I get the following error when a prefetch is being downloaded by the root server in some cases:
HTTP Error 60: Peer certificate cannot be authenticated with given CA certificates: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It would be interesting if I could turn off SSL certificate validation for downloads that are validated with size/hash, but even better would be for this to be fixed.
So I just had something similar happen and I spent a couple hours confused… But! I found the solution!
In my experience this happens if you use an http url and the webserver automatically rewrites HTTP to HTTPS before the download.
If I changed my prefetch to https it worked. I tried with your prefetch statement and when it’s HTTP it fails but if you change it to HTTPS it works just fine.
I will have to try that, but I think in my case, it was HTTPS and it failed, so I switched it to HTTP to see if that would succeed and that also failed.
I made a fixlet with your prefetch and got the same error; your prefetch from GitHub worked after changing to https. Hopefully the solution is that easy!
A recent attempt at deploying Adobe AIR 20.0.260 resulted in the HTTP/SSL error. I went into the fixlet and changed the prefetch link from http to https, and AdobeAIRInstaller.exe successfully completed caching to the server. Thanks for the tip.
I have the same issue, but with Core Protection Module --> Propagate.exe:
D:\Program Files\BigFix Enterprise\BES Server>PropagateFiles.exe CreateFileOnlyCustomSiteUserAuthorization "C:\BigFix\license.pvk" "x" "http://x.be:52311" "cpm_admin" "x" "FileOnlyCustomSite_CPMAutoUpdate"
HTTP Error 60: Peer certificate cannot be authenticated with given CA certificates: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thanks for your reply.
That issue is already solved (still have another one but working on it, PMR logged with prio 1).
The issue was that we had Web Reports installed on the root server a couple of months ago. We uninstalled it and reinstalled it on another server. The problem was that 2 settings ( _BESRelay_HTTPServer_SSLCertificateFilePath and _BESRelay_HTTPServer_SSLFlag ) were still on the root server. I’ve deleted those settings and it worked again.
One thing that I’ve already said a couple of times to Support too and maybe you can give an explanation: why isn’t there local logging of the .exe that needs to run??? We’ve already had a couple of problems with different exe’s, but there is no way to troubleshoot them? You only have the client log, but that only gives the last exit code from the exe, right?
This is something that needs to be done, I think. It would help to solve a lot of PMRs.
For the second part of your post here, are you referring to the logging that would be generated from the Windows Installer (for example, when patching)? Or what additional logging are you looking for?
There is a way to activate logging for the Windows installer. Please see the following MS article.
I’ll try that, but then you need to adjust the commands in the fixlet.
For example: Core Protection Module - Set ActiveUpdate Server Pattern Update Interval - ID 25
This runs a couple of .exe’s. The action always failed with us, but without logging it’s pretty hard to troubleshoot. So you suggest that I edit the original fixlet and put in the commands for logging?
I’ve found the error myself by running the commands manually etc and then there was an error in the DOS box itself, but that was just lucky then. I think the .exe should be temporarily logged and when failed the logs should be kept. When the action succeeds, the install logs should be deleted.
We also had this with the installation of WebReports. We had an issue during installation (problems with the user authentication and cluster DB), but there was no logging. After 3 days we found the solution ourselves (there had to be a local user created), but just by trial and error.
Yes @jgstew, I have changed the code by replacing with https and the action completed successfully.
But after checking on the end-user, I can see the file has been deployed successfully but was not installed correctly using the script.
// Install Python for Windows
prefetch python-3.5.2.exe sha1:3873deb137833a724be8932e3ce659f93741c20b size:29269656 https://www.python.org/ftp/python/3.5.2/python-3.5.2.exe sha256:529c46b9fd3dcf83029b8bfc95034e640ea2c69835b1aa4b75edeec8de764193
wait msiexec.exe /i "__Download\python-3.5.2.exe" /qn /quiet /norestart
I have used this as well: wait "{pathname of system folder & "\msiexec.exe"}" /i "{(pathname of client folder of current site) & "\__Download\python-3.5.2.exe"}" /qn /norestart
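Added example, not part of any post in this thread and not BigFix's own code: a check of downloaded bytes against the size and hashes carried in a prefetch statement, using the field layout of the line quoted above. The sample payload, the `example.com` URL and the function names are constructed for illustration; the plain-http warning reflects the redirect failures reported earlier in the thread.

```python
import hashlib
import re

# Field layout taken from the prefetch line quoted in the thread:
#   prefetch <name> sha1:<hex> size:<bytes> <url> [sha256:<hex>]
PREFETCH_RE = re.compile(
    r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+"
    r"size:(?P<size>\d+)\s+(?P<url>\S+)"
    r"(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)

def parse_prefetch(line):
    """Split one prefetch statement into its named fields."""
    m = PREFETCH_RE.match(line.strip())
    if not m:
        raise ValueError("not a prefetch statement in the expected layout")
    fields = m.groupdict()
    fields["size"] = int(fields["size"])
    return fields

def check_download(line, data):
    """Return a list of problems; an empty list means data matches the statement."""
    p = parse_prefetch(line)
    problems = []
    if len(data) != p["size"]:
        problems.append("size mismatch: got %d, expected %d" % (len(data), p["size"]))
    if hashlib.sha1(data).hexdigest() != p["sha1"].lower():
        problems.append("sha1 mismatch")
    if p["sha256"] is None:
        problems.append("no sha256 in statement; only sha1 and size were checked")
    elif hashlib.sha256(data).hexdigest() != p["sha256"].lower():
        problems.append("sha256 mismatch")
    if p["url"].lower().startswith("http://"):
        # Posters above saw Error 60 when an http URL was redirected to https.
        problems.append("plain-http URL; use the https form of the link")
    return problems

# Constructed sample payload and matching statement (not a real installer).
SAMPLE = b"constructed sample payload, not a real installer"
SAMPLE_LINE = "prefetch sample.bin sha1:%s size:%d https://example.com/sample.bin sha256:%s" % (
    hashlib.sha1(SAMPLE).hexdigest(), len(SAMPLE), hashlib.sha256(SAMPLE).hexdigest())

if __name__ == "__main__":
    print(check_download(SAMPLE_LINE, SAMPLE))          # matching bytes
    print(check_download(SAMPLE_LINE, SAMPLE + b"!"))   # altered bytes
```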
Try running the msiexec.exe through command prompt and see if that installs python perfectly on the machine. If that does not work, you have to modify your installation parameters and try it until the exit code is “0”.
To check the exit code in cmd, use “echo %ERRORLEVEL%”; you have to run this only after the msiexec completes its operation.
This is an EXE installer. You do not install it using MSI Exec. You have to figure out what type of installer it is and how to silently install it on the command line. You should do this outside of bigfix and only try it through bigfix once you have a command line option working silently.
There are many types of EXE installers and each has their own method for silent install. NSIS, InstallShield, InnoSetup, and many others. One way to try to figure out which you are dealing with is to upload the file to VirusTotal and see the analysis and look for the type of installer there. It can often be in the comments or other file metadata. VirusTotal will also give you the TrID results which can be useful.
Once you have the package, you can pre-cache the package on your BES Server and then use it as the download point. BigFix Downloads don’t support automation of prompts.
Now the script is able to download the file “win64_152824.exe” from the internet and it completes caching on the server, but after some time it fails during deployment on the end-user with Status: Download Failed.