SCUP + SCCM + WSUS + Signed SSL Cert = "Verification of File Signature failed" When Publishing

    Question

  • I have a box running the following:

    • Windows Server 2008 R2
    • All required roles & features for SCCM
    • SQL 2008 R2 Enterprise
    • WSUS 3.0 SP2
    • SCCM 2007 SP2 R3
    • SCUP 4.5

    The site is running in Mixed Mode, I have SSL enabled for WSUS, and everything is on the same box (publishing locally). The cert I'm using has been signed by InCommon / Comodo and is used in IIS on the Default & WSUS Administration sites. At first, when I was just testing out the capabilities of SCUP, I was using the WSUS Self-Signed cert until I realized that I'd have to push out that cert via GPO to any client where I wanted third party updates to be installed. So that's when I looked into how I could use my signed cert.

    I exported the signed cert as a .pfx file, hit "Browse", "Create" and typed in the password all in SCUP, and it appears to have been accepted (the Certificate Issuer is listed as "CN=COMODO High-Assurance Secure Server"). The server's local security policy also has the "Allow signed updates from an intranet Microsoft update service location" set to "Enabled". I also imported the same cert from the same .pfx file into the "Trusted Publishers" store for the Computer Account (the cert was originally in the "Personal" store for the Computer Account anyway) by going to the Trusted Publishers store and selecting "Import" (I did not just copy it from the Personal store, unsure if there are any functional differences, but this is the documented way so I'll play along).

    Now, with everything looking like it should work, in SCUP I've got Adobe's Flash Player Catalog as one of the publishers in the Import List (Settings -> Import List). In addition, in Settings -> Advanced -> General Settings, "Prompt for re-signing updates while publishing" is checked. If I set the Publish Flag for today's release of Adobe Flash Player 10.2.153.1 to "Full Content", try to publish it, and select "Yes" when being prompted to re-sign the update, I get this in the UpdatesPublisher.log:

    Publish:  : Exception occured during publishing: Verification of file signature failed for file: \\<server>\UpdateServicesPackages\e49b33e1-1429-4d8d-a796-acdf12c9d80e\d83626bb-2a94-4056-8a91-5a5dd16688ba_1.cab    Updates Publisher    3/22/2011 10:31:36 AM    10 (0x000A)

    However if I set the Publish Flag for the same update to "Metadata Only", it succeeds in Publishing and I get this in the UpdatesPublisher.log:

    Publish:  : BEGIN--- Publishing dependencies for update 'e49b33e1-1429-4d8d-a796-acdf12c9d80e'.    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : END --- Publishing dependencies for update 'e49b33e1-1429-4d8d-a796-acdf12c9d80e'.    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : Finally publishing the update 'e49b33e1-1429-4d8d-a796-acdf12c9d80e' itself.    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : Publishing update: 'e49b33e1-1429-4d8d-a796-acdf12c9d80e'    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : --- SDP XML file for publishing created at C:\Users\<user>\AppData\Local\Temp\tmpEA72.tmp    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : --- Temporary SDP XML file C:\Users\<user>\AppData\Local\Temp\tmpEA72.tmp created for publishing...    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : ---Preparing for metadata only publish for update e49b33e1-1429-4d8d-a796-acdf12c9d80e    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : --- Calling update server API for update 'e49b33e1-1429-4d8d-a796-acdf12c9d80e'    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : --- Calling update server API for publishing update 'e49b33e1-1429-4d8d-a796-acdf12c9d80e'    Updates Publisher    3/22/2011 3:35:40 PM    10 (0x000A)
    Publish:  : --- PublishPackage call successful for update 'e49b33e1-1429-4d8d-a796-acdf12c9d80e'    Updates Publisher    3/22/2011 3:35:41 PM    10 (0x000A)
    Publish:  : --- Removing temporary files...    Updates Publisher    3/22/2011 3:35:41 PM    10 (0x000A)
    Publish:  : --- Completed publishing for update 'e49b33e1-1429-4d8d-a796-acdf12c9d80e'    Updates Publisher    3/22/2011 3:35:41 PM    10 (0x000A)

    Yet, while the update appears on the client once the update is deployed, it fails to install. I tested deploying Windows 7 SP1 to the same client and that worked, not too surprising since the update is signed by Microsoft.

    Since this is a signed cert, and the other, dependent intermediary certificates are on the server (I've even tried storing the intermediate certs in the "Trusted Publishers" store in addition to the signed cert itself to no avail), what gives? I've read many other threads where the certificate wasn't in the right store and others where WSUS Self-Signed cert wasn't being deployed to the client via one method or another, but since the same client, and the server for that matter, can navigate to a secure web site on the server using this signed cert, I'm not sure why I'm getting the signature verification failures. Anyone have an idea? Is there a cert I'm missing from Adobe that needs to be downloaded locally to the server and/or client? Thanks in advance.


    Tuesday, March 22, 2011 8:34 PM

All replies

  • Hi,

    You must first disable ssl, then add the certificate (WSUS Publishers Self-signed) on the client computer to the Trusted Root Certification Authorities and Trusted Publishers certificate stores.

    For more information visit: How to configure the Digital Certificate on Client Computers

    http://technet.microsoft.com/en-us/library/bb531031.aspx

    Hope this will help you, it worked for me.


    Tuesday, May 17, 2011 4:46 PM
  • He said he already imported the cert on client certificate stores.

    Boomdude, are you sure your update is being signed by the certificate you are trying to use? Try to check the digital signature on the file downloaded on client and make sure it's trusted by the client, and is signed by the same certificate listed in SCUP.


    Mayur
    Tuesday, May 17, 2011 5:17 PM
  • I know this thread is kind of old, but I found it while looking for a solution to this as I faced the exact same problem.

    I found on the following blog that the minimum key size for the SSL cert is 2048 for SCUP 2011. By default when I created the certificate signing request in IIS the size was 1024.

    http://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx

    I recreated the cert, added it to IIS and replaced the existing cert, and re-imported the cert as a PFX into SCUP. After all this I still had the error when trying to do a full content publish. So I deleted the updates and publication for SCUP, recreated them and now I can do a full content publish and it shows up in SCCM as a deployable update.

    Hopefully this information is of some use to other people facing the same problem.

    EDIT: It started to fail to publish full content again. Not sure why it decided to stop. However, after following the rest of the guide in the blog above (creating a Code Signing template and using that for the SCUP cert) it started working reliably.



    • Edited by csikorra Tuesday, October 11, 2011 9:36 PM
    Tuesday, October 11, 2011 7:46 PM
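The two replies above suggest three checks: that the published .cab is actually signed by the certificate configured in SCUP and that the client trusts that signature (Mayur), and that the signing cert has a 2048-bit key and was issued from a Code Signing template (csikorra). The following PowerShell script, added here as an example and not posted by anyone in this thread, runs those checks in one pass. The .cab path and the expected thumbprint are placeholders you fill in from your own UpdatesPublisher.log and from the certificate shown in SCUP; run it on the client that failed to install the update (for the signature and store checks) and on the SCUP server (for the key size and EKU checks).

```powershell
# Added diagnostic example, not part of the original thread.
# Placeholders (replace with your own values):
$CabPath            = '\\<server>\UpdateServicesPackages\<update-guid>\<package-guid>_1.cab'  # path from UpdatesPublisher.log
$ExpectedThumbprint = '<THUMBPRINT OF THE CERT SHOWN IN SCUP>'                               # from the cert's Details tab

# 1. Which certificate signed the published .cab, and does this machine trust the signature?
#    Status values include Valid, NotSigned, HashMismatch, NotTrusted and UnknownError;
#    only Valid means the Windows Update Agent will accept the file.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer subject   : $($sig.SignerCertificate.Subject)"
    "Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        Write-Warning 'The .cab was signed by a different certificate than the one configured in SCUP.'
    }
}

# 2. Is the signing cert in the computer stores the client needs?
#    Trusted Publishers is required for any cert; Trusted Root is additionally required
#    when the cert is self-signed (the WSUS Publishers Self-signed case in the first reply).
foreach ($store in 'TrustedPublisher', 'Root') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    '{0,-16} : {1}' -f $store, $(if ($found) { 'present' } else { 'MISSING' })
}

# 3. Key size and Enhanced Key Usage of the signing cert in the server's Personal store.
#    csikorra's reply: a 1024-bit key failed, 2048 bits worked, and a Code Signing template
#    made publishing reliable.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if ($cert) {
    $keySize = $cert.PublicKey.Key.KeySize
    "Key size         : $keySize bits"
    if ($keySize -lt 2048) { Write-Warning 'Key is shorter than 2048 bits; regenerate the certificate.' }

    $ekuExt = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuNames = @()
    if ($ekuExt) { $ekuNames = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }
    "EKU              : $($ekuNames -join ', ')"
    if ($ekuNames -notcontains 'Code Signing') {
        Write-Warning 'Certificate lacks the Code Signing EKU (a server-authentication SSL cert is not enough).'
    }
} else {
    Write-Warning 'Expected certificate not found in Cert:\LocalMachine\My on this machine.'
}
```

If check 1 reports a signer thumbprint that differs from the one in SCUP, the updates were signed with an earlier certificate and need to be re-published (as csikorra did by deleting and recreating them). If the thumbprints match but the status is not Valid, the problem is on the client side: the cert or its chain is missing from the stores in check 2, or the "Allow signed updates from an intranet Microsoft update service location" policy is not applied there.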