Geekzone: technology news, blogs, forums
# 177784 14-Aug-2015 07:02

Hey All,

Been scanning forums with respect to fe2.updates.microsoft.com and the bizarre cert validation issues that you get when hitting this URL. As far as I can gather, this issue has been around since late 2014 and still hasn't been resolved.

It's strange that Windows by default doesn't trust the Root or Intermediate... I can trust the Root and Intermediate manually but am wondering if it's actually a legitimate site (appears to be hit when synchronising WSUS). Bizarre that MS haven't pushed out an update so that Windows trusts the Root and Intermediate for this site.

Am I losing the plot or is this an outstanding issue that MS still hasn't resolved?

Any thoughts appreciated.

Cheers,
A


  # 1366059 14-Aug-2015 08:20

Are you still trying to get WinXP or earlier updates on WSUS by chance?

  # 1366084 14-Aug-2015 09:16

Absolute legend.

Root cause was that the Office 2002/XP product was selected. Unselecting that option allows updates to pass through the CheckPoint using HTTPS inspection without needing to put a bypass exception in place for that URL.

Well spotted! I no longer get sync failures due to that URL not being valid which is awesome.

Trusted
Microsoft

  # 1366113 14-Aug-2015 09:49

andynzengr: Hey All, [...]

Can you describe what the problem actually is?

What error code are they seeing, logs, etc? Are you behind a proxy that tries to inspect HTTPS traffic? If the proxy is acting as MITM while doing that, WU will not trust the connection. We're extremely particular about the SSL cert for security reasons.

  # 1366354 14-Aug-2015 13:59

Absolutely,

If you browse to https://fe2.update.microsoft.com, the certificate is invalid.

Root: Microsoft Root Certificate Authority 2011
Serial: 3F 8B C8 B5 FC 9F B2 96 43 B5 69 D6 6C 42 E1 44
Validity: 23 Mar 2036
Common Name: Microsoft Root Certificate Authority 2011

Intermediate: Microsoft Update Secure Server CA 2.1
Serial: 33 00 00 00 0A B8 91 A2 C8 0A 50 A5 DF 00 00 00 00 00 0A
Validity: 22 Jun 2027
Common Name: Microsoft Update Secure Server CA 2.1

Server Certificate: fe2.update.microsoft.com
Serial: 33 00 00 00 4B 71 09 0E 6C 98 35 08 53 00 00 00 00 00 4B
Validity: 17 Mar 2016
Common Name: fe2.update.microsoft.com

I would have expected both the Root and Intermediate to be trusted in the local certificate store on an MS Server 2012 server; I also tested from a Windows 7 PC and from Safari. None of these browsers trust the Root or Intermediate.

I inspect SSL on my perimeter CheckPoint firewall. WSUS by default hits fe2.update.microsoft.com for what appears to be updates referencing Windows XP/Windows 2000. Removing those check boxes in WSUS stops the server trying to access fe2.update.microsoft.com, and traffic is permitted/synchronisation completes. The configuration on the CheckPoint will drop any HTTPS connection that is invalid (including if CRL/OCSP URLs are not reachable). All other HTTPS communication through my firewall, either inspected or bypassed, works fine. It seems like the server certificate needs to be reissued and that the current certificate being presented to the client is not trusted.

Regards,
A
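An added example to go with the last two posts (constructed here, not code from the thread, from Microsoft or from Check Point): it mints throwaway test certificates named after the chain listed above and shows the three outcomes a client can hit. The genuine chain validates; an inspection proxy's re-signed chain comes back "untrusted" while the proxy CA is not installed, which is the "certificate is invalid" symptom; and once the proxy CA is installed, a client that insists on Microsoft's own root, as Windows Update does, still rejects it. All keys, serials and certificates are generated on the fly; only the names are borrowed from the post as labels.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MintCert issues a constructed test certificate; a nil parent makes it self-signed.
func MintCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial; the real ones are quoted in the thread
	tmpl := &x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA { // server certs need the host in a SAN; modern verifiers ignore the CN
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainVerdict runs normal path validation for host, then also requires the validated chain to
// end at the expected root, which is what a pinning client such as Windows Update effectively does.
func ChainVerdict(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host, expectedRootCN string) string {
	ipool, rpool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range intermediates { ipool.AddCert(c) }
	for _, c := range roots { rpool.AddCert(c) }
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: ipool, Roots: rpool})
	if err != nil {
		return "untrusted: " + err.Error() // the "certificate is invalid" symptom seen in the thread
	}
	if root := chains[0][len(chains[0])-1]; root.Subject.CommonName != expectedRootCN {
		return "intercepted: chain ends at " + root.Subject.CommonName // proxy CA trusted, still not Microsoft's root
	}
	return "ok"
}
```

The same check works on a real chain captured from the firewall side, since the only thing the verdict depends on is which root the presented chain actually validates to.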
