locked
Can't deploy packages - publishing package to server fails since SP1 RRS feed

  • Question

  • Unable to create software packages for deployment since moving to SP1.  Package is able to be created but during the process it fails when it tries to publishing the package to the server.  Get the following error message:

    Verification of file signature failed for file:\\SERVER\UpdateServicesPackages\e46383a1-41af-450b-b94f-ef13c4043a80\4cdd2e47-a9cf-4fd9-b2a0-08d28abb3534_1.cab

    NOTE: This occurs for any package we try to create.

    Background:

    This feature worked fine until moving to SP1.  When SP1 was initially installed, the server stopped working all together.  The server was wiped and a clean install of the OS and SCE2007 was installed.  Before running through the configuration wizards, SP1 was installed.  We then ran the configuration wizards to finalize the install.  

    Any ideas?
    Friday, March 28, 2008 9:03 PM

Answers

  • Hi,

    Please Open a cmd prompt and navigate to the C:\Program Files\System Center Essentials 2007 directory, then run the following command: SCECertPolicyConfigUtil.exe /PolicyType domain /ManagementGroup <management group name> /SCEServer <Essentials Server FQDN>

    --------------------
    Regards,
    Eric Zhang



    Tuesday, April 8, 2008 7:03 AM

All replies

  • Hi,

    It seems the error is related to the certificates.

    Pleae navigate to "%programfiles%\system center essentials 2007\certificates“ to check whether the two certificates(wsuscodesigningcert.cer and wsussslcert.cer) exist.

    If not, please run Configure Product Features wizard from the administration space splash page (linked on the top right hand side) again.
    --------------------
    Regards,
    Eric Zhang




    Monday, March 31, 2008 8:45 AM
  • Both cert files exist in the certificates folder.

     

    After sitting all weekend, all of the clients have checked in and their health state is showing as "OK".  The SCE server itself is showing "This computer has not been contacted yet"

     

    After seeing that Firewalls can be a common problem, I've already confirmed that the Firewall is disabled on the server.

    Monday, March 31, 2008 12:58 PM
  • Hi,

    As these two certificates exist in the SCE, we need to verify whether they has been properly configured.

    To verify that the SSL certificate has been configured on the WSUS website:
    1. Open IIS Manager on the Essentials server

    2. Navigate to Web Sites\WSUS Administration

    3. Right click on the WSUS Administration web site and select Properties

    4. Select the Directory Security tab

    5. In the Secure Communications section, click on View Certificate.

    6. On the Details tab of the certificate, the “Issuer”property should be the name of the System Center Essentials server. The “Thumbprint” property should match what is in the SSLCertHash value in HKLM\Software\Microsoft\System Center Essentials\1.0\PolicySettings. This can be used to compare with the Thumbprint of the certificate on the client machine to verify that they are the same.

    To verify that the Code Signing certificate has been created on the System Center Essentials server, verify that the “WSUS Publishers Self-signed” certificate exists under WSUS\Certificates in the Local Computer certificate store. To do this:

    1. Go to Start – Run – mmc.exe

    2. When the MMC console opens, select File – Add/Remove Snap-in, then click on Add.

    3. In the list of snap-ins, select “Certificates” and click on Add.

    4. Select “Computer account” and click on Next, then select “Local Computer” and click on Finish.

    5. Close the Snap-ins list and click Ok on the Add/Remove snap-in window.

    6. In the Certificate console, expand the Certificates (Local Computer) tree and verify that the “WSUS Publishers
    Self-signed” certificate exists under WSUS\Certificates.

    7. On the Details tab of the certificate, the “Issuer” property should be “WSUS Publishers Self-signed”. The “Thumbprint” property should match what is in the WSSUCodeSigningCertHash value in HKLM\Software\Microsoft\System Center Essentials\1.0\PolicySettings. This can be used to compare with the Thumbprint of the certificate on the client machine to verify that they are the same.


