Certifacte Trust Provider error installing updates

[mikey8811]

Hi

I have a problem installing KB4014984 (Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Vista SP2 and Server 2008 SP2: April 11, 2017). It will download but not install, even after several reboots.

The error is:

0x800B0109

I looked it up and it says:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

I tried downloading the manual installs for this but it would not install either.

Running the stand alone installer as an administrator gives the same results with the error being:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

The stand alone installer failure has no error code but rather the full error message as above.

I tried resetting Windows Update manually

https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources

But the same error happened too.

Some history: I fixed the Checking for Updates situation and then did a Windows Update on 15 Mar. It was able to install the rest of the updates available then. Surprisingly, there were another 8 updates that did not show up then.

Thinking the updates were complete on 15 Mar, I then did some of the updates for Server 2008 from Greenhill's repository which I then interrupted.

I turned the computer off and it has been off until 27 Mar when these additional updates showed up - they didn't show up before or I would have updated them before I did Greenhill's updates.

I do have downloads of all the individual installers from Greenhill's repository including KB4507001 (the July 2019 Security and Quality Rollup for .NET Framework 4.5.2 for Windows Server 2008 SP2).

What can I do to get my Vista PC patched up at least until the Apr 11, 2017 update or an equivalent?

Thanks

[mikey8811]

Hi

Up for some help please.

Thanks

[greenhillmaniac]

That happened to me in Windows 7 when also trying to install recent .NET updates. I think W7 actually received some update about outdated certificates as opposed to Vista. I solved it by importing a MS certificate that Vista and 7 don't ship with.

http://download.microsoft.com/download/2/4/8/248D8A62-FCCD-475C-85E7-6ED59520FC0F/MicrosoftRootCertificateAuthority2011.cer

Run the following command with Admin rights to install it (replacing the path with the one where you downloaded the certificate)

certutil -addstore "Root" "c:\cacert.cer"

 

Edited June 22, 2020 by greenhillmaniac
Updated link

[mikey8811]

Hi @greenhillmaniac

Thanks for the reply.

I presume by path you mean

c:\cacert.cer

Where do i find the path where I downloaded the certificate? Or rather where should I "put" the certificate I downloaded?

Also, I was of the impression that the error occurred because I had mistakenly installed some of your updates before this which superceded KB4014984 (Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Vista SP2 and Server 2008 SP2: April 11, 2017). As a result an older update did not work.

I guess this isn't the case?

Thanks

Edited April 8, 2020 by mikey8811

[greenhillmaniac]

13 hours ago, mikey8811 said:

I presume by path you mean

c:\cacert.cer

Where do i find the path where I downloaded the certificate? Or rather where should I "put" the certificate I downloaded?

"C:\cacert.cer" is just an example of the path where the certificate could be placed. Choose the one you want.
BTW, after running the command the certificate will be in your certificate store, so you can delete the downloaded file after.

13 hours ago, mikey8811 said:

Also, I was of the impression that the error occurred because I had mistakenly installed some of your updates before this which superceded KB4014984 (Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Vista SP2 and Server 2008 SP2: April 11, 2017). As a result an older update did not work.

If that was the case the update would say that it didn't apply, not that the root certificate is not trusted (I think).

[mikey8811]

Thanks so much @greenhillmaniac

That worked like a dream.

I pretty much only use this Vista PC as a backup and run an old version of Firefox on it as there are some webpages I still use which need Java and that doesn't run on later versions. I also seed some torrents that are on a private tracker on it.

Which of the updates from your repository should I install just to be as safe as possible given the outdated system?

Thanks again.

Edited April 10, 2020 by mikey8811

[greenhillmaniac]

9 hours ago, mikey8811 said:

Which of the updates from your repository should I install just to be as safe as possible given the outdated system?

The minimum required should be the Servicing Stack update and the Monthly Rollup. Don't forget about the SHA-2 update to install updates newer than September 2019 (though it renders WU useless, since it bumps the build number to 6003).

I actually need to update the repository with January's MR (you can just get it from here for now).

