
    SCCM Configmgr SUP sync error The underlying connection was closed Could not establish trust relationship for the SSL/TLS secure channel

    By Eswar Koneti | September 21, 6:02 pm | CM2012

    I was contacted by a colleague who said that Configmgr is not showing the updates that were published a day ago by SCUP. So I started checking the SCUP configuration (proxy) and the status of the updates, whether they are published or not, using the date published, and also verified the SCUP logs.

    From the SCUP perspective, all looks good. Next to look at is Configmgr: here, I checked the SUP properties to see whether the published products are selected, and checked the proxy details in the site system role properties.

    Next to look at are the proxy details that are configured in IE for the system account, for which you can use the psexec tool to verify them.

    How do you open IE using the system account, or check the proxy details in cmd using psexec? Run cmd as administrator, then run psexec -i -s cmd.exe

    Type netsh winhttp show proxy; it must give you the proxy details if any are configured. Run the following command to open IE using the system account:

    PsExec.exe -i -s "C:\Program Files\Internet Explorer\iexplore.exe"

    Set the proxy in IE. Once this is done, come back to the cmd prompt (system account) and run netsh winhttp import proxy source=ie to import the IE settings.

    This also looks good to me. What else could go wrong for the updates not to show up in the SCCM console?

    Now I move on to the SUP logs. WCM.log and WSUSCtrl.log both look good, and the final log is the sync log wsyncmgr.log, which has some errors in it.

    Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS

    We know that there have been no changes to IIS or any configurations in the last few months with respect to SSL. I tried the sync by providing the user name in the site system role properties to use credentials to connect to the proxy server, but it failed with the same error.

    After searching Google with the above error, I found a few blogs that refer to https://technet.microsoft.com/en-us/library/dn265983.aspx (configure trusted roots), but they do not apply to me.

     https://the-d-spot.org/2011/05/17/sccm-sup-sync-failed-6703/

    http://www.mssccmfaq.de/2012/06/02/sup-synchronisation-schlagt-fehl-could-not-establish-trust-relationship-for-the-ssltls-secure-channel/

    https://www.windows-noob.com/forums/topic/7559-sup-sync-issue/

    After some time, I got to know from another colleague that there were some changes made to the proxy server by the NOC team which require SSL authentication. What it means is that software update sync happens using the system account instead of a user account, which requires SSL authentication, and in this case we need to get approval from the security team to allow the SCCM site server computer account to bypass it or be added to the exception list.
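The check below is an added example, not part of the original post: run from the SYSTEM prompt opened with psexec -i -s cmd.exe, it requests a tunnel through the proxy without credentials and reports either the proxy's refusal or the certificate chain that validation saw. The host names and ports are placeholders; take the proxy from netsh winhttp show proxy and use the HTTPS endpoint your sync contacts.

```powershell
param(
    [string]$TargetHost = 'upstream.example.invalid',  # placeholder: HTTPS host the sync contacts
    [int]$TargetPort    = 443,
    [string]$ProxyHost  = 'proxy.example.invalid',     # placeholder: from "netsh winhttp show proxy"
    [int]$ProxyPort     = 8080
)

$tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
try {
    $net = $tcp.GetStream()

    # Ask the proxy for a tunnel without credentials, as the computer account would.
    $connect = "CONNECT ${TargetHost}:$TargetPort HTTP/1.1`r`nHost: ${TargetHost}:$TargetPort`r`n`r`n"
    $bytes = [Text.Encoding]::ASCII.GetBytes($connect)
    $net.Write($bytes, 0, $bytes.Length)

    # Read the proxy's reply headers up to the terminating blank line.
    $reply = New-Object System.Text.StringBuilder
    while (-not $reply.ToString().EndsWith("`r`n`r`n")) {
        $b = $net.ReadByte()
        if ($b -lt 0) { break }
        [void]$reply.Append([char]$b)
    }
    $status = ($reply.ToString() -split "`r`n")[0]
    "Proxy reply  : $status"
    if ($status -notmatch '^HTTP/1\.[01] 200') {
        "Tunnel refused. A 407 means the proxy wants authentication this account did not supply."
        return
    }

    # Let the handshake finish whatever the verdict, but record what validation reported.
    $script:tls = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:tls = [pscustomobject]@{
            PolicyErrors = $errors
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Issuers      = ($chain.ChainElements | ForEach-Object { $_.Certificate.Issuer }) -join ' <- '
        }
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
    $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject      : $($leaf.Subject)"
    "PolicyErrors : $($script:tls.PolicyErrors)"
    "ChainStatus  : $($script:tls.ChainStatus)"
    "Issuer chain : $($script:tls.Issuers)"
}
finally { $tcp.Close() }
```

A PolicyErrors value other than None corresponds to the "remote certificate is invalid" exception in wsyncmgr.log; compare the issuer chain with the CA you expect for that endpoint. The script sends no request data over the tunnel.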

    References and troubleshooting: https://support.microsoft.com/en-us/help/10329/configuring-software-update-synchronization-in-system-center-configura

    https://technet.microsoft.com/en-sg/library/bb892795.aspx


    1 Comment

    1. Alps on September 21, 2017 6:18 PM

      Your colleagues seem to be quite helpful.
