• Welcome to Support Forum: Get Support for Patch My PC Products and Services.
 

Failed to sign package; error was: 2147954402 OR 2147954429 OR 2147954407

Started by Kirankr31, February 04, 2019, 02:04:08 AM

Previous topic - Next topic

Kirankr31

An error occured while publishing an update to WSUS, Failed to sign package, error was 2147954402

Justin Chalfant (Patch My PC)

#1
Hey!

We've seen this a few times.

UPDATE: Please use the following KB for the most up to date information about this error: https://patchmypc.com/update-publishing-fails-when-proxy-is-in-use-and-timestamping-is-enabled


2147954402 = The operation timed out

This happens when you are using a proxy in the environment. You will one of the following error(s) in the PatchMyPC.log with 2147954402 being the most common.



Most common one = "An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2147954402"
Another possible error = "An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2147954429"
Another possible error = "An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2147954407"
Another possible error = "An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2148086027"
Another possible error = An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2149122451
Another possible error = An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2149122455
Another possible error = An error occurred while publishing an update to WSUS: Failed to sign package; error was: 2149122449

The reason this happens is that although the publishing service and the SUP/WSUS is most likely configured to use a proxy. The WSUS API we call uses the Windows Crypto API for the timestamping operation to http://timestamp.digicert.com. The Windows Crypto API uses the default proxy configured at the SYSTEM level not what is defined in our publishing service or WSUS. We have confirmed with the SCCM product group this seems to be a known scenario where the WSUS API uses the default HTTP proxy setting in the SYSTEM level context, not the proxy configured in WSUS. Since the SYSTEM proxy is usually not set, this is why the HTTP call to http://timestamp.digicert.com will return the error(s) listed above.

Setting the SYSTEM Proxy:

To set the SYSTEM level proxy, we've found it's usually easiest to set it using Internet Explorer and PSEXEC.exe.


  • Download PSEXEC.exe from https://live.sysinternals.com/
  • Open command prompt as Administrator
  • Launch Internet Explorer as SYSTEM using command line: psexec.exe -s -i "C:\Program Files\internet explorer\iexplore.exe"
  • In Internet Explorer > Settings > Connections > LAN Settings > Enable "Use a proxy server for your LAN and configure the IP Address and Port and click OK and close IE
  • If psexec.exe is blocked in your environment, you can create a one time scheduled task that must run under SYSTEM/COMPUTER account context and set the SYSTEM level proxy using netsh. You can run the following command line: cmd.exe /c netsh winhttp set proxy http://myproxyserver.com:8080 (where the server name and port are set for your environment)
  • Run the publishing service sync again and see if the publishing process works.
  • If you still have issues publishing updates, please send us a support request via email https://patchmypc.com/technical-support or post a topic to our forum https://patchmypc.com/forum/index.php?board=23.0

Additional Details:

2147954402 = The operation timed out
2147954429 = A connection with the server could not be established
2147954407 = The server name or address could not be resolved
2148086027 = ASN1 bad tag value met.
2149122451 = Forbidden (403).
2149122455 = Proxy authentication required (407).
2149122449 = Unauthorized (401).