Unable to publish updates due to WPP certificate problem

Topics: Publishing Issue
Feb 26, 2014 at 5:15 AM
Hi there,

I have the following WSUS Architecture:
WSUS-Main -> Contains all the CAB files (works together with WSUS-SQL).
WSUS-SQL -> The database needed by WSUS-Main.
WSUS-Servant -> Gets patches from WSUS-Main/SQL so that it can deploy patches to Client Workstation
Client Workstation -> Gets patches from WSUS-Servant because of security reasons.

I had installed the WPP on WSUS-Main and WSUS-Servant and had used the WPP on WSUS-Main to generate the certificate. Then, when I used that certificate on WSUS-Servant, it displayed "You don't have any certificate. You will not be able to publish updates".

Is there something that I am missing? I've already set all computers to install Locally Published Updates, according to the Installation Guide.pdf.
Coordinator
Feb 26, 2014 at 9:31 AM
Hi, I will assume that your Wsus-Servant is a Wsus Downstream server and Wsus-Main is the Upstream server.

Your workstations pull updates from the downstream server, so the downstream server needs to get updates from the upstream server, and therefore the downstream server needs to trust the upstream server.

You have to add the code signing certificate into the "Trusted Publishers" store of the downstream server. If the certificate is a self-signed cert, then the same certificate must also be added to the "Trusted Root Certification Authorities" store on the downstream server. Otherwise you have to add the certificate of the root authority that issued the code signing certificate into "Trusted Root Certification Authorities". This will allow the downstream server to pull locally published updates from the upstream server.

If you want to locally publish onto the downstream server directly, you have to create a self-signed code signing certificate from the downstream server (don't forget to spread this certificate onto the client workstations).

I recommend publishing only on the upstream server, because it is much more complicated to manage certificates otherwise.
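The store placement the Coordinator describes, as an added example that is not part of the thread or of WPP: export the upstream server's signing certificate through the WSUS administration API, import it on the downstream server into Trusted Publishers and (because it is self-signed) Trusted Root, and check that both stores hold the same thumbprint. The file path, host roles and the use of certutil.exe (Import-Certificate is not available on Windows Server 2008 R2) are assumptions; run each step elevated on the server it names.

```powershell
# Added example, not code from the thread or from WPP.
# Assumptions: run as administrator; C:\temp path and server roles are placeholders;
# the WSUS 3.0 SP2 administration assembly is present on the upstream server.

# --- Step 1: on the upstream server (WSUS-Main), export the public part of the signing cert ---
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$cert = $wsus.GetConfiguration().SigningCertificate      # X509Certificate2, $null if none was generated
if (-not $cert) { throw 'No signing certificate is configured on this WSUS server.' }
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)  # public key only
[IO.File]::WriteAllBytes('C:\temp\WSUS-Main-signing.cer', $der)
"Exported $($cert.Subject) thumbprint $($cert.Thumbprint)"

# --- Step 2: on the downstream server (WSUS-Servant), after copying the .cer over ---
$cerPath = 'C:\temp\WSUS-Main-signing.cer'
certutil.exe -addstore 'TrustedPublisher' $cerPath | Out-Null
# A self-signed cert is its own root, so it must also be trusted as a root.
# If an internal CA issued the signing cert, import that CA's root cert into 'Root' instead.
certutil.exe -addstore 'Root' $cerPath | Out-Null

# --- Step 3: confirm both stores contain the same thumbprint as the file ---
$expected = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath).Thumbprint
foreach ($store in 'TrustedPublisher', 'Root') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $expected }
    if ($hit) { "OK: $expected present in LocalMachine\$store" }
    else      { Write-Warning "Thumbprint $expected missing from LocalMachine\$store" }
}
```

Step 2 is the same import the client workstations need, so the same two certutil lines can be pushed to them (by GPO or script) once the workstations are expected to install locally published updates.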
Mar 3, 2014 at 5:18 AM
Edited Mar 3, 2014 at 5:26 AM
Hi there,

I had used the WPP-Servant to create this self-signed certificate by clicking on "Generate the Cert" button and placed it into "Trusted Root Certification Authorities" and "Trusted Publishers" certificates folder of WPP-Servant. However, after I restarted WPP-Servant and click on the "Connect to Server" button, it displays an error message, "The certificate is invalid. You will not be able to publish updates". Is there some problems with the WPP's generating of certificate? Presently, I am using the latest version of WPP, Release v1.3.1401.04.

Anyway, the reason I am adopting this WSUS architecture is security: we do not want our client workstations to have any access to WSUS-Main and WSUS-SQL. Hence, I need to deploy these updates from WSUS-Servant.

Example of our WSUS Architecture:
WSUS-Main -> IP Address: AA.XX.XX.XX
WSUS-SQL -> IP Address: AA.XX.XX.XX
WSUS-Servant -> IP Addresses: AA.XX.XX.XX and BB.XX.XX.XX
Client Workstations -> IP Address: BB.XX.XX.XX
Coordinator
Mar 4, 2014 at 2:33 PM
What is the version of Wsus ?
Mar 12, 2014 at 2:21 AM
3.0 SP2
Coordinator
Mar 14, 2014 at 7:33 PM
If you have used the function to generate a self-signed certificate with a Wsus 3.0SP2, then the certificate has been generated by the Wsus server itself.
You can try these options :
  • Delete all WSUS self-signed certificates in the "WSUS" store, the "Trusted Root Certification Authorities" store and the "Trusted Publishers" store, then re-generate a self-signed certificate.
    or
  • In WPP use the option "Ignore Code-Signing Certificate validation errors" (in Tools -> Settings -> Server tab).
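The first option above (clean out the old self-signed certificates, regenerate, then check the result) as an added example that is not part of the thread or of WPP. It assumes the subject WSUS gives its self-signed certificate is "CN=WSUS Publishers Self-signed" (change $subjectPattern if yours differs) and that it is run elevated on the server being regenerated; .NET X509Store is used rather than Remove-Item on Cert:\ because the latter needs PowerShell 3.0, which Server 2008 R2 (WSUS 3.0 SP2) does not ship with.

```powershell
# Added example, not code from the thread or from WPP.
# Assumption: WSUS names its self-signed cert "CN=WSUS Publishers Self-signed".
$subjectPattern = 'WSUS Publishers Self-signed'
$storeNames = 'WSUS', 'Root', 'TrustedPublisher'

function Open-LmStore([string]$name, [string]$flags) {
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    $s.Open($flags)   # e.g. 'ReadWrite, OpenExistingOnly'; OpenExistingOnly avoids creating a store by mistake
    return $s
}

# Step 1: remove every matching certificate from the three stores (run BEFORE "Generate the Cert")
function Remove-WsusSelfSignedCerts {
    foreach ($name in $storeNames) {
        try { $store = Open-LmStore $name 'ReadWrite, OpenExistingOnly' }
        catch { Write-Warning "Store LocalMachine\$name does not exist on this machine"; continue }
        $stale = @($store.Certificates | Where-Object { $_.Subject -like "*$subjectPattern*" })
        foreach ($c in $stale) {
            "Removing $($c.Thumbprint) (valid to $($c.NotAfter)) from LocalMachine\$name"
            $store.Remove($c)
        }
        $store.Close()
    }
}

# Step 2: after regenerating in WPP, check the new cert is usable and consistent across stores
function Test-WsusSigningCert {
    $wsus = Open-LmStore 'WSUS' 'ReadOnly, OpenExistingOnly'
    $signing = @($wsus.Certificates | Where-Object { $_.Subject -like "*$subjectPattern*" })
    $wsus.Close()
    if ($signing.Count -ne 1) { return "Expected exactly one signing cert in the WSUS store, found $($signing.Count)" }
    $cert = $signing[0]
    $problems = @()
    if (-not $cert.HasPrivateKey)     { $problems += 'signing cert has no private key (cannot sign packages)' }
    if ((Get-Date) -gt $cert.NotAfter) { $problems += 'signing cert is expired' }
    foreach ($name in 'Root', 'TrustedPublisher') {
        $s = Open-LmStore $name 'ReadOnly, OpenExistingOnly'
        $present = $s.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0
        $s.Close()
        if (-not $present) { $problems += "thumbprint $($cert.Thumbprint) missing from LocalMachine\$name" }
    }
    # Verify() builds the chain; a self-signed cert only passes once the same cert sits in Root
    if (-not $cert.Verify()) { $problems += 'chain validation failed (Verify() returned false)' }
    if ($problems.Count -eq 0) { "OK: $($cert.Subject) $($cert.Thumbprint) is consistent across stores" }
    else { $problems }
}

Remove-WsusSelfSignedCerts
# ... click "Generate the Cert" in WPP, then run:
Test-WsusSigningCert
```

Any line Test-WsusSigningCert returns other than "OK ..." names a concrete reason the downstream WPP would report the certificate as invalid: a leftover or duplicate cert in the WSUS store, a missing copy in Root or Trusted Publishers, or a cert without its private key.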
Mar 18, 2014 at 2:19 AM
Hi there, the WPP-Servant still displays an error message, "The certificate is invalid. You will not be able to publish updates", despite re-generating the self-signed certificate and using the option "Ignore Code-Signing Certificate validation errors". I was wondering whether we are supposed to generate this certificate from the upstream server and deploy it to the rest of the servers, including the downstream server.

Anyway, I was trying on only one machine, WSUS-Main, to test whether I can deploy updates to itself. When I ran "wuauclt /detectnow" for the second time, WSUS-Main could not detect any updates, even though the WPP console displays "Not Installed" for WSUS-Main. And when I right-click on WSUS-Main to install the update, it displays an error message, "Fail to copy". I've already set WSUS-Main to install Locally Published Updates, according to the Installation Guide.pdf, and checked that the Windows Firewall service is switched off.
Coordinator
Mar 20, 2014 at 10:10 PM
Hi,
WPP-Servant still displays an error message, "The certificate is invalid. You will not be able to publish updates", despite [...] using the option "Ignore Code-Signing Certificate validation errors".
I really don't know how you can get that! This error message is displayed only when the certificate is invalid AND the option "Ignore Code-Signing Certificate validation errors" is NOT active.
As I run "wuauclt /detectnow" for the second time, the WSUS-Main could not detect any updates
Which updates do you want your WSUS to detect if you haven't published any update?!
Marked as answer by DCourtel on 5/8/2014 at 2:49 AM
Mar 21, 2014 at 2:02 AM
Hi,

I am trying to deploy the update Adobe Reader 9.3.3, AdbeRdr933_en_US.exe. Although the status is detected as "Not Installed" and the .cab is accessible in my WPP console, I still could not detect any updates to download and install. Anyway, I have tried self-generating the certificate multiple times, but I was again still unable to detect any updates to download and install. Any advice on this issue?