    To verify that the Code Signing certificate has been configured on the Essentials server and on client computers, use the Certificates MMC console to verify that it exists under Trusted Root Certification Authorities, Trusted Publishers, and Third-Party Root Certification Authorities in the Local Computer certificate store. To do this:

    1. Go to Start – Run – mmc.exe

    2. When the MMC console opens, select File – Add/Remove Snap-in, then click on Add.

    3. In the list of snap-ins, select “Certificates” and click on Add.

    4. Select “Computer account” and click on Next, then select “Local Computer” and click on Finish.

    5. Close the Snap-ins list and click Ok on the Add/Remove snap-in window

    6. In the Certificate console, expand the Certificates (Local Computer) tree and verify that the following certificate is listed under Trusted Root Certification Authorities\Certificates, Trusted Publishers and Third-Party Root Certification Authorities:

    Issued To:WSUS Publishers Self-signed
    Issued By:WSUS Publishers Self-signed
    Intended Purpose :<All>


    7. Verify that the Thumbprint properties on the above certificate matches the thumbprint on the “WSUS Publishers Self-signed” certificate under WSUS\Certificates in the certificate store on the Essentials server.

    --------------------
    Regards,
    Eric Zhang




    Tuesday, April 1, 2008 8:04 AM
  •  Eric Zhang - MSFT wrote:

    6. In the Certificate console, expand the Certificates (Local Computer) tree and verify that the following certificate is listed under Trusted Root Certification Authorities\Certificates, Trusted Publishers and Third-Party Root Certification Authorities:

    Issued To:WSUS Publishers Self-signed
    Issued By:WSUS Publishers Self-signed
    Intended Purpose :<All>

    --------------------
    Regards,
    Eric Zhang



    SCE SERVER
    -----------------------------
    Everything checked okay until step #6.  There appear to be some Code Signing certificate issues on the SCE server. 

    1)  Trusted Root Certification Authorities\Certificates - missing Issued to: WSUS Publishers
    2)  Trusted Publishers - missing Certificates sub folder
    3)  Third Part Root Certification Authorities\Certificates - missing Issued to: WSUS Publishers

    For items 1 & 3 that have the Certificates sub folder, is it just a matter of importing the code signing certificate that is found at c:\Program Files\System Center Essentials 2007\Certificates?

    What is involved in adding the Certificates subfolder to item #2 (Trusted Publishers) and importing the certificate?


    CLIENT
    -------------------------------
    1)  The code signing certificates look good.
    2)  On the client should I expect to see an entry for SSLCertHash in HKLM\Software\Microsoft\System Center Essentials\1.0\PolicySettings?  If so, this entry does not exist on the client.
    Tuesday, April 1, 2008 4:11 PM
  • Hi,

    As the certificate didn't appear at Trusted Root Certification Authorities\Certificates and Third Part Root Certification Authorities\Certificates, please navigate to "%programfiles%\system center essentials 2007\certificates", import the WSUScodesigningcert.cer.

    --------------------
    Regards,
    Eric Zhang



    Wednesday, April 2, 2008 10:27 AM
  • Yesterday I imported the WSUScodesigningcert certificates into Trusted Root Certification Authorities\Certificates and Third Part Root Certification Authorities\Certificates.  Restarted the server and let it sit over night. 

    Server still shows "This computer has not been contacted yet."  Still unable to deploy any software packages to the clients - fails when SCE trys to publish the package to the server. Have tried restarting IIS.  Should wuauclt.exe /detect trigger the server to check in with itself. Not sure if this triggers the health state or not?
    Thursday, April 3, 2008 12:30 PM
  • Hi,

    Did the same error (in your first post) appear again when you create software package or is there any other error?

    If there is, please post the new error
    --------------------
    Regards,
    Eric Zhang



    Monday, April 7, 2008 9:27 AM
  • We receive the same error message as in the first post.  Nothing new in the way of error messages.
    Monday, April 7, 2008 1:11 PM
  • Hi,

    Please Open a cmd prompt and navigate to the C:\Program Files\System Center Essentials 2007 directory, then run the following command: SCECertPolicyConfigUtil.exe /PolicyType domain /ManagementGroup <management group name> /SCEServer <Essentials Server FQDN>

    --------------------
    Regards,
    Eric Zhang



    Tuesday, April 8, 2008 7:03 AM
  • Is this fix applicable to both server 2003 and 2008?

     

    Thanks in advance

     

    Matt Smith

    Thursday, May 22, 2008 9:42 AM