WSUS 3.0SP2 Content file download failed. Reason: File cert verification failure

  • Question

  • Hi,

    We have a problem with an Upstream WSUS 3.0SP2 on Windows Server 2008 Enterprise SP2.

    Since June 12, several updates approved for Windows 7, Windows 8.1 or IE 11 are not downloaded by our Upstream.

    On this Upstream, I have tested a download of an update with Internet Explorer and the same proxy server, and it's OK.

    Any suggestions please ? 

    Upstream server version: 3.2.7600.307 (hotfix KB2720211 + KB2828185 + KB4484071)

    In SoftwareDistribution.log, an example of a failed download:

    2019-06-19 03:43:43.647 UTC Info WsusService.22 ContentSyncAgent.ProcessBITSNotificationQueue ContentSyncAgent recieved Transferred Event for Item: d0777547-6cfb-4f12-aed1-91ec38d56e33
    2019-06-19 03:43:43.647 UTC Info WsusService.22 ContentSyncAgent.ContentSyncSPFireStateMachineEvent ContentSyncAgent firing Event: FileDownloaded for Item: d0777547-6cfb-4f12-aed1-91ec38d56e33
    2019-06-19 03:43:43.694 UTC Error WsusService.22 ContentSyncAgent.ProcessBITSNotificationQueue Downloaded file e:\DATA\WSUS\WsusContent\E3\A2CB0FBB26057B1C0815E92687C838E14B7A03E3.cab caught exception at VerifyFile: System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified.
    File name: 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
       at Microsoft.UpdateServices.ServerSync.ContentSyncAgent.VerifyCRC(String fileLocalPath, String additionalHash)
       at Microsoft.UpdateServices.ServerSync.ContentSyncAgent.VerifyFile(String fileLocalPath, String additionalHash)
       at Microsoft.UpdateServices.ServerSync.ContentSyncAgent.ProcessBITSNotificationQueue()

    === Pre-bind state information ===
    LOG: User = NT AUTHORITY\NETWORK SERVICE
    LOG: DisplayName = System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
     (Fully-specified)
    LOG: Appbase = file:///C:/Program Files/Update Services/Service/bin/
    LOG: Initial PrivatePath = NULL
    Calling assembly : Microsoft.UpdateServices.ContentSyncAgent, Version=3.1.6001.1, Culture=neutral, PublicKeyToken=31bf3856ad364e35.
    ===
    LOG: This bind starts in default load context.
    LOG: Using application configuration file: C:\Program Files\Update Services\Service\bin\WsusService.exe.Config
    LOG: Using machine configuration file from C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config.
    LOG: Post-policy reference: System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    LOG: The same bind was seen before, and was failed with hr = 0x80070002.

       at Microsoft.UpdateServices.ServerSync.ContentSyncAgent.ProcessBITSNotificationQueue()
       at Microsoft.UpdateServices.ServerSync.ContentSyncAgent.WakeUpWorkerThreadProc()
       at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
       at System.Threading.ExecutionContext.runTryCode(Object userData)
       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()
    2019-06-19 03:43:43.694 UTC Warning WsusService.22 ContentSyncAgent.ProcessBITSNotificationQueue Invalid file deleted: e:\DATA\WSUS\WsusContent\E3\A2CB0FBB26057B1C0815E92687C838E14B7A03E3.cab
    2019-06-19 03:43:43.694 UTC Info WsusService.22 ContentSyncAgent.ContentSyncSPFireStateMachineEvent ContentSyncAgent firing Event: FileVerificationFailed for Item: d0777547-6cfb-4f12-aed1-91ec38d56e33
    2019-06-19 03:43:43.694 UTC Info WsusService.22 EventLogEventReporter.ReportEvent EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed. Reason: File cert verification failure. Source File: /c/msdownload/update/software/updt/2019/06/windows8.1-kb4502567-x86_a2cb0fbb26057b1c0815e92687c838e14b7a03e3.cab Destination File: e:\DATA\WSUS\WsusContent\E3\A2CB0FBB26057B1C0815E92687C838E14B7A03E3.cab.
    2019-06-19 03:43:43.710 UTC Info WsusService.22 ContentSyncAgent.WakeUpWorkerThreadProc ContentSyncAgent found no more Jobs, thread exitting
    2019-06-19 03:43:43.710 UTC Info WsusService.22 EventLogEventReporter.ReportEvent EventId=363,Type=Information,Category=Synchronization,Message=Content synchronization succeeded.

    Wednesday, June 19, 2019 6:22 AM

All replies

  • Hi,
      


    2019-06-19 03:43:43.694 UTC Info WsusService.22 EventLogEventReporter.ReportEvent EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed. Reason: File cert verification failure. Source File: /c/msdownload/update/software/updt/2019/06/windows8.1-kb4502567-x86_a2cb0fbb26057b1c0815e92687c838e14b7a03e3.cab Destination File: e:\DATA\WSUS\WsusContent\E3\A2CB0FBB26057B1C0815E92687C838E14B7A03E3.cab.

    This problem may be caused by two potential root causes, please refer to the following steps to verify separately:
      

    1. Certificate chain issues
      The problem is caused by the current root certificate or local publishing certificate not being installed correctly. If the computer can connect directly to the Windows Update site environment, it will receive updated certificate trust lists (CTL) every day.
      If not, please refer to the methods mentioned in the following two articles for obtaining:
      - "Configure a file or web server to download the CTL files"
      - "An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"
        
    2. File issues
      File corruption during transfer, or file was corrupt on WSUS USS. Please try the following steps to fix it:
      1) Reject approved updates.
      2) Close any open WSUS consoles.
      3) Go to Administrative Tools – Services and STOP the Update Services service.
      4) In Windows Explorer browse to the WSUSContent folder (typically D:\WSUS\WSUSContent or C:\WSUS\WSUSContent)
      5) Delete ALL the files and folders in the WSUSContent folder.
      6) Go to Administrative Tools – Services and START the Update Services service.
      7) Open a command prompt and navigate to the folder: C:\Program Files\Update Services\Tools.
      8) Run the command WSUSUtil.exe RESET

      You can check the SoftwareDistribution.log (C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log). When you start the reset process, you should see a line towards the bottom of the log which looks like this:
      WsusService.13  ExecutionContext.runTryCode  State Machine Reset Agent Starting
        
      After waiting for some time, check the log again and search for the text "State Machine Reset Agent Finished":
      - WsusService.13  ExecutionContext.runTryCode  State Machine Reset Agent Finished
          

    Hope the above can help you.
      

    Regards,
    Yic


    Wednesday, June 19, 2019 8:01 AM
  • Hi Luis,

    I have the same problem as you after installing hotfix KB4484071.

    Has it been fixed? Please share how to fix it.

    Thanks,

    Adhi

    Monday, June 24, 2019 3:25 AM
  • Thanks Yic 
    Monday, June 24, 2019 8:54 AM
  • Hi Adhi, 

    Finally we have found the solution: the hotfix KB4484071 has .NET version 3.5 as a prerequisite!!!

    We had just .NET 3.0 installed on our Upstream ... I don't understand why we had no problem for one week, and after that we got failed downloads for several updates.

    So after the installation of .NET v3.5.1, all the updates of June were downloaded successfully!!!! Hope it will help you!

    Now we have a Downstream WSUS 3.0SP2 server on Windows Server 2008 Enterprise SP2 (32-bit) with a lot of Out of memory exceptions, and I cannot find the right parameters for Wsuspool or the web.config files of the Webservices (maxRequestLength).

    If someone has a method for sizing these parameters ....

    Regards

    Luis

    • Proposed as answer by James_names Thursday, July 18, 2019 9:49 AM
    Monday, June 24, 2019 9:10 AM
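
    Added example, not part of the original thread and not WSUS code: in the log quoted in the question, EventId=364 reports "File cert verification failure" even though the verifier itself had failed to load System.Core 3.5. This Python sketch pairs each 364 event with any VerifyFile exception logged for the same file, so a missing dependency can be told apart from content that was actually rejected. The cause labels and the second sample entry are constructed.

```python
import re

# Abridged from the SoftwareDistribution.log lines quoted in the question. The
# second EventId=364 (EXAMPLE00.cab) is constructed: no exception precedes it.
SAMPLE_LOG = r"""
2019-06-19 03:43:43.694 UTC Error WsusService.22 ContentSyncAgent.ProcessBITSNotificationQueue Downloaded file e:\DATA\WSUS\WsusContent\E3\A2CB0FBB26057B1C0815E92687C838E14B7A03E3.cab caught exception at VerifyFile: System.IO.FileNotFoundException: Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified.
2019-06-19 03:43:43.694 UTC Info WsusService.22 EventLogEventReporter.ReportEvent EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed. Reason: File cert verification failure. Source File: /c/msdownload/update/software/updt/2019/06/windows8.1-kb4502567-x86_a2cb0fbb26057b1c0815e92687c838e14b7a03e3.cab Destination File: e:\DATA\WSUS\WsusContent\E3\A2CB0FBB26057B1C0815E92687C838E14B7A03E3.cab.
2019-06-19 03:50:00.000 UTC Info WsusService.22 EventLogEventReporter.ReportEvent EventId=364,Type=Error,Category=Synchronization,Message=Content file download failed. Reason: File cert verification failure. Source File: /constructed/example00.cab Destination File: e:\DATA\WSUS\WsusContent\00\EXAMPLE00.cab.
"""

VERIFY_EXC = re.compile(
    r"Downloaded file (?P<path>.+?) caught exception at VerifyFile: (?P<exc>[\w.]+):")
MISSING_ASM = re.compile(
    r"Could not load file or assembly '(?P<name>[^,']+), Version=(?P<ver>[\d.]+)")
EVENT_364 = re.compile(
    r"EventId=364,.*?Reason: (?P<reason>.+?)\. Source File: .+? "
    r"Destination File: (?P<path>.+?)\.?$")


def triage(log_text):
    """Return one finding per EventId=364, with the underlying cause if logged."""
    exceptions = {}  # lower-cased file path -> (exception type, missing assembly)
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_EXC.search(line)
        if m:
            asm = MISSING_ASM.search(line)
            missing = f"{asm['name']} {asm['ver']}" if asm else None
            exceptions[m["path"].lower()] = (m["exc"], missing)
            continue
        m = EVENT_364.search(line.rstrip())
        if not m:
            continue
        exc, missing = exceptions.pop(m["path"].lower(), (None, None))
        if missing:
            cause = "verifier-dependency-missing"  # check never ran; fix the host
        elif exc:
            cause = "verifier-exception"           # check crashed for another reason
        else:
            cause = "content-rejected"             # file itself failed verification
        findings.append({"file": m["path"], "reason": m["reason"],
                         "cause": cause, "exception": exc, "assembly": missing})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Only a "content-rejected" finding points at the certificate chain or a corrupt file; the other two causes mean the verification code could not run and the download was discarded anyway.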
  • Hi Luis

    thank you very much for this information, I searched for a day the origin of this issue.
    The hotfix KB4484071 was automatically installed in June but the .NET version 3.5 was not present.

    Well done Microsoft ...

    Regards,

    Hervé

    Thursday, July 11, 2019 11:56 AM
  • Thanks to this, it solved my problem with WSUS 2008R2.

    I had the same error problem with my WSUS 10032 and 364. It was enough in features to add .NET Framework 3.5.1 Features (Install) and install all updates.

    Restart and voila!

    Thursday, July 18, 2019 7:45 AM
  • Many thanks Luis, this was the solution for me also.

    James

    Thursday, July 18, 2019 9:50 AM
    Wow thx you search all the day, and finally I found your post !!!

    GG WP !! Thx

    Thursday, September 5, 2019 9:39 AM
    The event says it all:

    Content file download failed.

    Reason: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.

    This seems related to re-directing the WSUS traffic WAN Access to a PROXY or WEB-Filter which does not support "HTTP 1.1 range Requests". Google seems to have certain PATENTS on that; maybe that's the reason it dropped out of some FW/PROXY where it was once included?

    Tell your NETWORK Admin to check if the filter solution does support that. If not a) Let the WSUS Direct to WAN b) Change BitsDownloadPriorityForeground=1 c) OR worst TIP they reinstall/Install Framework 3.5.1 Feature component WHICH (I guess) sets the BitsDownloadPriorityForeground also. (Just by luck a lucky strike ;-)

    https://tools.ietf.org/html/rfc7233 (HTTP 1.1 range Requests)

    Main Problem and source seems the PROXY or WEBFILTER. This is known in SOPHOS and SONICWALL Forums. Never seen in esp. related or with KB on Fortinet.

    https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/78776/problem-with-downloading-wsus-updates

     

    https://support.microsoft.com/en-us/help/922330/error-message-when-you-try-to-download-a-file-by-using-the-background

    https://social.technet.microsoft.com/Forums/en-US/ac5f7668-6460-4082-8d0b-0690bcc8229a/6703-failed-to-sync-some-of-the-updates?forum=configmgrgeneral

    Greetings from Switzerland

    Mike

    Monday, September 16, 2019 11:56 AM
  • Hi LuisOLI!

    After I installed .NET 3.5 the downloads are working again.

    Thank you!

    Friday, October 18, 2019 6:14 PM
  • Hi,

    I know this is relatively old, but I just started having the same issue, but only for December 2019 cumulative updates for Windows 10 (1903) & Server 2019. Anyone else experiencing this issue? So far I've only run wsutil reset, which looks like it's downloading but then after a while it fails. I am guessing I need to follow Yic's option 2 through to resolution.

    Cheers

    Paul


    PH

    Tuesday, December 24, 2019 4:52 PM
  • Just returned to work, and both updates above still failed to download.  HTTP status 403: The client does not have sufficient access rights to the requested server object.  All other updates are downloading and installing.

    PH

    Monday, December 30, 2019 9:53 AM
  • Please see a more recent blog: https://social.technet.microsoft.com/Forums/en-US/d8ee593c-b2e3-4a26-815a-5df65ac49876/4-of-latest-updates-fail-to-download-with-status-quotthe-update-failed-to-downloadquot?forum=winserverwsus

    There are 2 new URLs that need to be added to your white lists:

    3.tlu.dl.delivery.mp.microsoft.com
    dl.delivery.mp.microsoft.com

    I am sure that more admins will come across this in the next month or so as different regions are updated.

    Cheers

    Paul


    PH

    • Proposed as answer by PaulyHaley Monday, December 30, 2019 7:00 PM
    Monday, December 30, 2019 11:11 AM