locked
Unable to run WSUS PowerShell commands - "could not establish trust relationship" RRS feed

  • Question

  • Hey guys.

    I'm unable to run WSUS PowerShell commands on our upstream server. The error message states it "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel". This isn't an issue on our downstream servers.

    The upstream WSUS console is working fine and computers are able to download updates from it. Not sure when this started, but I did replace the SSL certs for all WSUS servers recently. Seems like if that was the issue, it'd effect the other servers as well.

    Any help would be appreciated!

    Wednesday, April 13, 2016 6:03 PM

All replies

  • Hi WWood,

    Based on my understanding, after changing the certificate, the WSUS GUI works well while powershell commands have issues.

    If my understanding is correct, then check if restart the WSUS server and run Server Cleanup Wizard could help.

    Besides, check if the old certificate is stored, if yes, also delete the old certificate and check the result.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, April 14, 2016 8:45 AM
  • Thanks for the response (sorry for the delay). As you suggested, I've tried running clean up wizard, rebooting, and the old certificate had already been deleted. Those steps have not resolved the issue.


    Friday, April 22, 2016 12:57 PM
  • Good Day

    Have you tried to import the module ?

    Import-Module UpdateServices -Force
    Hope this works
    Regards

    Friday, April 22, 2016 1:17 PM
  • No luck. Getting the same error.
    Friday, April 22, 2016 1:20 PM
  • Is the certificate for a web service from a trustworthy authority?
    If so, is the certificate stored in the Root CA Certificate store?
    Maybe you only have to export the certificate and install it in the server
    Friday, April 22, 2016 2:10 PM
  • Yep. It was issued by our internal CA. The WSUS server cert is installed and the root CA cert is in the trusted root store. IIS bindings are also correct.

    It's weird. Everything is working as expected except the WSUS PowerShell commands.

    Friday, April 22, 2016 3:17 PM
  • Hi WWood,

    Have you tried restarting the WSUS server? Could restart work?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, April 25, 2016 8:30 AM
  • I've tried restarting. Unfortunately it didn't resolve the issue.
    Monday, April 25, 2016 1:52 PM
  • Hi WWood,

    What is the certificate template of the new certificate?

    And what about using another certificate, do the trusted root certificate stores correctly?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, April 26, 2016 9:19 AM
  • It's a Web Server certificate template. At this point, I feel this probably isn't an issue with the certificate itself, because almost everything is working correctly. Clients can connect, clients can download updates, downstream servers can connect, etc. The only thing that isn't working are the WSUS PowerShell commands on the upstream server. For example "get-wsusserver". If there was a problem with the cert, I'd expect to see problems manifest themselves elsewhere.

    Also to be clear, I didn't observe a direct correlation between changing the certificate and the PowerShell issues. Rather, it's just the last change I can remember that might've caused it. It's not a case of "I changed it and then it stopped working".

    The downstream servers, which have the same certificate template and are configured the same way w/ regards to templates, can run the PowerShell commands.

    Wednesday, April 27, 2016 3:12 PM
  • Hi WWood,

    What about other powershell commands?

    Does the issue only for WSUS commands?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, April 28, 2016 4:50 AM
  • Other PowerShell commands work fine. It's just the WSUS commands.
    Thursday, April 28, 2016 1:05 PM
  • Hi WWood,

    Try if re-index WSUS database could work.

    Reindex WSUS database:

    https://technet.microsoft.com/en-us/library/dd939795(v=ws.10).aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, May 3, 2016 9:30 AM