8 Replies Latest reply on Aug 20, 2017 12:44 PM by nthur

    Certificate Issue on Deployment

    PaulFreedman Apprentice

      Has something changed today with the signing of the instllation files pushed from Ivanti Patch server?

       

      When deploying from 2 different patch server the status of deployment stays at scheduled and we are seeing the following errors in STDeploy.log

       

      2017-07-03T13:45:58.3722064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'CL5.exe'not signed by ST.

      2017-07-03T13:45:58.3802064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\DplyEvts.dll'. Performing authenticode check on the existing sandbox version.

      2017-07-03T13:45:58.3802064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\DplyEvts.dll with CWinTrustVerifier

      2017-07-03T13:45:58.3962064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

      2017-07-03T13:45:58.3962064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'DplyEvts.dll'not signed by ST.

      2017-07-03T13:45:58.4062064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot.exe'. Performing authenticode check on the existing sandbox version.

      2017-07-03T13:45:58.4062064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot.exe with CWinTrustVerifier

      2017-07-03T13:45:58.4242064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

      2017-07-03T13:45:58.4242064Z 061c E STPackageDeployer.cpp:252 Required deployment support file content in 'SafeReboot.exe'not signed by ST.

      2017-07-03T13:45:58.4362064Z 061c I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot64.exe'. Performing authenticode check on the existing sandbox version.

      2017-07-03T13:45:58.4362064Z 061c I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-07-03-T-13-44-49\SafeReboot64.exe with CWinTrustVerifier

      2017-07-03T13:45:58.4562064Z 061c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

       

      Adding additional certs to trusted certificates seems to have resolved the issue. Was this a planned change?

        • 1. Re: Certificate Issue on Deployment
          ddenning SupportEmployee

          Hi Paul,

           

          We are not aware of any changes, but we will check on this.

           

          For the benefit of other users, what certificates did you add?

           

          Thanks!

           

          David

          • 3. Re: Certificate Issue on Deployment
            craige63 Rookie

            We started having the same issue on 6/28:

             

            2017-06-28T18:23:12.2655213Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\7Z.dll'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:12.2655213Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\7Z.dll with CWinTrustVerifier

            2017-06-28T18:23:12.2967205Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\CL5.exe'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:12.2967205Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\CL5.exe with CWinTrustVerifier

            2017-06-28T18:23:27.3035357Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3035357Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'CL5.exe'not signed by ST.

            2017-06-28T18:23:27.3035357Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\DplyEvts.dll'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:27.3035357Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\DplyEvts.dll with CWinTrustVerifier

            2017-06-28T18:23:27.3035357Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3191353Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'DplyEvts.dll'not signed by ST.

            2017-06-28T18:23:27.3191353Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot.exe'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:27.3191353Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot.exe with CWinTrustVerifier

            2017-06-28T18:23:27.3347349Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3347349Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'SafeReboot.exe'not signed by ST.

            2017-06-28T18:23:27.3347349Z 1214 I STPackageDeployer.cpp:230 Skipping extraction of existing support file 'C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot64.exe'. Performing authenticode check on the existing sandbox version.

            2017-06-28T18:23:27.3347349Z 1214 I Authenticode.cpp:153 Verifying signature of C:\Windows\ProPatches\Installation\InstallationSandbox#2017-06-28-T-18-22-36\SafeReboot64.exe with CWinTrustVerifier

            2017-06-28T18:23:27.3503345Z 1214 E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.

            2017-06-28T18:23:27.3503345Z 1214 E STPackageDeployer.cpp:252 Required deployment support file content in 'SafeReboot64.exe'not signed by ST.

            2017-06-28T18:23:27.3503345Z 1214 S DeployExeStates.cpp:409 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.

            2017-06-28T18:23:27.3503345Z 1214 I STDeploy.cpp:306 Current remediation phase completed. Process exit code: 1006.

            2017-06-28T18:23:27.3503345Z 1214 S STDeploy.cpp:203 Leaving wmain.

            • 4. Re: Certificate Issue on Deployment
              Evansf Rookie

              I have these certificates already...Something has changed...I'm getting the exact same errors in STDeploy.logs

              • 5. Re: Certificate Issue on Deployment
                ddenning SupportEmployee

                Hi Evan,

                 

                Thank you for letting us know about this issue. I have been asked to have all customers with this issue to create a support case at support.ivanti.com to investigate what is going on. Please set your logging to all, delete your current logs, reproduce the issue, and submit the verbose deployment logs with your case as is mentioned in this document How To: Collect Protect console, patch deployment and agent logs for troubleshooting

                 

                Also please reference this thread.

                 

                Thanks!

                 

                David

                • 6. Re: Certificate Issue on Deployment
                  ddenning SupportEmployee

                  Hi Craig,

                   

                  Thank you for letting us know about this issue. I have been asked to have all customers with this issue to create a support case at support.ivanti.com to investigate what is going on. Please set your logging to all, delete your current logs, reproduce the issue, and submit the verbose deployment logs with your case as is mentioned in this document How To: Collect Protect console, patch deployment and agent logs for troubleshooting

                   

                  Also please reference this thread.

                   

                  Thanks!

                   

                  David

                  • 7. Re: Certificate Issue on Deployment
                    nthur Rookie

                    Where do we get the certificates needed? we got an email from support with the certs attached but they got stripped by email security.

                    • 8. Re: Certificate Issue on Deployment
                      nthur Rookie

                      Also I think this should give a failed status instead of it being stuck in scheduled