locked
WSUS synchronization failure( kb4022730 ) RRS feed

  • Question


  • Our WSUS server(3.0) failed to synchronize to Microsoft patch website,
    The wrong patch is kb4022730,Reason: File cert verification failure.
    Other patch was Download successful,but WSUS display synchronization status was failed. 


    The following records were found in the log file :

    2019-12-18 08:26:07.584 UTC Info WsusService.14 EventLogEventReporter.ReportEvent EventId=364,Type=Error,Category=Synchronization,Message=内容文件下载失败。原因: File cert verification failure. 源文件: /c/msdownload/update/software/secu/2017/06/windows10.0-kb4022730-x64_f8cc3c3282c9d0eff5c59ae004bd468d037a0b23.cab 目标文件: d:\WSUS\WsusContent\23\F8CC3C3282C9D0EFF5C59AE004BD468D037A0B23.cab。

    2019-12-18 08:31:17.598 UTC Info WsusService.14 EventLogEventReporter.ReportEvent EventId=364,Type=Error,Category=Synchronization,Message=内容文件下载失败。原因: File cert verification failure. 源文件: /c/msdownload/update/software/secu/2017/06/windows10.0-kb4022730-x86_749a5a7af3ac36a1ff014171f2b21eb38fc224f4.cab 目标文件: d:\WSUS\WsusContent\F4\749A5A7AF3AC36A1FF014171F2B21EB38FC224F4.cab。

    2019-12-18 08:32:38.424 UTC Info WsusService.23 SusService.ValidateServerCertificate CheckValidationResult Succeeds: CertOK
    2019-12-18 08:32:38.437 UTC Info WsusService.23 ServerCertificateValidator.IsHostAllowedException Requested host: sws1.update.microsoft.com
    2019-12-18 08:32:38.455 UTC Error WsusService.23 CertificateChainPolicy.VerifyPolicy The given certificate chain has not Microsoft Root CA signed root (800B0109)



    How to deal with this problem.

    jennifar.ding

    Friday, December 20, 2019 11:09 AM

All replies

  • Hi,
      

    Since your WSUS is located in Windows Server 2008 r2, the following updates need to be added at this time, and SHA-2 algorithm signature support has been completed:
      

    Please consider first checking if the above updates are installed on the WSUS server. If not, please perform these repairs first.
     

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 23, 2019 2:03 AM
  • Hi,Yic

    When we install these two patches, System prompted that they have been installed。


    jennifar.ding

    Monday, December 23, 2019 7:50 AM
  • Hi Jennifar,
      

    This problem may be caused by two potential root causes, please refer to the following steps to verify separately:
      

    1. Certificate chain issues
      The problem caused by the current root certificate or local publishing certificate not being installed correctly. If the computer can connect directly to the Windows Update site environment, it will receive updated certificate trust lists (CTL) every day.
      If not, please refer to the methods mentioned in the following two articles for obtaining:
      - "Configure a file or web server to download the CTL files"
      - "An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"
        
    2. File issues
      File corruption during transfer, or file was corrupt on WSUS USS. Please try the following steps to fix it:
      1) Reject approved updates.
      2) Close any open WSUS consoles.
      3) Go to Administrative Tools – Services and STOP the Update Services service.
      4) In Windows Explorer browse to the WSUSContent folder (typically D:\WSUS\WSUSContent or C:\WSUS\WSUSContent)
      5) Delete ALL the files and folders in the WSUSContent folder.
      6) Go to Administrative Tools – Services and START the Update Services service.
      7) Open a command prompt and navigate to the folder: C:\Program Files\Update Services\Tools.
      8) Run the command WSUSUtil.exe RESET

      You can check the SoftwareDistribution.log(C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log), When you start the reset process, you should see a line towards the bottom of the log which looks like this:
      WsusService.13  ExecutionContext.runTryCode  State Machine Reset Agent Starting
        
      After waiting for some time, check the log again and search for the text "State Machine Reset Agent Finished":
      - WsusService.13  ExecutionContext.runTryCode  State Machine Reset Agent Finished
          

    Reply back with the results would be happy to help.
      

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 24, 2019 1:26 AM
  • Hi,
     

    Any update is welcome here.
    If the issue is resolved, share your solution or find the helpful response "Mark as Answer" to help other community members find the answer.
     

    Thank you for your cooperation, as always.
     

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 27, 2019 5:11 AM
  • Hi,Yic

    We haven't followed your plan yet,
    If there is any result, it will be fed back here in time.
    Thank you for your support.


    jennifar.ding

    Friday, December 27, 2019 5:32 AM