This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

"An Error Occurred While Downloading File from https://dl.csi7.secunia.com" [WinHttp 12045]

Summary

When attempting to publish any type of package through SPS in SVM, the publishing attempt fails with the same error message stating that SPS cannot download the file from https://dl.csi7.secunia.com This error is caused by the inability of your host machine (the SVM host) to verify the 'Server certificate' of the URL at https://dl.csi7.secunia.com. Most often this is due to domain blocking, Proxy/Firewall blocking, Policy-based blocking, etc.

Symptoms

  • The failure to publish packages occurs for all packages (excluding SVM Agent) being published from that same host machine.
  • You see the following error appearing on your screen when publishing operation fails:

User-added image

  • After typing the address https://dl.csi7.secunia.com the browser bar turns red showing that there's a problem.
    • You click on the 'lock icon' on the right side of the browser bar and you review the certificate
    • Under the 'Certification Path' tab, you see 2 or fewer certificate steps (while the certificate chain is composed of 3 steps.

User-added image

  • When you look at the 'csi_pluginlog.txt' file (located in "My Documents" directory), it shows the following additional information:
Error in HttpRequest: status=499, statusText='The certificate authority is invalid or incorrect',winCode=12045
Failed to download file https://dl.csi7.secunia.com/?action=download&package=VLC_3.0.3_64-bit_SPS.exe&toke

Cause

This error is a CRL-related (certificate revocation list) issue that occurs due to the inability of the local machine (the one you host SVM onto) to access online certificate revocation servers hosted by DigiCert.
The active Certificate Revocation List check is performed by the IE browser against an online web server hosted on the DigiCert domain.

If access to DigiCert is forbidden for server systems or all domain-joined systems, then CRL validation will fail. The check could also fail due to "Request time out" especially where a proxy is involved. When CRL validation fails, the browser immediately prevents the requestor (in this case SVM) to proceed as it is not deemed 'Trusted'. 

You can verify this by typing 'https://dl.csi7.secunia.com' in the address bar which should turn red indicated 'problems with the certificate'.

User-added image

 

Steps To Reproduce

  1. Remove the DigiCert Root CA certificate from Third-Party Root Certification Authorities and Trusted Root Certification Authorities certificate stores on the system.
  2. Block access to 'DigiCert.com' domain (disallow it).
  3. Attempt to download the package through the Software Vulnerability Manager. 

Resolution

There are a few ways to resolve this issue.
In this section we list the fastest of them all, find the other ways under the 'Workaround' section below.
Depending on your organization policies and security policies, choose the one that fits best for you:

Method 1: Import the certificates directly from the browser to the local certificates stores manually

  • Open IE as Administrator
  • Enter https://dl.csi7.secunia.com in the address bar
  • Click on the 'icon lock' on the right-hand side of the address bar
  • Click on 'View Certificate'
  • Click on 'Install Certificate' when the certificate window appears
    • Install the certificate under the 'Local Machine' account and leave the wizard to place it Automatically.
  • When finished with installing the first certificate, go back to the certificate window.
  • Click 'Certification Path'
  • Click on the middle-level certificate (DigiCert SHA2 Secure Server CA)
  • Install this intermediate certificate just like you did for the first one.
  • When finished installing the second certificate, you will have to download the third certificate - the DigiCert Root Level CA.
    • If you encounter this problem, you are likely missing this certificate displayed in the certificate path
    • Find the certificate attached to this article and download it.
    • Install it as you did for the previous two.
    • When you are done and you reload the address https://dl.csi7.secunia.com, it should no longer turn red and it should now show you that all 3 levels of the certificate chain are listed nicely.
  • Publish Package without errors.

Workaround

Workarounds to solve this issue include:

Perform publishing from another machine that is less restricted:

  • Find a machine where, when entering the URL https://dl.csi7.secunia.com in the IE address bar, it displays all 3 certificate levels as Trusted (no red color in the URL)
  • Install the Patching plugin on Windows 8/10 workstation and connect to WSUS/SCCM on that machine
  • Create packages from that machine publishing them effectively to your remote server. Use this machine as 'Remote Administration Host'
    • This may or may not always work. If CRL blocking is done on the Firewall/Proxy, this workaround may fail as Proxy/Firewall blocks all machines equally and so the problem is widely distributed across the network.

White-list domain-wide CRL online locations on the Proxy/Firewall to resolve the problem for all affected domain hosts:


User-added image

Additional Information

More about DigiCert Certificate Revocation Listing and validation here

Related KB Articles

WinHttp request (12175); status = 499, "A Security error occurred"
SVMPatching Plugin Not Loading Correctly
SCCM Inventory Import and Daemon Certificate Revocation Check Failures by Proxy
SVM Cloud CRL Requirements
Change of Digital Certificates after the move to AWS

‎Nov 15, 2018 04:58 PM - edited ‎Sep 16, 2019 04:25 PM

DigiCert Root CA.zip
Was this article helpful? Yes No
No ratings
0 Kudos
Version history
Last update:
‎Sep 16, 2019 04:25 PM
Updated by:
Level 7 Flexeran