[erpdude8]

On 4/6/2020 at 6:58 AM, greenhillmaniac said:

That happened to me in Windows 7 when also trying to install recent .NET updates. I think W7 actually received some update about outdated certificates as opposed to Vista. I solved it by importing a MS certificate that Vista and 7 don't ship with.

https://mega.nz/file/V0YUDaaB#5pxXFo__HTkkK3suk0qQq2WnyMv1Kaf6FXzxJnNhVfw

Run the following command with Admin rights to install it (replacing the path with the one where you downloaded the certificate)

certutil -addstore "Root" "c:\cacert.cer"

 

this MS Certificate Authority 2011 certificate is still available for download from MS support article 3149737

 

 

[greenhillmaniac]

On 6/20/2020 at 4:29 PM, erpdude8 said:

this MS Certificate Authority 2011 certificate is still available for download from MS support article 3149737

That's actually where I got it originally! When I made the post I forgot about its origin. Thanks.

[lmacri]

On 4/6/2020 at 8:58 AM, greenhillmaniac said:

Run the following command with Admin rights to install it (replacing the path with the one where you downloaded the certificate)

certutil -addstore "Root" "c:\cacert.cer"

 

Hi greenhillmaniac:

If the user saves the MicrosoftRootCertificateAuthority2011.cer certificate file in the root directory of C:\ (i.e., C:\MicrosoftRootCertificateAuthority2011.cer) is the correct syntax of the command certutil -addstore "Root" "C:\MicrosoftRootCertificateAuthority2011.cer" ?

Edited July 1, 2020 by lmacri

[greenhillmaniac]

19 hours ago, lmacri said:

Hi greenhillmaniac:

If the user saves the MicrosoftRootCertificateAuthority2011.cer certificate file in the root directory of C:\ (i.e., C:\MicrosoftRootCertificateAuthority2011.cer) is the correct syntax of the command certutil -addstore "Root" "C:\MicrosoftRootCertificateAuthority2011.cer" ?

Yes, it should work.

[lmacri]

58 minutes ago, greenhillmaniac said:

Yes, it should work.

Thank you for confirming.

And just an FYI that I know of several Vista  SP2 users performing a clean reinstall of their OS who have reported that your suggestion <here> to apply the MicrosoftRootCertificateAuthority2011.cer certificate file fixed the error 800B0109 ("A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider") that Windows Update now throws when it tries to install KB4014984 (Security and Quality Rollup for NET. Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Vista SP2 and Server 2008 SP2: April 11, 2017).  I decided to add a footnote to my instructions in the MS Answers thread Updates not working, it has been searching for updates for hours (where I post as user Great White North) in April 2020 and alert users to your solution since this problem installing KB4014984 has become so common.

Edited July 2, 2020 by lmacri

[greenhillmaniac]

3 hours ago, lmacri said:

I decided to add a footnote to my instructions in the MS Answers thread Updates not working, it has been searching for updates for hours (where I post as user Great White North) in April 2020 and alert users to your solution since this problem installing KB4014984 has become so common.

I've also used that post for my own Vista installs! Thanks.

[Boss]

I am facing a similar problem with Win Vista Starter 32 bit recently. But it does not seem to be connected with the certificate mentioned above and KB4014984 as the steps mentioned above were carried out properly. Event Viewer shows CAPI2 Error -- Event ID 11 -- A method to fix this issue was attempted but it did not solve. As soon as the PC is started within 5 minutes this error starts filling-in in Event Viewer > Windows Log > Applications

The error is seen in Event Viewer as--  Failed extract of third-party root list from auto update cab at: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

The link mentioned is working and I was able to download the authrootstl.cab and unzip it to find the authroot (Certificate Trust List). The images are attached.

I even right clicked it and it got installed also. This particular certificate is valid till December 2021. In this certificate as it can be seen in the images attached -- The certificate is OK.

Also the steps as mentioned in -- https://support.microsoft.com/en-us/topic/3acf0348-0f81-7c79-7029-a7c6c861cdfc

were carried out but it did nit solve the problem.  Why the error CAPI2 ? Any solution.... please guide.

MSFN.zip

[abbodi1406]

@Boss based on picture 6, parent "Microsoft Root Certificate Authority 2010" is not properly trusted in your os
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt

CertUtil -addstore Root MicRooCerAut_2010-06-23.crt