Options
WSUS 3.0 SSL help!
![subl1m1nal](https://us.v-cdn.net/6030959/uploads/userpics/navatar225202_4.gif)
in Off-Topic
Hello all!
I'm having an issue setting up SSL on WSUS 3.0. I get the required virtual directories set for SSL.
However, I get an error message when running wsusutil.exe configuressl myserver.mydomain.local. The error states "Fatal Error: Object reference not set to an instance of an object."
Any ideas? I should mention I didn't use a SQL instance. I just used the built in database. Is this a problem?
I did some google searching, but am not finding much. I'm hoping the smart people of TechExams can point me in the right direction.
Thanks to anybody who can help,
Subl1m1nal
I'm having an issue setting up SSL on WSUS 3.0. I get the required virtual directories set for SSL.
However, I get an error message when running wsusutil.exe configuressl myserver.mydomain.local. The error states "Fatal Error: Object reference not set to an instance of an object."
Any ideas? I should mention I didn't use a SQL instance. I just used the built in database. Is this a problem?
I did some google searching, but am not finding much. I'm hoping the smart people of TechExams can point me in the right direction.
Thanks to anybody who can help,
Subl1m1nal
Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan
Comments
-
Options
earweed Member Posts: 5,192 ■■■■■■■■■□
I found a couple things. Hope it helps. WSUS uses windows internal database which is actually SQL 2005 embedded and the first article talks about it. The second article just talks about using management studio to manage the database.
sql solace: Management Studio Error : "Object reference not set to an instance of an object. (SQLEditors)"
Administering your Windows Internal Database (MICROSOFT##SSEE) instanceNo longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives. -
Options
anujsharma85 Registered Users Posts: 3 ■□□□□□□□□□
Hey thanks for the link i am also facing the same problem
Anuj
MCSE,CCNAE,NETWORK+
Web:-http://www.systechblog.com -
Options
subl1m1nal Member Posts: 176
Anybody have any more ideas? I'm trying to install SQL 2005 SP3 to see if that fixes it per earweeds first article. Also checking out the managment studio. Will keep this posted as google has let me down.Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan -
Options
subl1m1nal Member Posts: 176
No go on SQL 2005 SP3. This is frustrating. I'd like to use SSL if at all possible. If not, I'll just leave it unencrypted. I can't believe nobody has ran into this before.Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan -
Options
Pash Member Posts: 1,600 ■■■■■□□□□□
Which version of IIS are you using?
Explain your steps prior to running configuressl as well please.
Cheers,
PashDevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me. -
Options
Claymoore Member Posts: 1,637
Try running the command from the WSUS server without the server name in the command line.
%installdir%\wsusutil configuressl -
Options
subl1m1nal Member Posts: 176
Thanks for helping out Pash! Using IIS 6 on Server 2003 SP2
Following the instructions from TechNet
To configure SSL on the WSUS server by using IIS 6.0
On the WSUS server, open Internet Information Services (IIS) Manager.
Expand Web Sites, and then expand the Web site for the WSUS server. It is recommended that the WSUS Administration custom Web site be used, but the default Web site might have been chosen when WSUS was being installed.
Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site:
Right-click the Web site or virtual directory, and then click Properties.
Click the Directory Security tab, and then click Edit in the Secure Communications section.
Select Require secure channel (SSL), and then click OK.
Click OK to close the properties for the virtual root.
Close Internet Information Services (IIS).
Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet fully qualified domain name (FQDN) of the software update point site system)>.Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan -
Options
Claymoore Member Posts: 1,637
Those are the instructions for integrating WSUS with SCCM in native mode. Are you setting up a SUP in SCCM or are you configuring a standard WSUS implementation? -
Options
subl1m1nal Member Posts: 176
Just standard WSUS.Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan -
Options
subl1m1nal Member Posts: 176
No FQDN in the command is the same result. However, if I uncheck the "Require SSL" box in IIS from the directories, the command returns http://servername:80.Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan -
Options
Claymoore Member Posts: 1,637
Start with these two links:
Secure WSUS 3.0 SP2 Deployment
Managing WSUS 3.0 SP2 from the Command Line
Does the server certificate you installed use the FQDN or just the single NetBIOS name? -
Options
subl1m1nal Member Posts: 176
Thanks for the help guys. I knew I could count on the guys (and gals) of TE to point me in the right direction!
Yeah, I knew it was going to be something stupid on my part. The problem is I needed a certificate assigned to my default website in IIS.
Followed the instructions here to create a self signed certificate and the command started working.
Hopefully google will index this thread so it will be useful to somebody else out there.Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan -
Options
Claymoore Member Posts: 1,637
Your clients won't trust that self-signed certificate and will be unable to connect to the server to download metadata. You will need to either:- Import and install that certificate to the computer store on every PC
- Add the WSUS server as a trusted root through group policy so that clients will trust certificates signed by the server
- Use a differenet certificate from a provider that clients already trust, such as something from your enterprise PKI or an external provider like GoDaddy.
-
Options
subl1m1nal Member Posts: 176
Your clients won't trust that self-signed certificate and will be unable to connect to the server to download metadata. You will need to either:- Import and install that certificate to the computer store on every PC
- Add the WSUS server as a trusted root through group policy so that clients will trust certificates signed by the server
- Use a differenet certificate from a provider that clients already trust, such as something from your enterprise PKI or an external provider like GoDaddy.
Good point. I was going to either push it out through GP or install the cert manually (only about 40 PCs). You're absolutely correct about the encryption of only the metadata. I may switch it back to standard http. It was good practice with IIS for 70-643 though.Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan