Own signed updates. Error 800b0004. Digital Signatures not trusted

 
 
Matthias Kracht
      02-26-2008
We have published our own self-created updates using WSUS. The updates were
automatically signed by a certificate, which was created explicitly for the
server. The root certificate is published on the computer as "trusted root".
Now we have digital signature errors on some computers (Windows Vista) like
the following:

2008-02-26 18:13:38:942 1020 cf4 DnldMgr BITS job {92E46536-BB95-468B-8C4A-4129FAF413B3} completed successfully
2008-02-26 18:13:39:021 1020 cf4 Misc Validating signature for C:\Windows\SoftwareDistribution\Download\4c04a18e468da1078fbeccdba67fe55f\15702aee91a845bedac5f000dad241cacef96f77:
2008-02-26 18:13:39:036 1020 cf4 Misc Microsoft signed: No
2008-02-26 18:13:39:036 1020 cf4 Misc Trusted Publisher: No
2008-02-26 18:13:39:036 1020 cf4 Misc WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\4c04a18e468da1078fbeccdba67fe55f\15702aee91a845bedac5f000dad241cacef96f77 are not trusted: Error 0x800b0004
2008-02-26 18:13:39:036 1020 cf4 DnldMgr WARNING: File failed postprocessing, error = 800b0004
2008-02-26 18:13:39:036 1020 cf4 DnldMgr Failed file: URL = 'http://server.local.net/Content/77/15702AEE91A845BEDAC5F000DAD241CACEF96F77.cab', Local path = 'C:\Windows\SoftwareDistribution\Download\4c04a18e468da1078fbeccdba67fe55f\15702aee91a845bedac5f000dad241cacef96f77'
2008-02-26 18:13:39:036 1020 cf4 DnldMgr Error 0x800b0004 occurred while downloading update; notifying dependent calls.

Now the question is: Which kind of error is it? I tried to validate the
signing of the file using "signtool /verify" and it was successful.
 
PA Bear [MS MVP]
      02-26-2008
Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communities...pdate_services

In your newsreader:
news://msnews.microsoft.com/microsof...pdate_services
--
~PA Bear

Harry Johnston [MVP]
      02-26-2008
PA Bear [MS MVP] wrote:

> Forwarded to WSUS newsgroup
> (microsoft.public.windows.server.update_services) via crosspost as a
> convenience to OP.


Actually it sounds like a digital certificates issue - I don't know which
newsgroup would be most suitable. One of the Vista groups perhaps?

If it really is specific to the way WSUS verifies certificates, I think the OP
may be on their own; I don't know of anybody else who has tried to do this before.

>> We have published our own self-created updates using WSUS. The updates were
>> automatically signed by a certificate, which was created explicitly for the
>> server. The root certificate is published on the computer as "trusted root".
>> Now we have digital signature errors on some computers (Windows Vista) like
>> the following:


What mechanism did you use to publish the certificate to the client computers?
Have you double-checked that the certificate is present? Have you tried copying
the file to the client and examining the certificate via Windows Explorer?

Harry.
 
Matthias Kracht
      02-27-2008
The computers are located in an Active Directory. The signing certificate was
created by a Microsoft certification authority, which is a part of the Active
Directory. So the root certificate of the certification authority is
automatically published to the computers using Active Directory.
The root certificate of the certification authority is installed on the
computer (I checked this using the MMC console and the certificate plugin for
the local computer context).
Explorer reports this certificate as valid. I also tried this verification step
in the system context and everything is fine.
The big problem is that on some computers it works and on other computers it
doesn't work.
It's really complex to understand the verification process of WSUS.

I added the signing certificate to the "trusted publishers" on the computers
which have the problems. That solved the issue.
But the question is: Why does it work on some computers without this step? Or
which parameter or setting is wrong on the computers where it crashes?
 
Harry Johnston [MVP]
      02-27-2008
Matthias Kracht wrote:

> The big problem is that on some computers it works and on other computers it
> doesn't work.


Try to locate the common distinguishing factor.

Harry.
 
Matthias Kracht
      02-29-2008
How? I have no idea how to find these differences.
Do you have an idea?

 
Harry Johnston [MVP]
      03-01-2008
Matthias Kracht wrote:

> How? I have no idea how to find these differences.
> Do you have an idea?


Nothing specific. You could try making a list of those machines on which it
works or those on which it doesn't (whichever is smaller) and look for common
factors - which part of the network they're on, what software they have
installed, when they were installed, that sort of thing.

It sounded from your first message as though all Vista machines were failing and
all WinXP machines succeeding, but I take it this isn't the case. Are all the
failing machines running Vista? In that case you could ignore the WinXP
machines and just compare the Vista machines that work with those that don't.
You might also want to ask in one of the Vista newsgroups and see if anyone has
experienced any similar problems with digital signatures.

Harry.
 
Harry Johnston [MVP]
      03-05-2008
Matthias Kracht wrote:

> I added the signing certificate to the "trusted publishers" on the computers
> which have the problems. That solved the issue.
> But the question is: Why does it work on some computers without this step?


Actually this may be a bigger worry than I thought - according to what
documentation I can find WUA shouldn't accept certificates unless they're in the
Trusted Publishers store. So it's the computers where the update is working
that aren't functioning properly, not the ones where it isn't.

Have you checked on one of the computers where the updates were being accepted
to see whether the certificate was already in the Trusted Publishers store?
Perhaps it wound up there as a side-effect of something else you were doing on
those computers?

You can look at the computer store by starting mmc, adding the Certificates
snap-in and selecting Computer Account.

If you can verify that you're seeing locally created updates accepted by WUA
without the certificate being in Trusted Publishers, please contact me directly
as this would warrant further investigation.

Harry.
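
The store check discussed in this thread, scripted as an added example (not part of any post above and not Microsoft's code) so it can be run on one working and one failing client and the output compared. 0x800b0004 is TRUST_E_SUBJECT_NOT_TRUSTED; the parameter name, the helper Test-InMachineStore and the output field names are assumptions, and the script assumes Get-AuthenticodeSignature can read the signature of the file type being checked.

```powershell
# Added example: report how THIS machine's certificate stores see the signer
# of a locally published update. Run from an elevated prompt.
param(
    # Assumption: path to a copy of the signed update file (e.g. the .cab)
    [Parameter(Mandatory = $true)] [string] $Path
)

# Hypothetical helper: is a certificate with this thumbprint in a LocalMachine store?
function Test-InMachineStore([string] $StoreName, [string] $Thumbprint) {
    [bool](Get-ChildItem "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    throw "No signer certificate found in '$Path' (status: $($sig.Status))"
}
$signer = $sig.SignerCertificate

# Build the chain in machine context ($true), which is the context a system
# service such as the update agent runs in, and take the last element as the root.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chainOk = $chain.Build($signer)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    SignatureStatus    = $sig.Status
    SignerSubject      = $signer.Subject
    SignerThumbprint   = $signer.Thumbprint
    SignerNotAfter     = $signer.NotAfter
    ChainBuilds        = $chainOk
    RootSubject        = $root.Subject
    RootInTrustedRoot  = Test-InMachineStore 'Root' $root.Thumbprint
    SignerInTrustedPub = Test-InMachineStore 'TrustedPublisher' $signer.Thumbprint
} | Select-Object Computer, SignatureStatus, SignerSubject, SignerThumbprint,
    SignerNotAfter, ChainBuilds, RootSubject, RootInTrustedRoot, SignerInTrustedPub
```

A valid signature status with SignerInTrustedPub false matches the "Trusted Publisher: No" line in the log above; any client that accepts the update while reporting SignerInTrustedPub false is the case the last post asks to have reported.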
 