cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Summary

All patches fail to publish except SVM's very own Agent.
The error message has no identification text or error, it simply stating that it failed to publish.
In the C:\Users\<User>\Documents\csi_pluginlog.txt you find the following error:

"An Error Occurred While Downloading The File:"."  - HttpRequest: Status=499

Symptoms

You've changed nothing at the SVM host and publishing might have been working fine so far.

SVM starts throwing the same undefined error each time you attempted to publish a package.

User-added image
When you face this issue, the following conditions are usually met:

  • None of the packages listed under SPS publish successfully.
  • Publishing an Agent Deployment Package works, however.
  • The 'csi_pluginlog.txt' file in your local Documents folder displays the below error:

 

"Error in HttpRequest: status=499, statusText='It was not possible to connect to the revocation server or a definitive response could not be obtained.',winCode=12057"

Cause

The error is caused by CRL blocking on the local SVM host when Internet Explorer attempts to connect to http://crl3.digicert.com and http://crl4.digicert.com. Internet Explorer performs such CRL validation of each program utilizing its WinHTTP classes to forward connection requests online (also the case with SVM package downloading). See more about certificate validation security in SVM and Windows here. 

User-added image

The current error is being caused by GPO implicit deny restrictions applied to any site not explicitly listed as Trusted in the 'Trusted Sites' configuration of Internet Explorer.

To confirm that this is indeed the problem you are trying to resolve, you need to validate the 3 bullet points listed under 'Symptoms' above.  All three must be present, particularly the error message in the log file as pointed out.

Steps To Reproduce

Resolution

Resolution to this problem is to include the following URLs to the Trusted Sites zone of the Internet Explorer on the SVM host:

You may want to test the fix before making changes to the network.
Use the instructions in the Workaround section for that. 

Workaround

To make 100% sure you can resolve this by GPO edit, you have to enforce the appropriate websites on the machine while overriding the GPO applicability. 

You have only one option to do this - quickly modify the registry configuration of your browser and perform publishing before GPO is being reapplied. By default, GPO refreshes once per 90 min unless it's being configured otherwise. You have to config this quickly and check it promptly too. 

Steps to override GPO locally and test package publishing; 

  • Open regedit.exe
  • browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • Right-click on 'ZoneMap' key
  • New > Key
    • Name it exactly crl3.digicert.com
      • Right-click on the main central window and add new Dword value and name it http
        • Correct the DWORD value to 2
  • Right-click on ZoneMap and add second New Key
    • Name it exactly crl4.digicert.com?
      • In the new window, add new DWORD again, name it http and change its value to 2
  • Add third value under ZoneMap and name it *.secunia.com
    • Yet again create a new DWORD value for this key, name it http and change its value to 2
  • Right-click on 'ZoneMap' key and export the settings so that you can save yourself time editing again if GPO refreshes in the meanwhile.
  • Restart IE using the setting 'Run As Administrator' and login to your SVM account.
  • Go to Patching quickly and publish any package under the 'SPS' menu (Adobe, Flash, Java, or any of the like).
    • Publishing succeeds. You have now confirmed that the problem is indeed GPO restriction over the CRL websites.
  • Edit your GPO accordingly to accommodate the required URLs for DigiCert CRL website in the Trusted Sites zone for a permanent fix.

Additional Information

The SVM Support team had been able to successfully resolve this problem by performing the above steps. However, Trusted Sites' applicability extends to a lot of possible custom configurations and you may end up needing to perform deeper troubleshooting or customization at the registry. 

Refer to this full guide by Microsoft on how to adapt the required registry changes to your custom configuration to succeed in resolving this issue.

 

Related Documents

https://support.microsoft.com/en-gb/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users

https://blogs.msdn.microsoft.com/jpsanders/2011/02/21/certificate-revocation-list-crl-check-and-winhttp-proxy-settings/

 

Related KB Articles

Cannot Publish Any Packages due to "An Error Occurred While Downloading File from https://dl.csi7.secunia.com" [error 12045]

Was this article helpful? Yes No
No ratings
Version history
Last update:
‎Sep 16, 2019 01:03 PM
Updated by: