none
Strange SSL problem RRS feed

  • Question

  • Hi,

    We had WSUS on Windows Server 2016 some weeks ago with SSL which working fine.

    We have reinstalled our server from scratch recently.

    The only difference is that domain server name is not the FQDN used to access it (and used by SSL too).

    Clients can connect to the server without error. WSUS console says that SSL certificate can't be verified.

    All necessary config (wsusutil, iis) has been done.

    The certificate is a commercial and fully recognized certificate (but we have imported CA root just in case).

    The event log says error 12012 (API not functionning).

    As the certificate is ok, we can't understand why console is not running.

    I've tried accessing WSUS using Url https://FQDN:8531/WSUSAdmin, but I've got a blank page. Perhaps it's an error 500, but where can I find the logs ?

    Have you some idea about this strange thing ?

    Thanks for your help

    Monday, July 29, 2019 10:08 AM

All replies

  • Create a DNS alias that points to the server IP and matches the name defined in the certificate. Use that name to access WSUS. 

    Http error logs are in C:\WINDOWS\system32\LogFiles\HTTPERR\

    Launch the IIS console and check the logging settings to see where the individual site logs are.

     


    Monday, July 29, 2019 12:20 PM
  • Sorry for my late reply and thanks for your help.

    I've made some different tests since July.

    The server has been reinstalled using Windows Server 2019.

    The SSL is installed and I can try some Url like https://myserver.mydomain:8531/ClientWebService/client.asmx

    The DNS correctly respond for query about myserver.mydomain.

    On the WSUS console, the error is that SSL certificate can not be validated. The SSL is good and provided with full chain. CA root certificate has been imported on the server too just in case of.

    Is the error comes from that FQDN used is not the same than server name (NetBios) and domain (AD) name ?

    Thanks

    Wednesday, October 30, 2019 9:50 PM
  • Is the error comes from that FQDN used is not the same than server name (NetBios) and domain (AD) name ?


    What name are you telling the WSUS console to connect to?

    What name is on the certificate? 

    To the best of my knowledge, the names need to match. 

    Wednesday, October 30, 2019 10:15 PM
  • The netbios name is the same as the first part of FQDN.

    LAN: myserver.localdomain

    FQDN: myserver.mydomain

    NetBios (use with the console): myserver

    SSL certificate use myserver.mydomain

    The only difference between the server name on the domain and the FQDN used is the domain part.

    The console seems to be able to use netbios name only, because the server name field is always uppercase.

    Thursday, October 31, 2019 9:05 AM
  • I've modified our DNS so myserver.mydomain is a CNAME to myserver.localdomain

    I've modified ou SSL certificate so now it include SAN for myserver.mydomain.

    But the error still appear...

    Don't know what to do

    Thursday, October 31, 2019 11:07 AM
  • I need to reboot to be sure, but it seems that finally all is working.

    IIS haven't correctly updated some parameters, a IISRESET was needed.

    Thursday, October 31, 2019 11:32 AM
  • Hi,

    Sorry for my late reply, I'm too busy...

    WSUS has worked some days (less than a week), and same error again.

    Nothing has changed (except a reboot and system updates).

    I didn't understand anything. How WSUS can work just for some days ????

    Again SSL certificate problem.

    ...

    Sunday, November 17, 2019 6:21 PM

  • Again SSL certificate problem.


    We can't see your screen. We don't know where you are seeing this error. We don't know what you or any of your co-workers may have changed. If you are unable to share specific details like screen images, the actual names that you are using, the details of the certificate, then maybe you would have better luck opening a real case with Microsoft support and let them have access to your servers to troubleshoot the problem.

    We can still try to help, but we really need more details. Earlier you posted:

    The SSL is installed and I can try some Url like https://myserver.mydomain:8531/ClientWebService/client.asmx

    Does that still work? What name are you using to browse? What does Edge/Chrome say about the certificate? 







    • Edited by MotoX80 Monday, November 18, 2019 2:32 PM
    Monday, November 18, 2019 1:39 AM