0patch Agent can't connect to server due to expired Sectigo root certificate

mitja.kolsek

On May 30, 2020, several of Sectigo's root certificates expired and were not automatically updated on Windows XP and Windows Server 2003 and, as we later learned, on some more recent Windows computers. As a result, 0patch Agent's connections to our server started failing: the agent became unable to sync either automatically or manually, and it was impossible to register the agent on such computers.

This problem can be resolved by installing new Sectigo root certificates. Note that in order to support all 0patch functionality, these new certificates need to be installed both in your own user account (to allow for 0patch registration and agent updates), and in the computer account (to allow for downloading new patches). Follow these instructions to do both:


A) Download new Sectigo root certificates

1) You may not be able to download new Sectigo root certificates with Internet Explorer on an affected computer, so you'll need another, more recent, computer to download them. On that computer, visit https://crt.sh/?d=1199354 and https://crt.sh/?d=1720081 with a web browser to download new Sectigo root certificates and store them as files 1199354.crt and 1720081.crt, respectively, somewhere on your local disk.
2) Transfer downloaded certificate files to your affected computer via USB key, network or any other medium.

B) Install new Sectigo root certificates in the Computer Account

1) On the affected computer, launch mmc.exe as Administrator
2) In the Management Console, select "File" -> "Add/Remove Snap-in"
3) In the "Add/Remove Snap-in" window, press "Add"
4) In the "Add Standalone Snap-in" window, select "Certificates" and press "Add"
5) In the "Certificates Snap-in" window, select "Computer account" and press "Next"
6) In the "Select Computer" window, press "Finish"
7) In the "Add Standalone Snap-in" window, press "Close"
8) In the "Add/Remove Snap-in" window, press "Close"
9) In the Management Console tree, expand the "Certificates (Local Computer)" node
10) Right-click on "Trusted Root Certification Authorities" and select "All Tasks", then "Import..."
11) In the "Certificate Import Wizard" window, press "Next", then browse to the downloaded certificate file 1199354.crt, and press "Next", "Next", and "Finish" (You should see a notice that "The import was successful.")
12) Repeat the procedure with 1720081.crt
13) [Optional step] To verify a successful installation, launch 0patch Console as Administrator and press "SYNC NOW" in the "LAST SERVER SYNC" box. The sync should succeed.

C) Install new Sectigo root certificates in your own Windows account

1) On the affected computer, log in as the user using 0patch Console (usually the Administrator)
2) Double-click file 1199354.crt.
3) In the "Certificate" window, press "Install Certificate..."
4) In the "Certificate Import Wizard" window, press "Next", "Next", and "Finish"
5) In the "Security Warning" window, press "Yes" (You should see a notice that "The import was successful.")
6) Repeat the procedure with 1720081.crt
7) [Optional step] To verify a successful installation, launch Internet Explorer as the user using 0patch Console, and visit https://dist.0patch.com. The page should load without any certificate-related warnings.
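
Sections B and C can also be scripted. The following PowerShell script is an added example, not part of 0patch's own instructions: it checks each downloaded file before trusting it as a root, then imports it into both the computer and the user root stores. It assumes PowerShell 2.0 or later is installed on the affected computer, that it is run elevated by the user who uses 0patch Console, and that both files from section A are in the current folder.

```powershell
# Added example, not from 0patch. Run from an elevated PowerShell prompt in the
# folder holding the two files named in section A.
$ErrorActionPreference = 'Stop'
$files = '1199354.crt', '1720081.crt'
# The two store locations correspond to section B (computer account)
# and section C (your own user account).
$locations = 'LocalMachine', 'CurrentUser'

foreach ($file in $files) {
    # Resolve to a full path: .NET does not follow PowerShell's current location.
    $path = (Resolve-Path $file).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

    # Sanity checks before trusting the file as a root: a root certificate is
    # self-signed (subject equals issuer) and must be inside its validity period.
    if ($cert.Subject -ne $cert.Issuer) { throw "$file is not self-signed: $($cert.Subject)" }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "$file is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Show what is about to be trusted, so the thumbprint can be compared with
    # a value obtained from a source you trust.
    Write-Host $file
    Write-Host "  Subject   : $($cert.Subject)"
    Write-Host "  Expires   : $($cert.NotAfter)"
    Write-Host "  Thumbprint: $($cert.Thumbprint) (SHA-1)"

    foreach ($location in $locations) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $location
        $store.Open('ReadWrite')
        try {
            # Adding to the CurrentUser root store can raise the same
            # "Security Warning" confirmation as step C5.
            $store.Add($cert)
            $found = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
            if (-not $found) { throw "$file was not found in $location\Root after import" }
            Write-Host "  Installed in $location\Root"
        }
        finally { $store.Close() }
    }
}
```

The optional verification steps B13 and C7 still apply after the script finishes.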
