Connect to upstream server fail - "Could not establish trust relationship for the SSL/TLS secure channel"

  • Question

  • Hi

    I'm trying to set up a local WSUS as downstream to our working one at a different site (which is working fine).
    Both are on Server 2012 R2 machines.
    Both up to date with updates.

    The downstream wizard stops at 'Start connecting' with an http error of:
    WebException: The underlying connection was closed: Could not establish trust relationship for the secure channel. 
    System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.


    Upstream server IP & port are good, use ssl is ticked, as is 'This is a replica of the upstream server'.
    Each server has a personal cert provided by local CA server.
    Have imported each other's certs to trusted devices store.

    I found a similar question on this forum where someone replying asked whether KB3159706 was installed ("...as further steps will be required"). In the OP's case it wasn't so that point was not expanded upon, but on ours it is.
    That KB seems to be required if serving Win 10 clients, which our WSUS is.

    Can anyone help here please?

    Many thanks

    Thursday, February 14, 2019 2:22 PM

All replies

  • Hi Paul,
     

    Try the following steps to verify that you can access the upstream server:
     

    • Use a browser on the client to access the following address:
      >  https://<UpstreamWSUSservername>:8531/iuident.cab
      >  https://<UpstreamWSUSservername>:8531/selfupdate/wuident.cab
      If the WSUS server is functioning properly, you should see a File Download window opening.
        

    If the certificate being used is inherently problematic, this step may not be completed.
    Reply back with the results; I would be happy to help.
     

    Regards,
    Yic Lv


    Friday, February 15, 2019 7:54 AM
  • Confirm with part 3 of my 8 part blog series that you've configured and performed the manual steps on the systems that have KB3159706 installed.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-3-windows-as-a-service-waas-and-group-policy-administrative-templates/

    As Yic mentions, try to download the WSUS iuident CAB file from the downstream server.

    https://server.domain.local:8531/selfupdate/iuident.cab
    and then try to browse to:
    https://server.domain.local:8531/ClientWebService/client.asmx

    If you can download it and browse to it, you've verified the SSL Cert is trusted on the downstream server.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Saturday, February 16, 2019 3:19 PM
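
The browser checks suggested in the replies show whether the certificate is trusted, but not why .NET rejects it. The following PowerShell is an added example, not part of any reply in this thread: it connects to the upstream server's SSL port and reports the same validation result the WSUS wizard gets. The function name `Test-WsusTlsTrust` and the server name in the last line are hypothetical placeholders; port 8531 is the one used in the replies.

```powershell
# Added example: report why .NET rejects the upstream WSUS certificate.
# Run on the downstream server. Function name and server name are placeholders.
function Test-WsusTlsTrust {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,
        [int]$Port = 8531
    )
    $script:TlsResult = @{ Errors = $null; ChainStatus = @() }
    # Record the validation outcome instead of aborting the handshake, so the
    # certificate can be inspected. Returning $true is for diagnosis only.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $certificate, $chain, $sslPolicyErrors)
        $script:TlsResult.Errors = $sslPolicyErrors
        if ($chain) {
            $script:TlsResult.ChainStatus = @($chain.ChainStatus | ForEach-Object {
                $_.Status.ToString() + ': ' + $_.StatusInformation.Trim()
            })
        }
        return $true
    }
    $protocols = [System.Security.Authentication.SslProtocols]'Tls,Tls11,Tls12'
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            # The name passed here is what the certificate is matched against.
            $ssl.AuthenticateAsClient($ServerName, $null, $protocols, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            # Subject Alternative Name extension (OID 2.5.29.17), if present.
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            [pscustomobject]@{
                ConnectedAs  = $ServerName
                Subject      = $cert.Subject
                SubjectAlt   = if ($san) { $san.Format($false) } else { '(none)' }
                Issuer       = $cert.Issuer
                NotAfter     = $cert.NotAfter
                PolicyErrors = $script:TlsResult.Errors
                ChainStatus  = $script:TlsResult.ChainStatus -join '; '
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

# Use exactly the name or address entered in the downstream wizard.
Test-WsusTlsTrust -ServerName 'upstream-wsus.example.local' | Format-List
```

`PolicyErrors` of `RemoteCertificateNameMismatch` means the name used to connect does not appear in the certificate's subject or alternative names; `RemoteCertificateChainErrors` means the chain does not build to a root trusted by this machine, and `ChainStatus` gives the specific reason.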