Since when does WSUS require an SSL certificate signed by Microsoft?

    Question

  • 2012-07-16 18:35:10.362 UTC Info WsusService.8 SusService.ValidateServerCertificate CheckValidationResult Succeeds: CertOK
    2012-07-16 18:35:10.362 UTC Info WsusService.8 WebServiceCommunicationHelper.VerifyServerCertificate Requested host: my.update.server
    2012-07-16 18:35:10.409 UTC Error WsusService.8 CertificateChainPolicy.VerifyPolicy The given certificate chain has not Microsoft Root CA signed root (800B0109)

    My own certificates signed by my own CA have always been sufficient until very recently.

    All seven WSUS 3.0 sp2 services now report "the service is not working" all day long.

    Server functionality does not seem to be impaired, but the event logs are full of this annoying error.

    How do I make it stop?


    • Edited by cjc055 27 July 2012 20:12
    16 July 2012 19:08
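The three log lines quoted in the question follow a fixed layout (timestamp, zone, level, process.thread, class.method, message, with the HRESULT in parentheses at the end). The following PowerShell is an added example, not code from the thread or from Microsoft: it parses lines of that shape and summarises certificate errors by component and HRESULT, so the frequency and time span of the 800B0109 entries can be read off instead of scrolled past. The sample lines are constructed from the ones posted above; the log path in the closing comment is the one quoted later in the thread.

```powershell
# Added example (not from the thread): parse WSUS SoftwareDistribution log lines
# and summarise certificate errors by component and HRESULT.

# Sample input constructed for this example; the first three lines are the
# entries quoted in the question, the fourth is a constructed repeat.
$SampleLines = @(
    '2012-07-16 18:35:10.362 UTC Info WsusService.8 SusService.ValidateServerCertificate CheckValidationResult Succeeds: CertOK'
    '2012-07-16 18:35:10.362 UTC Info WsusService.8 WebServiceCommunicationHelper.VerifyServerCertificate Requested host: my.update.server'
    '2012-07-16 18:35:10.409 UTC Error WsusService.8 CertificateChainPolicy.VerifyPolicy The given certificate chain has not Microsoft Root CA signed root (800B0109)'
    '2012-07-17 06:35:11.001 UTC Error WsusService.8 CertificateChainPolicy.VerifyPolicy The given certificate chain has not Microsoft Root CA signed root (800B0109)'
)

# Layout of one line: <date> <time> <tz> <level> <process.thread> <class.method> <message>
$LinePattern    = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?<tz>\S+) (?<level>\S+) (?<source>\S+) (?<component>\S+) (?<message>.*)$'
# Windows HRESULT appended in parentheses at the end of the message, e.g. "(800B0109)"
$HResultPattern = '\((?<hr>[0-9A-Fa-f]{8})\)\s*$'

# Meanings of the two codes mentioned in this thread (standard Windows HRESULT values)
$KnownHResults = @{
    '800B0109' = 'CERT_E_UNTRUSTEDROOT: chain terminates in a root certificate the trust provider does not trust'
    '800B0001' = 'TRUST_E_PROVIDER_UNKNOWN: unknown trust provider'
}

function ConvertFrom-WsusLogLine {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -notmatch $LinePattern) { return }      # skip blank or continuation lines
        $fields = $Matches                                 # keep a copy; the next -match replaces $Matches
        $hresult = $null
        if ($fields['message'] -match $HResultPattern) { $hresult = $Matches['hr'].ToUpper() }
        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact($fields['ts'], 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            Level     = $fields['level']
            Source    = $fields['source']
            Component = $fields['component']
            HResult   = $hresult
            Message   = $fields['message']
        }
    }
}

function Get-WsusCertificateErrorSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ConvertFrom-WsusLogLine |
        Where-Object { $_.Level -eq 'Error' -and $_.Component -like '*Certificate*' } |
        Group-Object Component, HResult |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Timestamp)
            $hr = $sorted[0].HResult
            [pscustomobject]@{
                Component = $sorted[0].Component
                HResult   = $hr
                Count     = $_.Count
                First     = $sorted[0].Timestamp
                Last      = $sorted[-1].Timestamp
                Meaning   = if ($hr -and $KnownHResults.ContainsKey($hr)) { $KnownHResults[$hr] } else { 'no known HRESULT in message' }
            }
        }
}

# Run against the constructed sample. On a live server replace $SampleLines with
# Get-Content 'C:\Program Files\Update Services\LogFiles\SoftwareDistribution.txt'
# (the path quoted later in this thread).
Get-WsusCertificateErrorSummary -Lines $SampleLines | Format-List
```

On the sample input this yields one group (CertificateChainPolicy.VerifyPolicy, 800B0109, count 2) with the first and last timestamps, which is the shape of evidence worth attaching to a support ticket: which component fails, with which code, and since when.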

Answers

All Replies

  • more info here

    http://blogs.technet.com/b/wsus/archive/2012/06/08/further-hardening-of-wsus-now-available.aspx


    Feed: WSUS Product Team Blog Posted on: Friday, June 08, 2012 12:43 PM Author: WSUS Team Subject: Further Hardening of WSUS Now Available

     Hello, 

    As we mentioned previously, Microsoft is releasing an update to further harden the Windows Server Update Services (WSUS) as a defense-in-depth precaution for our customers. This update is now available for download. As an additional measure, we are providing the SHA1 and SHA2 hashes of the WSUS update and the WU client files we released today. This allows administrators to verify that the files they download are from Microsoft. The hashes are listed in the update KB article. We strongly urge WSUS administrators to apply these updates as soon as possible to take advantage of the added security they offer. If you’d like to read more, please review the MSRC blog for more information.

    Please follow the following steps to ensure a smooth deployment:

    1. Apply Security Advisory Update 2718704, issued on June 3, which moved unauthorized digital certificates derived from a Microsoft Certificate Authority to the Untrusted Store.
    2. Apply the WSUS update, issued on June 08, see KB 2720211.


    Thank you,

    WSUS team

    17 July 2012 13:59
  • Thank you, but KB 2720211 has no effect on this issue.

    The update service is still apparently rejecting its own server's test certificate w/out a Microsoft signature.

    Or am I supposed to infer from the background to KB 2720211 that test certificates can no longer be used with WSUS?


    cjc055

    17 July 2012 15:35
  • 2012-07-16 18:35:10.409 UTC Error WsusService.8 CertificateChainPolicy.VerifyPolicy The given certificate chain has not Microsoft Root CA signed root (800B0109)

    Regarding the subject line -- WSUS has always required a Microsoft SSL certificate, because the synchronization task is performed via SSL.

    Please do not confuse this certificate with the local certificates you use for local client-based SSL connections to the WSUS server, or for server synchronizations to the upstream server (which can also, optionally, be SSL-enabled).

    The reason you are receiving an 0x800B0109 error is because the WSUS server has an invalid, incorrect, or missing certificate, or some SSL-enabled proxy server enroute to Microsoft has not been updated. My vote would be that you have a missing (new) SSL certificate from Microsoft.

    KB2718704 expires certificates that were compromised by the Flame malware. Not installing this update will not impact WSUS functionality at all, but does leave those machines vulnerable to infection by Flame (or other similar, and not-yet-identified, malware).

    KB2720211 updates the Windows Update Agent, rolls up some unrelated WSUS hotfixes, and updates WSUS to generate 2048-bit local publishing certificates (only relevant if you're doing local publishing with WSUS). This update does not impact WSUS server synchronization from Microsoft -- but may impact client detection and update installation if it's not installed -- which manifests as an 0x800B0001 error on the client in the WindowsUpdate.log.

    [LG - edit 7/19/2012 - Disregard this last paragraph. It was based on inaccurate information obtained from a WSUS server I was accessing at the time of this post which may have been retaining a collection of erroneously published and expired instances of KB931125 from June 2012. The most recent version of KB931125 was, in fact, released in April, 2012; however there are now packages for Windows 7 and Windows Server 2008 -- but interestingly not for 'R2']

    KB931125 is likely what's biting you here. Starting at the end of June, 2012, Microsoft changed how they manage Certificate Revocation Lists and Root Certificate Updates. Previously this was an automated feature of the OS (Vista and later worked but weren't always enabled; it was broken in XP/2003, and never updated on many systems) -- and as a result, many systems have invalid root certificate repositories. This update contains the current Root Certificate collection -- which, btw, has new Root Certificates for WSUS and the Windows Update Agent -- issued concurrent with the release of KB2718704 in response to the Flame malware. This update is contained in the "Updates" update classification, which (unfortunately) many WSUS administrators have chosen not to enable for synchronization. If you're not synchronizing that classification, then you may not have even known this update was necessary. (Arguably this edition of KB931125 should have been classified as a Critical Update, but it's not.)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    18 July 2012 17:48
    Moderator
  • Thank you for such a comprehensive answer, but I am confused.

    I should have mentioned originally that the server whose log I excerpted is 2008 R2 SP1.

    You seem to be saying that the problem is not the server's own machine certificate, for which I am grateful.

    I mistook the mention of my server in the previous log entry as somehow relevant to the entry you quoted.

    However I thought KB931125 only applied to XP/2003, as you posted on another thread at:

    http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/7b5e6cb7-a4f3-4466-afea-0c32da5d3167

    Bing shows me no KB931125 other than XP/2003 more recent than June 2011. Both KB2718704 & KB2720211 have been applied and All Classifications have been enabled for synchronization on my server. How else can I obtain the corrected roots you describe?

    Is there a list I can verify against? Or are they already there and do not solve this problem?


    cjc055


    • Edited by cjc055 18 July 2012 20:35
    18 July 2012 20:30
  • Hmmmm.. something unexpected is going on. Wednesday afternoon, I did have an entire collection of KB931125 update packages for every OS on a WSUS server I was working from, dated June 27, 2012. However, today, I'm looking at a pair of better-maintained WSUS servers -- and they don't exist. Furthermore, the actual KB article shows a last revision date of April, 2012, completely discounting anything I said - and totally consistent with your observations.

    Having said that, though, I'm still inclined to think that the root cause is the same - albeit the remediation will be different. The entire certificate chain used by WSUS, WU/MU, and the Windows Update Agent was replaced. If synchronizations from an upstream server to Microsoft are failing with SSL errors, the most likely cause is exactly as stated -- the WSUS server does not have the requisite SSL certificate.

    A second possible cause, as described in the text of KB2718704 is that an intermediate proxy server has not been properly updated and is using an older SSL certificate to inspect the passthru packets -- something no longer allowed by the new WSUS/MU/WU/WUAgent infrastructure.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    19 July 2012 23:05
    Moderator
  • The 2008 R2 SP1 server on which I run WSUS 3.0 SP2 is pointed directly at Microsoft for its upstream synchronizations.

    There are no intermediates, and today I discovered that its updates are no longer accessible from any client but itself.

    I don't see anything in the C:\Program Files\Update Services\LogFiles\SoftwareDistribution.txt other than what I've already posted. Is there another log at which I should be looking?

    "If synchronizations from an upstream server to Microsoft are failing with SSL errors, the most likely cause is exactly as stated -- the WSUS server does not have the requisite SSL certificate." - which WSUS server, mine or the upstream Microsoft server?

    Is there an official list of the replaced certificates with thumbprints that I can verify against whatever is on my server?


    cjc055


    • Edited by cjc055 20 July 2012 13:31
    20 July 2012 13:29
  • Is there another log at which I should be looking?

    Check the Application Event Log as well for relevant WSUS application errors.

    "If synchronizations from an upstream server to Microsoft are failing with SSL errors, the most likely cause is exactly as stated -- the WSUS server does not have the requisite SSL certificate." - which WSUS server, mine or the upstream Microsoft server?

    Yours.

    Is there an official list of the replaced certificates with thumbprints that I can verify against whatever is on my server?

    Good question! I don't have an answer for this. Inasmuch as this is a breakdown in your ability to maintain and deploy security updates, you might also consider opening a ticket with CSS -- which should be a no-charge call since it is security related.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    20 July 2012 18:48
    Moderator
  • The errors that started this thread came from the Application Event Log. "The service is not working" is neither relevant nor helpful.

    To be clear, you are saying that the Microsoft certificates on my server are to blame, and not my server's own computer certificate?

    What is CSS and where are its tickets opened?


    cjc055

    23 July 2012 13:12
  • To be clear, you are saying that the Microsoft certificates on my server are to blame, and not my server's own computer certificate?

    Actually, I'm suggesting that the Microsoft certificates are missing from your server; the ones that are there are not contributing at all. The WSUS Server runs a server synchronization via an SSL connection to Microsoft. In order to validate that SSL connection, your machine must have the correct SSL certificate installed -- just like an end-user needs to have the right SSL certificate to talk to their bank.

    Your server's own computer certificate is used by client systems to validate the identity of the WSUS server (so they know they're talking to the right WSUS server). This is the same thing your WSUS server does with Microsoft -- it needs to know that it really is talking to Microsoft. Without the certificate, it cannot authenticate that it is talking to the correct server.

    What is CSS and where are its tickets opened?

    Customer Support Services (aka Product Support Services). http://support.microsoft.com/contactus/


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin


    23 July 2012 17:30
    Moderator
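The reply above describes the check that is failing: the WSUS server builds the chain of the certificate Microsoft presents and expects it to end in a root the machine already trusts, and the earlier question asked for thumbprints to verify against. The PowerShell below is an added example, not code from the thread or from Microsoft, that performs that same chain validation outside WSUS with the .NET `X509Chain` class and reports every link's thumbprint and status, then inventories the Microsoft-issued roots in the LocalMachine Root store (the local half of a thumbprint comparison). The hostname is a placeholder; revocation checking is switched off deliberately so that an unreachable CRL cannot be confused with the untrusted-root condition under investigation.

```powershell
# Added example (not from the thread): reproduce the trust-chain check that
# fails with 0x800B0109 (CERT_E_UNTRUSTEDROOT) and list locally trusted roots.

function Get-TlsChainReport {
    param(
        [Parameter(Mandatory)][string]$Server,   # placeholder: the upstream host to test
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever the peer presents at the stream level; trust is
        # evaluated explicitly by X509Chain.Build below, not by this callback.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # No revocation check: isolate the root-trust question from CRL reachability.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)

    $links = foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $element.Certificate.Subject
            Issuer     = $element.Certificate.Issuer
            Thumbprint = $element.Certificate.Thumbprint
            NotAfter   = $element.Certificate.NotAfter
            Status     = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # The chain only verifies if its top link is present in the machine Root store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try { $rootInstalled = $store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false).Count -gt 0 }
    finally { $store.Close() }

    [pscustomobject]@{
        Server             = $Server
        ChainTrusted       = $trusted
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject        = $root.Subject
        RootThumbprint     = $root.Thumbprint
        RootInMachineStore = $rootInstalled
        Links              = $links
    }
}

function Get-InstalledMicrosoftRoots {
    # Thumbprints of the Microsoft-issued roots this server currently trusts,
    # to compare against whatever list Microsoft publishes.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $store.Certificates |
            Where-Object { $_.Subject -like '*Microsoft*' } |
            Select-Object Subject, Thumbprint, NotBefore, NotAfter
    }
    finally { $store.Close() }
}

# Usage (hostname is a placeholder; use the upstream server the WSUS server syncs from):
# $report = Get-TlsChainReport -Server 'update-endpoint.example'
# $report | Format-List
# $report.Links | Format-Table Subject, Thumbprint, Status -AutoSize
# Get-InstalledMicrosoftRoots | Format-Table -AutoSize
```

A report with `ChainTrusted` false, `ChainStatus` containing `UntrustedRoot` and `RootInMachineStore` false is the same condition WSUS logs as 800B0109, and the `RootThumbprint` it prints is the value that has to appear in the Root store for the synchronization to validate. If a proxy is inspecting the connection, `Links` will show the proxy's issuing CA rather than Microsoft's, which distinguishes the second cause Lawrence mentions from a missing root.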
  • Just wondering if you had any updates from Microsoft on this? I am seeing the same symptoms as well.

    Help

    27 July 2012 13:38
  • The service errors in the Application event log that started this thread have been known issues all along:

    http://blogs.technet.com/b/sus/archive/2012/06/20/wsus-kb272011-common-issues-encountered-and-how-to-fix-them.aspx

    - 2nd issue "After Installing the KB" describes how to turn them off.

    The WSUS log entries I first posted are still a mystery, and some mysteries are not worth solving.

    I've built a fresh WSUS instance on another server running SQL 2012 and everything seems fine now.

    SSL is on and the clients so far can connect. None of this qualifies as an "answer", but that's how I'm marking it.

    This second link has more gory details for those unable to simply start from scratch:

    http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/531d576b-eeaf-40dc-9057-b3adbde6186f/

    What really aggravates me is having to surf around blogs and forums, scratching each other's heads over this junk, and spending most of our time sorting the real answers from those just trying to sound authoritative.

    Where's the leadership, Microsoft?

    Kurt Eichenwald's Vanity Fair article is far more relevant than any of this thread's preceding posts:

    http://www.vanityfair.com/business/2012/08/microsoft-lost-mojo-steve-ballmer


    cjc055

    • Marked as Answer by cjc055 27 July 2012 20:14
    • Edited by cjc055 27 July 2012 20:20
    27 July 2012 20:11
  • That's exactly what I did. I just uninstalled WSUS and reinstalled it. So far no errors to speak of.

    Help

    27 July 2012 20:21