Microsoft Software Bulletins fail to download in the PRC

Article ID: 162502

Products

Patch Management Solution for Windows

Issue/Introduction

Microsoft-specific Software Bulletins fail to download in the Patch Remediation Center (PRC) from the vendor site to the Symantec Management Platform (SMP) Server.

When the URL https://download.microsoft.com is opened in a browser on the SMP Server, the page displays: There is a problem with the website's security certificate.

Download failed for 'https://download.microsoft.com/download/6/7/8/678A5BB8-89DB-4129-9EA2-4595E90756A1/Windows8.1-KB3099406-x64.msu'
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

   [System.Net.WebException @ Altiris.PatchManagementCore]
   at Altiris.PatchManagementCore.Utilities.File.DownloadToStreamWithRetries(Uri uri, DownloadContext downloadContext)
   at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)

The remote certificate is invalid according to the validation procedure.
   [System.Security.Authentication.AuthenticationException @ System]
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)

Exception logged from: 
   at Altiris.Diagnostics.Logging.EventLog.ReportException(Int32 severity, String strMessage, String category, Exception exception, String footer)
   at Altiris.NS.Logging.EventLog.ReportException(Int32 severity, String strMessage, String category, Exception exception)
   at Altiris.PatchManagementCore.Utilities.File.Download(String fromUrl, String toDirectory, String toFileName, Boolean forceDownload, DownloadParameters miscDownloadParams)
   at Altiris.PatchManagementCore.Utilities.FileDownloader.Download()
   at Altiris.PatchManagementCore.Utilities.FileDownloader.DoDownloadProcedure(Object data)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart(Object obj)

**CEDUrlStart** :http://entced.symantec.com/entt?product=SMP&version=7.5.3153.0&language=en&module=N3FcVDJ0CeyLtrnoo0P7DtojtqbEnQqJLMgq1H1Y6Zw=&error=-626137224&build=**CEDUrlEnd**

-----------------------------------------------------------------------------------------------------
Date: 10/15/2015 9:07:06 PM, Tick Count: 669450662 (7.17:57:30.6620000), Host Name: SMPNAME, Size: 4.42 KB
Process: AtrsHost (10276), Thread ID: 20, Module: AtrsHost.exe
Priority: 1, Source: Altiris.PatchManagementCore.Utilities.File.Download
 

Cause

The Baltimore CyberTrust Root certificate required to reach the vendor's site may not be present on the NS or domain. Microsoft has changed from the GTE CyberTrust Global Root to the Baltimore CyberTrust Root for all public-facing HTTPS services.

The certificate may also have been deleted manually, or removed by a Group Policy Object (GPO) targeting a specific Organizational Unit or group.

Resolution

Work through the following to resolve this issue:

  1. Ensure the root certificates are implemented per the required geographic region. Review the following in the environment:
    • Review with the SMP Administrator; implement the certificates in the SMP Server Certificate Store. Common process to view the Certificate Store:
      • Start > Run > MMC > File > Add or Remove Snap-ins
      • Highlight 'Certificates' and click 'Add>'
      • Select the 'Computer account' radio button and click 'Next'
      • Leave the default 'Local computer' setting and click 'Finish'
      • Check whether the Baltimore CyberTrust Root certificate is present.
    • Review with the Domain Administrator; implement the certificates in the Domain Certificate Store:
      • Ensure the trusted sites of the domain are in order and the needed certificates are installed.
      • Note: There were recent changes to the Baltimore CyberTrust Root certificate; see Microsoft KB2842149 as needed.

  2. If further network clearance is needed for Patch Management download URLs, view the URL Mask Maker Tool attached to TECH186657:
    • Run the tool; it provides each URL required by Patch Management to download updates from each respective vendor enabled on the PMImport.
    • PMImport is found in the Console > Manage > Jobs & Tasks > Software > Patch Management > Import Patch Data for Windows; Vendors and Software.

  3. Ensure the necessary ports are opened for communications from the SMP Server:
    • Port usage for SMP 7.5 & 7.6 is detailed in DOC6770.
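
The certificate check in step 1 can also be scripted. The following PowerShell is an added example, not part of the original article or of the Symantec product: it looks for the Baltimore CyberTrust Root in the machine certificate stores and then records what Windows chain validation reports for download.microsoft.com. It assumes an elevated PowerShell session on the SMP Server, direct outbound access on port 443 (no proxy), and matching the certificate by its subject name.

```powershell
# Added diagnostic example. Host and certificate name are taken from the article;
# matching on the subject CN and direct access to port 443 are assumptions.
$rootName   = 'Baltimore CyberTrust Root'
$targetHost = 'download.microsoft.com'

# 1. Is the root in the machine's trusted store, or explicitly distrusted?
foreach ($store in 'Root', 'Disallowed') {
    $found = @(Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "*CN=$rootName*" })
    if ($found.Count -gt 0) {
        $found | ForEach-Object {
            'LocalMachine\{0}: {1} (thumbprint {2}, expires {3:yyyy-MM-dd})' -f
                $store, $_.Subject, $_.Thumbprint, $_.NotAfter
        }
    } else {
        "LocalMachine\${store}: '$rootName' not found"
    }
}

# 2. Handshake with the vendor site and record what chain validation reports.
$result = @{}
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $policyErrors)
    $result.Errors = $policyErrors
    $result.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $result.Status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    # Keep the platform's verdict: accept only a chain Windows itself validated.
    return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$tcp = New-Object System.Net.Sockets.TcpClient($targetHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($targetHost)
    "Handshake with $targetHost succeeded"
} catch {
    "Handshake with $targetHost failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

'Chain presented (leaf first):'; $result.Chain
"SslPolicyErrors: $($result.Errors)"
"Chain status:    $($result.Status -join ', ')"
```

`RemoteCertificateChainErrors` with a chain status of `UntrustedRoot` or `PartialChain`, while the root is missing from `LocalMachine\Root`, matches the cause described above. A hit in `LocalMachine\Disallowed` means the certificate is explicitly distrusted on this server.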
