Jump to content

On decommissioning of update servers for 2000, XP, (and Vista?) as of July 2019


Mcinwwl

Recommended Posts

3 minutes ago, maile3241 said:

Do I now have to copy the patched sfc_os.dll to dllcache?

@maile3241 As I already mentioned some posts above copy your patched file first to system32\dllcache and then to system32. If it is blocked do it from outside using linux or WinPE. Restart computer and check if both files are still there. And then...hopefully...:cheerleader:

But one thing I have to say. It would be much easier if you read your posts a little bit more intently. Hope it'll work finally. :yes:

Link to comment
Share on other sites


21 minutes ago, Dave-H said:

Which of the two versions of HTTPSProxy should I use?
I assume one is later than the other as it says "Update", but why are there two versions there, is there a reason to use one over the other?

@Dave-H  Use the folder HTTPSProxy! Both are identical versions except for one file and this is config.ini. In folder HTTPSProxy there is one, in folder Update HTTPSProxy is none due to the idea you will update an existing installation and don't want to loose your settings which would be overwitten by new one. In first installation you have no config.ini so you are working from scratch. I think that was the idea of @Thomas S.. He released two versions but first release had been faulty so users had to update.

Edited by AstroSkipper
correction
Link to comment
Share on other sites

On 1/22/2022 at 6:41 AM, Dave-H said:

I don't have that certificate.
Could you export it and upload it here so I can try it to see if it makes any difference?

I see D.Draker uploaded it for you. (Thanks!) It won't make any difference, though, unless you need it to validate another certificate that was signed by that one.

On 1/22/2022 at 6:41 AM, Dave-H said:

I'm very loathe to start messing around with my installation of ProxHTTPSProxy, I've been using it for years and it has always worked perfectly with many other sites and continues to do so. I find it hard to imagine that it has an intrinsic problem that is stopping just MS Update from working but everything else is fine.

I understand. I don't think there's any problem with ProxHTTPSProxy. I think there's a bug with Windows Update when it tries to validate a site certificate signed by your ProxHTTPSProxy certificate that runs from 2021 (last year) to 2031. It's throwing that date/time error code when it shouldn't be; your ProxHTTPSProxy certificate is fine but WU still chokes on it.

As to actually finding that bug and fixing it, where's @mixit when you need him?

On 1/22/2022 at 8:53 AM, Dave-H said:

Thanks, yes I've done that, but no difference.

For some reason, WU seems to like the original ProxHTTPSProxy certificate (the one that runs from 2015-2025) better. But, it won't work unless you put it in your trusted root store (with a command like the one D.Draker gave you for the M$ certificate) and also recreate your site certificates.

I think ProxHTTPSProxy will re-create your site certificates automatically if it sees that CA.crt has changed, but just in case, you can rename your ...\Certs folder and create a new, empty one. That will force ProxHTTPSProxy to generate all new site certificates and sign them with the new CA.crt.

The reason for renaming the folder vs. just clearing it is just for performance; if things go wrong, you could just delete everything in ...\Certs, but if instead you go back to your current configuration, ProxHTTPSProxy won't need to re-create all your site certificates yet again. If you have to put your current CA.crt back, it can just go back to using the old ones.

 

A final note: CA.crt contains both a certificate and its private key. The private key is needed to sign the site certificates that ProxHTTPSProxy creates.

From a pure security standpoint, it's unwise to share a file with a private key like CA.crt, because (in theory) any two folks using the same CA.crt could decrypt each other's communications, if they had access to each other's computers. But for what we're doing, it's probably fine. I doubt that any of us is inclined to spy on anyone else!

That said, does anyone using ProxHTTPSProxy have a CA.crt expiring between 2025 and 2031? It'd be interesting to see if it works or not. I suspect there's a particular point in between (1/1/2028?) where things go wrong.

Link to comment
Share on other sites

56 minutes ago, Mathwiz said:

That said, does anyone using ProxHTTPSProxy have a CA.crt expiring between 2025 and 2031? It'd be interesting to see if it works or not. I suspect there's a particular point in between (1/1/2028?) where things go wrong.

@Mathwiz My ProxHTTPSProxy CA certificate is valid until 2025 but my HTTPSProxy CA certificate is valid until 2030 which was recreated in 2020. I deleted all certificates in \Certs and site certificates were recreated when visiting these sites. I have installed both Proxy versions and after configuring properly they are working on Microsoft Update site without any problems.

Edited by AstroSkipper
addition
Link to comment
Share on other sites

17 minutes ago, Mathwiz said:

So, maybe 2020-2030 works too? If so that would be better than 2015-2025; it would give us another five years, assuming the remnants of WU/MU last that long....

@Mathwiz Of course I don't know how long these remnants of MU will last but deleting the HTTPSProxy CA certificate in HTTPSProxy's program folder let HTTPSProxy generate a new one with duration of 10 years beginning at time of creation I think.

Edited by AstroSkipper
correction
Link to comment
Share on other sites

@AstroSkipper

OK, I now have HTTPSProxy working, and I am using your confg.ini file.
It does seem to be doing everything that ProxHTTPSProxy was doing.
Unfortunately, there's no difference on Microsoft Update.
I'm still getting "[0x80072F8F] Your computer's date and time appear to be out of sync with an update certificate."

This is the output from HTTPSProxy.
I don't know if it provides any clues.

