WSUS Sync is not working Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote

  • Question

  • I know there are loads of posts with the same issue, and most of them were related to proxy and connectivity.

    This was the case for me as well (a few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.

    Server is configured on HTTP port 80.

    ERROR

    Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS

    ............

    I've checked proxy server connectivity. I'm able to browse the following site from the WSUS server:

    http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8

    I did telnet to the proxy server on the particular port (8080) and that is also fine.

    I have doubts about the certificates. Any idea which certificates we need to look at? And if a certificate is expired then (my guess) we won't be able to open the above-mentioned Windows Update catalog site?

    Any tips appreciated!


    Anoop C Nair (My Blog www.AnoopCNair.com) - Twitter @anoopmannur - FaceBook Forum For SCCM

    Thursday, June 19, 2014 2:13 PM

All replies

  • Greetings Anoop!

    The error message pretty much describes the issue.

    Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure

    SSL is enabled/configured, and the certificate being used is invalid (or the cert does not exist or cannot be obtained), or the SSL connection could not be established.

    Not sure about your use of port 8080, but unless the proxy server is properly remapping the port, that will likely be problematic.

    ALSO... a common problem when using proxy servers... WSUS needs to be able to SYNC on SSL, and DOWNLOAD CONTENT on HTTP. If you're forcing port 8080 to redirect to port 80 outbound, then WSUS has no way to build an SSL connection to Microsoft Update. You'll need to set up a second proxy listener to handle the SSL-based sync.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, June 19, 2014 9:59 PM
  • Hi Lawrence! Many thanks for looking into this thread and replying. Appreciate your help.

    Your reply ("SSL is enabled/configured, and the certificate being used is invalid (or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.

    I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with the proxy server configured on port (8080) and the WSUS server on port 80.

    My guess (this is my best guess ;)) is that this is something to do with the firewall or proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to the proxy/firewall team. From their perspective all the required port communication is open and the proxy server is also reachable. Moreover, we're able to access the internet (Microsoft Update Catalog site) over the same port (8080).

    Any other hints where I can prove them it's a sure shot problem from their side.

    Thanks again !!

     


    Anoop C Nair (My Blog www.AnoopCNair.com) - Twitter @anoopmannur - FaceBook Forum For SCCM


    Friday, June 20, 2014 1:58 AM
  • Any other hints where I can prove them it's a sure shot problem from their side.

    I'd say Wireshark the sync session and see where the traffic goes.. or doesn't.. as the case may be.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, June 21, 2014 12:59 AM
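
A narrower check than a full packet capture, as an added example that is not part of the original thread: the catalog URL tested above is plain `http://`, so it does not exercise the SSL path that sync depends on. This PowerShell sketch asks the proxy for an HTTPS tunnel and reports which certificate actually arrives and how Windows validates it. `proxy.example.local` is a placeholder, `$TargetHost` is the HTTPS sync host your WSUS server contacts (not named in the thread), and 8080 is the proxy port from the thread.

```powershell
# Added diagnostic sketch, not from the thread. Save as a .ps1 and run on the WSUS server.
param(
    [string]$ProxyHost = 'proxy.example.local',    # placeholder: your proxy server
    [int]$ProxyPort = 8080,                        # proxy port mentioned in the thread
    [Parameter(Mandatory = $true)]
    [string]$TargetHost                            # assumption: HTTPS sync host used by your WSUS
)

$tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
try {
    $net = $tcp.GetStream()
    # Ask the proxy for a raw tunnel to port 443, as any HTTPS client behind it would.
    $text = "CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n"
    $req = [Text.Encoding]::ASCII.GetBytes($text)
    $net.Write($req, 0, $req.Length)

    # Read the proxy's reply headers up to the terminating blank line.
    $sb = New-Object Text.StringBuilder
    while (-not $sb.ToString().EndsWith("`r`n`r`n")) {
        $b = $net.ReadByte()
        if ($b -lt 0) { break }                    # proxy closed the connection
        [void]$sb.Append([char]$b)
    }
    $status = ($sb.ToString() -split "`r`n")[0]
    "Proxy reply: $status"
    if ($status -notmatch '^HTTP/1\.\d 200') { return }   # tunnel refused: nothing more to test

    # Record what certificate validation sees, then accept so the result can be reported.
    $script:seen = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $cert, $chain, $errors)
        $script:seen = [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            PolicyErrors = $errors
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
    $ssl.AuthenticateAsClient($TargetHost)
    "Negotiated protocol: $($ssl.SslProtocol)"
    $script:seen | Format-List
}
finally {
    $tcp.Close()
}
```

A `PolicyErrors` value other than `None` corresponds to the "remote certificate is invalid according to the validation procedure" failure, and an `Issuer` that names an internal or proxy CA rather than a public one shows the certificate is being substituted on the proxy path.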
  • Hi, I know this is an old thread, but we started getting this on our WSUS server a few weeks ago, and it hasn't been able to synchronize successfully since. Here is the error we are getting:

    WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.Serve

    As noted above, I too can browse to http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8 fine on the WSUS server.

    Not sure why this thread was marked answered. Wireshark is hardly a solution. Please advise on how to resolve this issue.

    Monday, April 9, 2018 2:00 PM