17 Replies. Latest reply on Aug 23, 2017 11:36 PM by pulchritude19

    Certificate Issue on Deployment

    PaulFreedman Apprentice

      Has something changed today with the signing of the installation files pushed from Ivanti Patch server?

       

      When deploying from 2 different patch servers, the status of deployment stays at scheduled and we are seeing the following errors in STDeploy.log

       

      2017-07-03T13:45:58.3722064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'CL5.exe'not signed by ST.

      2017-07-03T13:45:58.3802064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\DplyEvts.dll'. Performing authenticode check on the existing sandbox version.

      2017-07-03T13:45:58.3802064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\DplyEvts.dll with CWinTrustVerifier

      2017-07-03T13:45:58.3962064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

      2017-07-03T13:45:58.3962064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'DplyEvts.dll'not signed by ST.

      2017-07-03T13:45:58.4062064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot.exe'. Performing authenticode check on the existing sandbox version.

      2017-07-03T13:45:58.4062064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot.exe with CWinTrustVerifier

      2017-07-03T13:45:58.4242064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

      2017-07-03T13:45:58.4242064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'SafeReboot.exe'not signed by ST.

      2017-07-03T13:45:58.4362064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot64.exe'. Performing authenticode check on the existing sandbox version.

      2017-07-03T13:45:58.4362064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot64.exe with CWinTrustVerifier

      2017-07-03T13:45:58.4562064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

       

      Adding additional certs to trusted certificates seems to have resolved the issue. Was this a planned change?

        • 1. Re: Certificate Issue on Deployment
          ddenning SupportEmployee

          Hi Paul,

           

          We are not aware of any changes, but we will check on this.

           

          For the benefit of other users, what certificates did you add?

           

          Thanks!

           

          David

          • 3. Re: Certificate Issue on Deployment
            craige63 Rookie

            We started having the same issue on 6/28:

             

            2017-06-28T18:23:12.2655213Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\7Z.dll'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:12.2655213Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\7Z.dll with CWinTrustVerifier

            2017-06-28T18:23:12.2967205Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\CL5.exe'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:12.2967205Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\CL5.exe with CWinTrustVerifier

            2017-06-28T18:23:27.3035357Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3035357Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'CL5.exe'not signed by ST.

            2017-06-28T18:23:27.3035357Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\DplyEvts.dll'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:27.3035357Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\DplyEvts.dll with CWinTrustVerifier

            2017-06-28T18:23:27.3035357Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3191353Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'DplyEvts.dll'not signed by ST.

            2017-06-28T18:23:27.3191353Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot.exe'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:27.3191353Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot.exe with CWinTrustVerifier

            2017-06-28T18:23:27.3347349Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3347349Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'SafeReboot.exe'not signed by ST.

            2017-06-28T18:23:27.3347349Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot64.exe'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:27.3347349Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot64.exe with CWinTrustVerifier

            2017-06-28T18:23:27.3503345Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3503345Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'SafeReboot64.exe'not signed by ST.

            2017-06-28T18:23:27.3503345Z 1214 S DeployExeStates.cpp:409 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.

            2017-06-28T18:23:27.3503345Z 1214 I STDeploy.cpp:306 Current remediation phase completed. Process exit code: 1006.

            2017-06-28T18:23:27.3503345Z 1214 S STDeploy.cpp:203 Leaving wmain.
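
            Added example, not part of any post in this thread and not Ivanti code: a small triage script for the STDeploy.log excerpts above. The signed decimal on the WinTrustVerifier.cpp lines is a Windows HRESULT (-2146762748 is 0x800B0004, which winerror.h names TRUST_E_SUBJECT_NOT_TRUSTED); the function names and the pairing of each error with the preceding "Verifying signature" line on the same thread id are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input assembled from STDeploy.log lines quoted in this thread.
SAMPLE_LOG = r"""
2017-06-28T18:23:12.2655213Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\7Z.dll with CWinTrustVerifier
2017-06-28T18:23:12.2967205Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\CL5.exe with CWinTrustVerifier
2017-06-28T18:23:27.3035357Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.
2017-06-28T18:23:27.3035357Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'CL5.exe'not signed by ST.
2017-07-03T13:45:58.3802064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\DplyEvts.dll with CWinTrustVerifier
2017-07-03T13:45:58.3962064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.
"""

# HRESULT names as defined in the Windows SDK header winerror.h.
WINTRUST_HRESULTS = {
    0x800B0004: "TRUST_E_SUBJECT_NOT_TRUSTED",
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x800B010C: "CERT_E_REVOKED",
}

LINE_RE = re.compile(r"^\S+Z\s+(?P<tid>[0-9a-fA-F]+)\s+[A-Z]\s+[\w.]+:\d+\s+(?P<msg>.*)$")
VERIFY_RE = re.compile(r"Verifying signature of (?P<path>.+) with CWinTrustVerifier")
ERROR_RE = re.compile(r"Certificate verification failed with error: (?P<code>-?\d+)")

def describe(signed_code):
    """Render the signed 32-bit value from the log as an unsigned HRESULT plus its name."""
    hresult = signed_code & 0xFFFFFFFF
    return "0x%08X %s" % (hresult, WINTRUST_HRESULTS.get(hresult, "unknown"))

def failed_files(log_text):
    """Map each file whose Authenticode check failed to the decoded error(s) logged for it."""
    pending = {}                 # thread id -> path most recently submitted for verification
    failures = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue             # blank line or text that is not a log record
        tid, msg = m.group("tid"), m.group("msg")
        verify, error = VERIFY_RE.search(msg), ERROR_RE.search(msg)
        if verify:
            pending[tid] = verify.group("path")   # overwriting drops a file that logged no error
        elif error and tid in pending:
            name = pending.pop(tid).rsplit("\\", 1)[-1]
            failures[name].add(describe(int(error.group("code"))))
    return dict(failures)

if __name__ == "__main__":
    for name, errors in sorted(failed_files(SAMPLE_LOG).items()):
        print(name, ", ".join(sorted(errors)))
```

            On the sample lines it reports CL5.exe and DplyEvts.dll as failing with 0x800B0004 and leaves 7Z.dll out, since no error follows its verification line.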

            • 4. Re: Certificate Issue on Deployment
              Evansf Rookie

              I have these certificates already...Something has changed...I'm getting the exact same errors in STDeploy.logs

              • 5. Re: Certificate Issue on Deployment
                ddenning SupportEmployee

                Hi Evan,

                 

                Thank you for letting us know about this issue. I have been asked to have all customers with this issue create a support case at support.ivanti.com to investigate what is going on. Please set your logging to all, delete your current logs, reproduce the issue, and submit the verbose deployment logs with your case, as is mentioned in this document: How To: Collect Protect console, patch deployment and agent logs for troubleshooting

                 

                Also please reference this thread.

                 

                Thanks!

                 

                David

                • 6. Re: Certificate Issue on Deployment
                  ddenning SupportEmployee

                  Hi Craig,

                   

                  Thank you for letting us know about this issue. I have been asked to have all customers with this issue create a support case at support.ivanti.com to investigate what is going on. Please set your logging to all, delete your current logs, reproduce the issue, and submit the verbose deployment logs with your case, as is mentioned in this document: How To: Collect Protect console, patch deployment and agent logs for troubleshooting

                   

                  Also please reference this thread.

                   

                  Thanks!

                   

                  David

                  • 7. Re: Certificate Issue on Deployment
                    nthur Rookie

                    Where do we get the certificates needed? We got an email from support with the certs attached, but they got stripped by email security.

                    • 8. Re: Certificate Issue on Deployment
                      nthur Rookie

                      Also I think this should give a failed status instead of it being stuck in scheduled

                      • 10. Re: Certificate Issue on Deployment
                        ddenning SupportEmployee

                        Hi nthur,

                         

                        Do you have a support case open on this? We can send you the Microsoft certificates for a particular error we have seen in the support case. If that does not fix it then as jayg500 stated you need to make sure your root certificates are updated from Microsoft.

                         

                        The reason that the status shows as scheduled rather than failed is because at that point, everything is happening on the client machine so if something fails before the client can start broadcasting its progress after the console has approved everything, then the console will not know and will stay at scheduled which is the last state before the target machine starts broadcasting packets.

                         

                        Thanks!

                         

                        David

                        • 11. Re: Certificate Issue on Deployment
                          pulchritude19 Rookie

                          Hi,

                          I have the same problem on one of the client servers (Windows Server 2008). I've already tried deploying patches but it is still stuck in scheduled task, and the root certificates are already updated. Do I need to open a support case on this also?

                           

                          Thanks!

                          • 12. Re: Certificate Issue on Deployment
                            JayG500 Rookie

                            Support has been very prompt and helpful to me.  There are different reasons why it can appear to stay in "scheduled" mode.

                            What does your deploy log say on the workstation?

                             

                            I ran into the following issues of things staying in scheduled:

                            1) The certificate issue mentioned above

                            2) Scheduler needed updated

                            3) Anti-virus blocking

                            4) Rights issues with the deploy users -- somehow under machine properties it had the wrong user set for deploy; my machine group for scanning had the correct user.

                            • 13. Re: Certificate Issue on Deployment
                              nthur Rookie

                              Hello,

                               

                              Yes, we opened a case with Ivanti and the tech tried to send us the certs via email, but they get stripped by McAfee; that is why I was asking if the certs needed are available to download somewhere.

                              We did a Microsoft Root CA update on a machine to test this, and yes it resolves the issue but now that machine has 300+ certs in trusted root  and there are a bunch of errors in the event log that there are way too many certs in there.

                              I found one Digi cert that seems to be the one Ivanti is looking for, and I exported that one and imported it to several machines, and that one seems to take care of the issue with machines stuck in scheduled with error WinTrustVerified.cpp:270 Certificate Validation failed with error: -214762748 in the STDeploy.log.

                              • 14. Re: Certificate Issue on Deployment
                                pulchritude19 Rookie

                                Hi,

                                What specific certs did Ivanti support send to you? Can you share them, so that I can test them on the affected machine?

                                We have the same issue with machines stuck in scheduled.

                                As far as I know, it is a certificate issue, right? What is the best troubleshooting that you can share with me?

                                I need to resolve the issue as soon as possible.

                                 

                                Thanks.
