Download error: The requested URL does not pass this deployment’s download whitelist

Hello guys, I’m trying to push some Java updates through the console but as I understand Oracle updates require manual caching. Here is what I did to solve the issue, I hope i’m doing something wrong, because I read and tried everything.

  1. I have downloaded the required update and renamed it to its sha1 and placed it in …\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1

And then started to getting Download error: The requested URL does not pass this deployment’s download whitelist

  1. I created an iis server and created a folder under …\inetpub\wwwroot\Installers on bigfix server

3- DowloadWhitelist.txt was created manually, and added http://x.x.x/installers/ to it.

4- created a custom repository and placed http://x.x.x/installers/ in the box prompted when setting a new custom repository on the console, and then selected the targeted computers and clicked OK.

Now I’m getting 404 whenever I try to push the updates. Has anyone had a similar issue? Can somebody explain the way to whitelist clearly ?

Any input is appreciated.

1 Like

Several things to address here.

In the first step, renaming the files to their sha1 value and placing them in the wwwrootbes/bfmirror/downloads/sha1 folder should allow the server to skip downloading the files at all. I would check that you do have the correct download files, that the files’ sha1 values match the files’ content, and that the fixlet action references the correct sha1. A common scenario can happen when Oracle replaces the download binaries, and the fixlets may be out of date.

You can use the Bigfix-provided sha1.exe tool to check the files, or in the Fixlet Debugger use
(size of it, sha1 of it, sha256 of it) of file "c:\temp\myjavafile.exe" to check that it matches the expected values.

Part 2, when adding values to the DownloadWhiteList file, the values there are Regular Expressions, not string literals. I won’t be able to check mine until Tuesday, but the “.” Has a special significance as a wildcard character, and should be escaped via a backslash; “*” has a special value as a repeater. So the values should look something like
The dots in the hostname are escaped so they are literal “.” characters, and after the trailing forwardslash “.*” acts as “any number of wildcard characters”.

But if you are getting a 404 error from the manual repo, that implies the server is trying to do the download - so it’s ok with the download whitelist.

Error 404 is “page not found”. Can you manually download the file from the IIS server? The Download Status pane in the action status should show the exact URL it is trying to download, can you try that download link manually? I’m not sure whether the client setting is supposed to have the trailing backslash included, so check whether it’s trying to download http://your.repo.server/installers//jre9.whatever.exe (with two slashes after the repo path)

1 Like

There is no step 2. If step 1 is working correctly, then the Java Update fixlets should work.

I’m not sure what this is about, but this should be an entirely separate problem unrelated to the Java Updates.

Also, I don’t think a DownloadWhitelist is required at all if you use prefetches with sha1/sha256 with the default bigfix settings.

If you are trying to deploy custom software with prefetches using BigFix, it isn’t a bad idea to set up a software repository that is exposed to the BigFix server over HTTP/HTTPS and you can use that path to create prefetches, but also make the same downloads available to IT and end users directly if needed. You could use Box for this purpose, or BackBlaze B2 or your own webserver or whatever you want.

Yes, agreed and I should’ve been more clear. These are several separate issues. When manually precaching a file, there is no need for DownloadWhitelist nor for a Custom Repository.

1 Like

Hey all,
Need some help here
I have an isolated environment using bigfix ( trying to use bf )
i have placed all my downloaded fixlets in to a folder called bfpatches under the wwwrootbes folder
and i have created a DownloadWhitelist.txt file in …BES Server\Mirror Server\config
with the setting: http://bfsrv01.test.local/bfptaches/.*

every time i try run an action on a fixlet that is in bfpatch folder i get an http error 28 timeout was reached

what is not configured correctly ??

You likely need the port number on both the DownloadWhitelist, and on the actual download URLs in the actionscripts. Also I’d recommend using https downloads, and a small bit of regex formatting on the DownloadWhitelist, ie


thank you very much for you reply
is it https ??? not http ?
originally i had the port in the whitelist but i dont have it in the server config - ill try that also
another question do i need the \ before the . in the server FQDN ??

thank you so much

still failing even after setting my whitelist to
https://bfsrv01.test.local:52311/bfptaches/.* and using the port in the BES settings
so frustrating

I don’t know if this is a typo or a copy/paste, but…you misspelled ‘bfpatches’ twice now…

Https protocol would be preferred but you can use either or both.

The downloadwhitelist entry is a Regular Expression. The backslashes escape the “.” character which would otherwise match “anything” (including a dot). So a ‘bfsrv01.test’ expression would also match ‘bfsrv01atest’. Not escaping the dots allows a (small) chance of matching a server you didn’t intend.

What you are trying definitely works, it’s just a matter of getting the syntax correct.

You should probably use two entries, to match both http and https…