Server 2012 R2 WSUS not synchronizing

  • Question

  • So I am testing out a new WSUS server on Server 2012 R2.

    This has been working fine for a few weeks and downloading updates from MS with no problems.

    However, from the 8th December onwards it now fails.

    I checked to see if any updates had been installed on the 7th and there was one so I uninstalled it but still the same problem.

    The error is as follows:

    WebException: The request was aborted: Could not create SSL/TLS secure channel.
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
       at Microsoft.UpdateServices.Serve

    Anyone any ideas what this is and why it has suddenly stopped working?

    Regards,

    Rob

    Monday, December 29, 2014 1:32 PM

All replies

  • However, from the 8th December onwards it now fails.

    I checked to see if any updates had been installed on the 7th and there was one so I uninstalled it

    It would be VERY relevant to know which update you uninstalled on the 8th of December.

    I have a pretty good guess since this is an SSL/TLS issue.

    What is the expiration date of your SSL certificate? Is it a SHA-1 cert or a SHA-256 or greater cert?

    And, if it's a new server for testing.. why clutter up the environment with SSL?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, December 29, 2014 3:17 PM
  • Many thanks for the reply.

    The update removed was KB3011780.  Didn't seem relevant but was the only thing that had changed on the server on that date.

    As for the SSL part...  no idea.  This is not something we have set up or changed.

    Everything was working fine until that date even though no one has made any changes to the server at all.

    If I knew why it was using SSL I would remove it but I can see no options for it to use this.

    Regards,

    Rob

    Tuesday, December 30, 2014 10:35 AM
  • maybe this one: https://support.microsoft.com/kb/2992611

    Don

    Tuesday, December 30, 2014 11:00 AM
  • The update removed was KB3011780.

    There were some issues with the original release of this update. A revision was published on Nov 18, 2014. You might check to be sure that the latest revision is approved. Possibly the server had installed the earlier revision?

    As for the SSL part...  no idea.  This is not something we have setup or changed.

    My apologies. I confused the issue here. This is the logfile attempting to synchronize with Microsoft, and it does use SSL for that task.

    There are only a few reasons why this SSL connection would fail:

    • Something is now interfering with the connection. (Is the WSUS server configured to use a proxy server?)
    • The WSUS Server is missing a required certificate to authenticate the Microsoft certificate chain.

    Note also that the installation of MS14-066 changed the priority order of the ciphers used for SSL/TLS connections, so if there are intermediary devices, make sure they also support the use of those ciphers.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

    Tuesday, December 30, 2014 6:20 PM
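
One way to separate the causes listed in the reply above (something in the path, a missing chain certificate, or a protocol/cipher mismatch after MS14-066), as an added PowerShell example that is not part of any post in this thread. The function name Test-TlsEndpoint is hypothetical and the host name is a parameter you must supply, since the thread does not name the upstream endpoint.

```powershell
# Added example: probe a TLS endpoint from the WSUS server, one protocol at a time.
# $HostName is an assumption: supply the upstream host your WSUS server synchronizes with.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [string[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Protocols) {
        $seen = @{ PolicyErrors = 'callback not reached'; Chain = @() }
        # Record what the server presented, then return $true so the handshake
        # completes and the negotiated parameters can be read. Diagnostic use only:
        # no data is sent over the stream.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $cert, $chain, $policyErrors)
            $seen.PolicyErrors = $policyErrors.ToString()
            $seen.Chain = @($chain.ChainElements | ForEach-Object {
                '{0} [{1}] {2}' -f $_.Certificate.Subject,
                    $_.Certificate.SignatureAlgorithm.FriendlyName,
                    (($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
            })
            $true
        }
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($HostName, $Port)   # direct connection, bypasses any configured proxy
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            $proto = [System.Security.Authentication.SslProtocols]$name
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $outcome = 'handshake ok'
            $cipher  = '{0} / {1} / {2}' -f $ssl.CipherAlgorithm, $ssl.KeyExchangeAlgorithm, $ssl.HashAlgorithm
        } catch {
            $outcome = 'FAILED: ' + $_.Exception.GetBaseException().Message
            $cipher  = $null
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
        [pscustomobject]@{
            Protocol     = $name
            Outcome      = $outcome
            Cipher       = $cipher
            PolicyErrors = $seen.PolicyErrors
            Chain        = $seen.Chain
        }
    }
}
```

Pipe the result to `Format-List`. A failure with "callback not reached" means the handshake was refused or reset before any certificate was evaluated (protocol, cipher, or a device in the path), while a PolicyErrors value of RemoteCertificateChainErrors with a PartialChain or UntrustedRoot status on a chain element points to a certificate missing from the server's store.
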
  • Lawrence,

    Really appreciate all your help and suggestions on this matter.

    I have checked and ensured that the newer version of the update has been installed and the file versions match those of the later release from Microsoft.

    To be sure that nothing was in the way I have had our Firewall guys allow the server directly out to the internet but the same issue remains.

    They can see the server getting out on 443 but then a TCP reset is performed.  The error on the server is still about not being able to create a secure channel.

    I have run Windows Update on the server pointing it at MS and it is bang up to date.

    If there is a missing certificate how would I identify this?

    I am thinking that I may need to raise a call with MS as this is most strange.

    Thanks again for your help.

    Rob

    Wednesday, December 31, 2014 9:21 AM
  • Hi Lawrence.

    I'm having a similar problem too. My WSUS does not synchronize with the same error from the day I installed a new (and the first) CA in our Active Directory. The CA is on the same server where WSUS is. Then I reinstalled the CA role of the server twice during the next few days. But the WSUS problem started on the day I first installed the CA. Is it unsupported for CA and WSUS to coexist on the same server? And what should I do next?

    Thanks

    George


    Wednesday, May 17, 2017 4:21 AM
  • Hi George,

    Lawrence passed away a couple of years ago, sorry.

    It sounds like you have an SSL configuration issue, perhaps related to TLS version (which TLS versions etc. are permitted/enabled on your server).

    Or it might be a device (e.g. proxy or firewall) in the connection path between your WSUS and Microsoft.com?

    Possibly the installation of the CA required a configuration change which might be the cause/conflict?

    I'm not an SSL expert, but this article might give some hints on troubleshooting?

    https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, May 17, 2017 9:43 PM