jperkins71
We've run into an issue with expired certificates on our SCCM server. The distribution certificate and the IIS certificate used for HTTPS/SSL binding expired at the same time.
Requesting a certificate from our internal CA and setting the IIS HTTPS bindings to use this certificate cleared up most functions (software and update deployment is working fine).
I've requested a DP certificate from the internal CA, exported it to a file, imported it via Administration -> Site Configuration -> Servers and Site System Roles -> Distribution point -> Properties, even tried removing the PXE service or the entire distribution point role, updated the boot image to distribution points, but I'm still getting a "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID is set" error in SMSPXE.log when attempting to PXE boot a system.
The certificate template for DP certificates is set up as shown in a number of how-to sites posted:
(The latter example uses Windows 10/Server 2016 compatibility level and a slightly different subject alternate name field than the others.)
The server is running SCCM 2403.
Can anyone offer suggestions for tracking down this issue? Errors in SMSPXE.log definitely look like there's a certificate date issue happening:
<![LOG[[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:830">
<![LOG[[TSMESSAGING] : dwStatusInformationLength is 4
]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:831">
<![LOG[[TSMESSAGING] : *lpvStatusInformation is 0x20
]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:832">
<![LOG[[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID is set
]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:856">
<![LOG[[TSMESSAGING] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:862">
<![LOG[Sending with winhttp failed; 80072f8f]LOG]!><time="20:32:53.028+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:10293">
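Added example, not part of the original post: a small parser that reads CMTrace-format entries like the ones quoted above (including entries whose message spans a line break) and decodes the `*lpvStatusInformation` bitmask into WinHTTP secure-failure flag names. The flag values are the standard ones from `winhttp.h`; the function and variable names are made up for this example.

```python
import re

# WinHTTP secure-failure bit flags (winhttp.h). SMSPXE.log prints the bitmask
# on the "*lpvStatusInformation is 0x.." line.
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED",
    0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED",
    0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID",
    0x00000020: "CERT_DATE_INVALID",
    0x00000040: "CERT_WRONG_USAGE",
    0x80000000: "SECURITY_CHANNEL_ERROR",
}
KNOWN_BITS = sum(SECURE_FAILURE_FLAGS)  # sum of the dict keys

# One CMTrace-format entry. DOTALL because the message part can contain a
# newline, as the lpvStatusInformation entries in the post do.
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]+)" '
    r'date="(?P<date>[^"]+)" component="(?P<component>[^"]*)"', re.DOTALL)
MASK = re.compile(r"\*lpvStatusInformation is (0x[0-9A-Fa-f]+)")

def decode_flags(mask):
    """Return the names of every secure-failure flag set in the bitmask."""
    names = [name for bit, name in SECURE_FAILURE_FLAGS.items() if mask & bit]
    if mask & ~KNOWN_BITS:
        names.append(f"UNKNOWN(0x{mask & ~KNOWN_BITS:x})")
    return names

def secure_failures(log_text):
    """Find each logged bitmask and decode it, keeping the entry timestamp."""
    found = []
    for entry in ENTRY.finditer(log_text):
        hit = MASK.search(entry["msg"])
        if hit:
            mask = int(hit.group(1), 16)
            found.append((entry["date"], entry["time"], entry["component"],
                          mask, decode_flags(mask)))
    return found

# Three entries copied from the SMSPXE.log excerpt in the post.
SAMPLE = r'''<![LOG[[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:830">
<![LOG[[TSMESSAGING] : dwStatusInformationLength is 4
]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:831">
<![LOG[[TSMESSAGING] : *lpvStatusInformation is 0x20
]LOG]!><time="20:32:53.027+300" date="07-25-2024" component="SMSPXE" context="" type="3" thread="7012" file="libsmsmessaging.cpp:832">'''

if __name__ == "__main__":
    print(*secure_failures(SAMPLE), sep="\n")
```

For the excerpt above, the mask 0x20 decodes to CERT_DATE_INVALID alone, with no CA-trust, name-mismatch or revocation bits set. The trailing `80072f8f` carries Win32 error 12175 (ERROR_WINHTTP_SECURE_FAILURE) in its low 16 bits, which is the generic wrapper for these flags.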