
Certificate errors when downloading or installing third-party updates to clients or software distribution points

Updated: July 13, 2018

Overview

When you download or install third-party updates to clients or software distribution points, Patch Manager displays certificate errors. 

These errors include:

  • Certificate chain process terminated
  • Invalid Signature
  • Verification of the signature file failed, with an error like the one below on the WSUS server and a published package status of "Failed to download" in the Patch Manager console

Content file download failed. Reason: File cert verification failure. Source File: /c/upgr/2017/12/16299.125.171213-1220.rs3_release_svc_refresh_clientbusiness_vol_x86fre_en-gb_d877a9b12be8b99993fb3b5bd2a4ee7c177b4083.esd Destination File: d:\WSUS\WsusContent\83\D877A9B12BE8B99993FB3B5BD2A4EE7C177B4083.esd.

  • Failed to download content id "X". Error: Invalid certificate signature
    Package.

Environment

  • All Patch Manager versions

Cause 

  • The WSUS self-signed certificate is not installed in the Trusted Root Certification Authorities and Trusted Publishers stores.
  • "Allow signed updates from an intranet Microsoft update services location" is not enabled in the computer policy.

Resolution

Verify that the WSUS certificate is installed on your client computer, downstream Windows Server Update Services (WSUS) server, Microsoft System Center Configuration Manager (SCCM) server, and any other Microsoft® Windows® operating system that generates errors when you download and install your software updates. 

Check the Windows Update Policy

Verify that the WSUS self-signed certificate is located in the Trusted Root Certification Authorities (which authorizes the install of the signed content). Also, ensure that the policy on the computer has "Allow signed updates from an intranet Microsoft update services location" enabled.

  1. Open the Resultant Set of Policy (RSOP). RSOP shows the effective policy that results from the local policy and the GPOs applied to the system.

    Open a Search box and search for:

    RSOP.msc

  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
  3. Ensure that the Setting for "Allow signed updates from an intranet Microsoft update services location" is enabled.

    If there is no setting configured, update the setting from your Group Policy Management Console on the Domain Controller. See Configure clients using Group Policy in the Patch Manager Administrator Guide for details.

Export the WSUS certificate

Provision downstream publishing servers with a WSUS certificate by exporting the certificate from the upstream WSUS server.

See Configure clients using Group Policy in the Patch Manager Administrator Guide for details.

Import the WSUS certificate

After you export the certificate to a file, import the certificate file to both the Trusted Root Certification Authorities and Trusted Publishers stores. You can import the certificate into your GPO or you can manually import it to the PC with the steps below.

  1. Log on to the computer that is receiving the certificate error.
  2. Copy the certificate to the local machine.
  3. Launch the Microsoft Management Console by executing:

    MMC.exe

  4. Click File > Add/Remove Snap-in.
  5. Select Certificates and click Add.
  6. Select the Computer account, and click Next.
  7. Select the Local Computer, and click Finish.
  8. Click OK.
  9. Place the certificate in Trusted Root CA.
    1. Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
    2. Search the directory for a WSUS Self-Signed Certificate.
    3. Make sure the serial number is identical with the certificate you exported from WSUS.

      If the certificate is identical, go to step 10. If not, go to substep 4.

    4. Right-click Certificates under Trusted Root Certification Authorities > All Tasks > Import.
    5. Click Next.
    6. Click Browse and navigate to the directory where you copied the certificate.
    7. Select the certificate, and then click Next.
    8. Make sure the certificate is placed in Trusted Root CA, and then click Next.
    9. Click Finish.
  10. Place the certificate in Trusted Publishers.
    1. In the certificates MMC, navigate to Trusted Publishers > Certificates.
    2. Search this directory for the WSUS Self-Signed Certificate. If it is present, make sure the serial number is the same as the certificate you exported from WSUS. If it is, attempt to download the update again. If the serial number doesn’t match, continue with the next substep.
    3. If it is not present then right-click on Certificates under Trusted Publishers > All Tasks > Import.
    4. Click Next.
    5. Click Browse and navigate to the directory where you copied the certificate.
    6. Select the certificate, and click Next.
    7. Verify that the certificate is being placed in Trusted Publishers, and click Next.
    8. Click Finish.
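
The policy check and the two certificate store checks above can also be done from an elevated PowerShell session. The script below is an added example, not SolarWinds code: the certificate path and the -Import switch are assumptions of this sketch, and AcceptTrustedPublisherCerts is the registry value behind the "Allow signed updates from an intranet Microsoft update services location" policy.

```powershell
# Added example: verify the policy and both certificate stores on one machine.
# Run in an elevated session. $CerPath and -Import are assumptions of this sketch.
param(
    [string]$CerPath = 'C:\Temp\wsus-publishing.cer',  # hypothetical path to the exported certificate
    [switch]$Import                                    # import into any store where it is missing
)

# "Allow signed updates from an intranet Microsoft update services location"
# is stored as the DWORD AcceptTrustedPublisherCerts (1 = enabled).
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
if ($policy -and $policy.AcceptTrustedPublisherCerts -eq 1) {
    'Policy: enabled'
} else {
    'Policy: NOT enabled (configure it through Group Policy)'
}

# Load the certificate exported from the upstream WSUS server.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
"Exported certificate: serial $($exported.SerialNumber), thumbprint $($exported.Thumbprint)"
if ($exported.NotAfter -lt (Get-Date)) { "Warning: certificate expired on $($exported.NotAfter)" }

# Root = Trusted Root Certification Authorities, TrustedPublisher = Trusted Publishers.
foreach ($store in 'Root', 'TrustedPublisher') {
    $path  = "Cert:\LocalMachine\$store"
    $match = Get-ChildItem -Path $path | Where-Object {
        $_.SerialNumber -eq $exported.SerialNumber -and $_.Thumbprint -eq $exported.Thumbprint
    }
    if ($match) {
        "${store}: certificate present, serial number matches"
    } elseif ($Import) {
        # Adding a self-signed certificate to Root is a trust decision: confirm the
        # thumbprint printed above against the upstream WSUS server first.
        Import-Certificate -FilePath $CerPath -CertStoreLocation $path | Out-Null
        "${store}: certificate imported"
    } else {
        "${store}: certificate missing or serial number differs (rerun with -Import)"
    }
}
```

Without -Import the script only reports, so it can be run first on each machine that shows the certificate errors.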

 