[22:43] 010 HTTPSProxy FrontProxy/v1.5.2 [WinError 10054] An existing connection was forcibly closed by the remote host
[22:43] 013 HTTPSProxy FrontProxy/v1.5.2 [WinError 10054] An existing connection was forcibly closed by the remote host
[22:43] 014 [D] "HEAD https://www.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232243" 302 216
[22:43] 015 [D] "HEAD https://fe2.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232243" 200 27634
[22:43] 016 [D] "HEAD https://www.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232243" 302 216
[22:43] 017 [D] "HEAD https://fe2.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232243" 200 27634
[22:44] 000 HTTPSProxy FrontProxy/v1.5.2 [WinError 10054] An existing connection was forcibly closed by the remote host

:dubbio:

Link to comment
Share on other sites

And the next attempt.

[22:49] 000 "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:600)" while trying to establish local SSL tunnel for [...................:80]
[22:49] 131 [D] "HEAD https://www.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232249" 302 216
[22:49] 132 [D] "HEAD https://fe2.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232249" 200 27634
[22:49] 133 [D] "GET https://www.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232249" 302 216
[22:49] 134 [D] "GET https://fe2.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232249" 200 27634
[22:49] 135 [D] "HEAD https://www.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232249" 302 216
[22:49] 136 [D] "HEAD https://fe2.update.microsoft.com/v11/3/legacy/windowsupdate/selfupdate/wuident.cab?2201232249" 200 27634
[22:50] 000 HTTPSProxy FrontProxy/v1.5.2 [WinError 10054] An existing connection was forcibly closed by the remote host

:dubbio:

Link to comment
Share on other sites

24 minutes ago, AstroSkipper said:

@Mathwiz Of course I don't know how long these remnants of MU will last but deleting the HTTPSProxy CA certificate in HTTPSProxy's program folder let HTTPSProxy generate a new one with duration of 10 years beginning at time of creation I think.

That is correct. The problem appears to be that if it's too recent, it seems to trigger that blasted "[0x80072F8F] Your computer's date and time appear to be out of sync with an update certificate."

The original CA.crt ran from 2015-2025 and seems to work just fine.

Yours runs from 2020-2030 and also seems to work fine.

Dave's runs from 2021-2031 and does not seem to work.

I also had one that ran from 2021-2031 that didn't work. I had to replace it with the original 2015-2025 one to fix it.

I assume a new one was created when @Dave-H installed @Thomas S.'s version, which presumably runs from 2022-2032. It doesn't work either.

Link to comment
Share on other sites

Yes, my HTTPSProxyCA.crt is now valid from 23/01/22 to 23/01/32.
It doesn't work.
I guess that HTTPSProxy and ProxHTTPSProxyMII have exactly the same issue then, and whichever one you use will have the same problem.
:(

Link to comment
Share on other sites

33 minutes ago, Mathwiz said:

The original CA.crt ran from 2015-2025 and seems to work just fine.

Yours runs from 2020-2030 and also seems to work fine.

Dave's runs from 2021-2031 and does not seem to work.

I also had one that ran from 2021-2031 that didn't work. I had to replace it with the original 2015-2025 one to fix it.

I assume a new one was created when @Dave-H installed @Thomas S.'s version, which presumably runs from 2022-2032. It doesn't work either.

 

20 minutes ago, Dave-H said:

Yes, my HTTPSProxyCA.crt is now valid from 23/01/22 to 23/01/32.
It doesn't work.
I guess that HTTPSProxy and ProxHTTPSProxyMII have exactly the same issue then, and whichever one you use will have the same problem.
:(

@Mathwiz Ok, indeed this could be the problem. @Dave-H Maybe you turn back time to 2020 and let HTTPSProxy generate a new one with duration of 10 years beginning at time of creation. Certs folder of HTTPSProxy must be cleared. Then we will know whether our guess is correct or not.

Edited by AstroSkipper
Link to comment
Share on other sites

Well I've restored ProxHTTPSProxy now, but I guess it's the same scenario.
I don't think that it matters which of the two programs you use, they are extremely similar and the same problem exists in both of them for me.
Entries in red in the console normally indicate errors I would have thought, both on HTTPSProxy and ProxHTTPSProxy.
I've now found that if I use the older certificate on ProxHTTPSProxy (the one that expires in 2025), it doesn't work at all.
I have to install the newer one that expires in 2031 to get it to work again.
Yes, I did start it with a new empty "Certs" folder!
:)

Link to comment
Share on other sites

On 1/24/2022 at 1:38 AM, Dave-H said:

Well I've restored ProxHTTPSProxy now, but I guess it's the same scenario.
I don't think that it matters which of the two programs you use, they are extremely similar and the same problem exists in both of them for me.
Entries in red in the console normally indicate errors I would have thought, both on HTTPSProxy and ProxHTTPSProxy.
I've now found that if I use the older certificate on ProxHTTPSProxy (the one that expires in 2025), it doesn't work at all.
I have to install the newer one that expires in 2031 to get it to work again.
Yes, I did start it with a new empty "Certs" folder!

@Dave-H How did you get the log file? Where is the log file located? I couldn't find anyone. And what is about turning back time to 2020 and letting HTTPSProxy generate a new one with duration of 10 years beginning at time of creation? Certs folder of HTTPSProxy must be cleared. Then we will know whether our guess is correct or not.

And check your Trusted Zone. Trusted Zone to high with only these three urls related to MU: http://www.update.microsoft.com, https://www.update.microsoft.com and http://update.microsoft.com. Disable in IE settings "Check for server certificate revocation".
https://imgur.com/UBI7btL

 

Edited by AstroSkipper
correction
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...