33 PM
I have removed the server and tried to re-add it with its public name. I have also checked the SSL box (using port 8531), but getting the error:
Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port og different Secure Sockets Layer (SSL) setting.
- Edited by Syntetisk Friday, October 05, 2012 12:34 PM
-
Thursday, October 11, 2012 10:08 AM
I am having the exact same problem! I also can't figure out how to for sure change it back to port 80/443 (which I would very much prefer).
-
Thursday, October 11, 2012 10:39 AM
Reinstall WSUS using default site which is running on port 80.
Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7
My Blog: www.vkernel.ro/blog
-
Friday, October 12, 2012 5:08 AM Moderator
Hi,
What is your current situation? My suggestion would be to log onto this machine using the account with which you started the installation. After the installation and reboot, maybe you didn't log onto the WSUS server to finish the post-installation task? Are there any errors in the event log? If there is nothing else to provide, I suggest you try a reinstallation with the remaining DB, LOG files and update files to see whether you can connect locally.
Regards,
Clarence
- Marked As Answer by Clarence Zhang (Moderator) Monday, October 22, 2012 2:51 AM
- Unmarked As Answer by Syntetisk Monday, October 22, 2012 6:00 AM
-
Monday, October 22, 2012 6:02 AM
Hello,
The error I get in the WSUS server Application log is: Event ID 12012, The API Remoting Web Service is not working.
-
Wednesday, October 24, 2012 12:18 AM
I have removed the server and tried to re-add it with its public name. I have also checked the SSL box (using port 8531), but getting the error:
Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port og different Secure Sockets Layer (SSL) setting.
I am having the same problem. Have tried EVERYTHING. I can get SSL working with WSUS on 2008R2 no problem, so I know that to get it to work on server 2012 must require some level of tweaking. Also, once I enable SSL, even after rolling back changes, I cannot access the server anymore via the MMC (gives the error above)
I did the following steps to try and get it working (without any luck of course):
To configure SSL on the WSUS server by using IIS 7.0
- On the WSUS server, open Internet Information Services (IIS) Manager.
- Expand Sites, and then expand the Web site for the WSUS server. We recommend that you use the WSUS Administration custom Web site, but the default Web site might have been chosen when WSUS was being installed.
- Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site.
  - In Features View, double-click SSL Settings.
  - On the SSL Settings page, select the Require SSL checkbox. Ensure that Client certificates is set to Ignore.
  - In the Actions pane, click Apply.
- Close Internet Information Services (IIS) Manager.
- Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>.
- Edited by hewyii Wednesday, October 24, 2012 1:25 AM
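A way to audit the result of the IIS procedure in the post above, as an added PowerShell example that is not part of the thread. It assumes the site is named 'WSUS Administration' and reads the settings with appcmd, the same tool used elsewhere in this thread.

```powershell
# Added audit sketch, not from the post. Run elevated on the WSUS server.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'WSUS Administration'   # assumption; use 'Default Web Site' if WSUS lives there
$vdirs  = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
          'ServerSyncWebService', 'SimpleAuthWebService'

# The site needs an https binding before "Require SSL" can work at all.
$siteLine = (& $appcmd list site $site) -join ' '
if ($siteLine -notmatch 'https/') { Write-Warning "No https binding on site '$site'" }

foreach ($v in $vdirs) {
    # appcmd prints the effective <access> element; a missing sslFlags attribute means None.
    $xml = (& $appcmd list config "$site/$v" '/section:system.webServer/security/access') -join ' '
    $flags = if ($xml -match 'sslFlags="([^"]*)"') { $Matches[1] } else { 'None' }
    $tokens = $flags -split '\s*,\s*'
    [pscustomobject]@{
        VirtualDirectory   = $v
        SslFlags           = $flags
        RequireSsl         = $tokens -contains 'Ssl'
        # "Client certificates: Ignore" means neither client-certificate flag is set.
        ClientCertsIgnored = -not ($tokens -contains 'SslNegotiateCert' -or $tokens -contains 'SslRequireCert')
    }
}
```

Each of the five virtual directories should report RequireSsl and ClientCertsIgnored as True once the steps have been applied.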
-
-
Monday, November 12, 2012 8:46 AM
I have removed the server and tried to re-add it with its public name. I have also checked the SSL box (using port 8531), but getting the error:
Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port og different Secure Sockets Layer (SSL) setting.
If you can connect w/o SSL using port 8530, then I think you need to add an SSL binding in IIS on port 8531:
c:\windows\system32\inetsrv\appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:8531:']
-
Monday, November 12, 2012 8:49 AM
I am not able to connect w/o SSL, as I have already done the bindings you are asking about, and also required SSL on some of the directories in IIS (as per the deployment guide).
- Edited by Syntetisk Monday, November 12, 2012 8:49 AM
-
Monday, November 12, 2012 8:58 AM
Remove WSUS then reinstall using these guides:
Install WSUS 3.0 on Windows Server 2008 R2
http://www.vkernel.ro/blog/install-wsus-3-0-on-windows-server-2008-r2
Configure WSUS to use SSL
http://www.vkernel.ro/blog/configure-wsus-to-use-ssl
Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7
My Blog: www.vkernel.ro/blog
-
Monday, November 12, 2012 10:54 PM Moderator
My problem is that since I configured the WSUS for SSL, I can no longer access it from the MMC on my WSUS server.
Did you install the SSL certificate on the WSUS server (as a client)?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Monday, November 12, 2012 10:57 PM Moderator
Reinstall WSUS using default site which is running on port 80.
Something I recently learned.. which I'm still in shock over...
The default installation port for WSUS on Windows Server 2012 is 8530. :-//
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Monday, November 12, 2012 11:05 PM Moderator
I did the following steps to try and get it working (without any luck of course):
This is only part of what needs to be done. I'm not sure where this copy-and-paste came from, but the complete procedure can be found in the current WSUS Deployment Guide (July 2011) in the section Secure the WSUS 3.0 SP2 Deployment, which contains this (edited for relevancy) follow-up section:
Configure SSL on client computers
When you configure SSL on client computers, you should consider the following issues:
- You must include a URL for a secure port on the WSUS server. Because you cannot require SSL on the server, the only way to make sure that client computers can use a security channel is by using a URL that specifies HTTPS. If you use any port other than 443 for SSL, you must include that port in the URL also. For example, https://<ssl-servername> specifies a WSUS server that uses port 443 for HTTPS. https://<ssl-servername>:8531 specifies a WSUS server that uses a custom SSL port of 8531.
- The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or Automatic Update Service Trusted Root CA store. If the certificate is imported to the Local User's Trusted Root CA store only, Automatic Updates will fail server authentication.
- The client computers must trust the certificate that you bind to the WSUS server. Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server. For more information about certificates, see Additional SSL resources.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Monday, November 12, 2012 11:07 PM Moderator
Remove WSUS then reinstall using these guides:
Install WSUS 3.0 on Windows Server 2008 R2
http://www.vkernel.ro/blog/install-wsus-3-0-on-windows-server-2008-r2
Configure WSUS to use SSL
It really is preferred, that when posting in Microsoft forums, that you use links to the Microsoft official documentation.
http://technet.microsoft.com/en-us/library/dd939849(v=ws.10).aspx
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Tuesday, November 13, 2012 7:00 AM
OK..
To recap this issue a bit..
I am able to connect to the WSUS from clients (both internally and externally over the Internet) AND I am able to connect to the WSUS console from another server, but NOT from the WSUS server itself.
So my problem is why/how can't I connect to WSUS console on the server?
-
Tuesday, November 13, 2012 11:10 PM Moderator
I am able to connect to the WSUS from clients (both internally and externally over the Internet) AND I am able to connect to the WSUS console from another server, but NOT from the WSUS server itself.
So my problem is why/how can't I connect to WSUS console on the server?
As asked... but not appearing to be answered.... have you performed the Configure SSL on client computers procedure on the WSUS server so that the WSUS server can be a 'client' of itself.
This procedure is not required just for the WUAgent to be able to talk to an SSL-enabled WSUS server, but also to allow the MMC to be able to talk to the SSL-enabled server. Inasmuch as you can connect from everywhere else, this seems to be the most logical cause.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Wednesday, November 14, 2012 7:10 AM
Yes, I have.
WSUS settings are controlled through Group Policy, and the WSUS server itself also has this policy applied to it. In regards to certificates, I have used an internal (Microsoft) CA, which is used in conjunction with an Automatic certificate request GPO, so that all clients have the root CA certificate installed on them, so certificate trust should not be an issue. I can confirm that the SSL (webserver) certificate issued to and used by the WSUS IIS has the internal root CA as root. The internal root CA is also installed in Trusted Root Certification Authorities on both the Computer account, and the User account on the WSUS server.
- Edited by Syntetisk Wednesday, November 14, 2012 7:12 AM
-
Thursday, November 15, 2012 11:37 PM Moderator
Yes, I have.
WSUS settings are controlled through Group Policy, and the WSUS server itself also has this policy applied to it. In regards to certificates, I have used an internal (Microsoft) CA, which is used in conjunction with an Automatic certificate request GPO, so that all clients have the root CA certificate installed on them, so certificate trust should not be an issue. I can confirm that the SSL (webserver) certificate issued to and used by the WSUS IIS has the internal root CA as root. The internal root CA is also installed in Trusted Root Certification Authorities on both the Computer account, and the User account on the WSUS server.
Please forgive my pedantic nature.. but in scenarios like this, I quite often find the fact assumed is the fact bitten by.
- You've used an Enterprise CA to create and distribute a root certificate.
- You created an SSL certificate derived from that root certificate.
- The root CA is installed in the Trusted Root CA store of the Computer account. (As noted in the cited documentation, the root cert in the User store is meaningless.)
But I don't see anywhere that you have confirmed that the *SSL* certificate has been installed in the Computer store of the WSUS server -- in the same manner that it has (apparently) been installed on all of the other systems in your network (as evidenced by their ability to establish an SSL connection to WSUS).
Question: Can the Windows Update Agent of the WSUS server successfully detect/report to the WSUS server?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Friday, November 16, 2012 7:26 AM
Yes, the SSL certificate used by the WSUS IIS (update.organization.com) is installed in the Computer account personal store of the WSUS server.
No, the WSUS server itself is not registered in the WSUS as a Client.
-
Monday, November 19, 2012 3:40 PM Moderator
No, the WSUS server itself is not registered in the WSUS as a Client.
Then, as a diagnostic measure, if not as an operational requirement -- I would start by getting the WSUS server's WUAgent to properly register with the WSUS server.
If the WSUS server is configured (via policy) as a WSUS client, and it's not registered, then I can almost guarantee you that these two conditions:
- WUAgent does not register with SSL-enabled WSUS server.
- Local MMC cannot establish a connection to SSL-enabled WSUS server.
are caused by exactly the same thing.
If the WSUS server is not configured as a WSUS client, the reason why is yet another conversation to be had, but configuring it as a client, and having it successfully register, detect, and report, will eliminate the client-side of the SSL certificate as a consideration and then we can move on to other more obscure possibilities.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
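The client-side checks discussed in the replies above (an HTTPS URL that includes the port, and a certificate chain that ends in a root held in the Local Computer store), as an added PowerShell example that is not part of the thread. The host name is a placeholder, and the registry path is the standard Windows Update policy key, assumed to be where the GPO writes WUServer.

```powershell
# Added diagnostic, not from the thread. Run elevated on the WSUS server itself.
$WsusHost = 'update.example.com'   # placeholder: FQDN the SSL certificate was issued to
$Port     = 8531                   # SSL port used in the thread

# 1. Does the Windows Update policy on this machine use an HTTPS URL that includes the port?
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if ($wu.WUServer -notmatch "^https://[^/:]+:$Port/?$") {
    Write-Warning "WUServer policy is '$($wu.WUServer)', expected https://<fqdn>:$Port"
}

# 2. Fetch the certificate IIS presents. The callback records the validation result
#    and returns $true so the handshake completes even when validation fails.
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $c, $ch, $e)
    $script:sslErrors = $e
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($WsusHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($WsusHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
} finally { $ssl.Dispose(); $tcp.Close() }

# 3. Build the chain without revocation checks and locate the certificate it ends in.
$x509chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$x509chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$x509chain.Build($cert)
$root = $x509chain.ChainElements[$x509chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    PresentedDnsName   = $cert.GetNameInfo('DnsName', $false)
    SslPolicyErrors    = $script:sslErrors   # None = name and chain validated for this user
    ChainEndsIn        = $root.Subject
    ChainReachesRoot   = $root.Subject -eq $root.Issuer
    # A root present only in the user store fails Automatic Updates (per the quoted
    # guide), so test the Local Computer store directly.
    RootInLocalMachine = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    ChainStatus        = ($x509chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}
```

A result with SslPolicyErrors of None and RootInLocalMachine True rules out the client-side certificate on the WSUS server; a name mismatch or a missing machine-store root points back to it.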

