WSUS clients failing to check for updates error 80072F8F

Tags: windows-update, wsus

I was trying to work through the Microsoft guide to enable SSL on our WSUS server and ran into a few problems. It looks like I was able to set the WSUS server to run with SSL, as the connection type on the WSUS console shows "Local/SSL".

My problem is that when I try clicking the "check for updates" box on a test laptop, it automatically errors out with the 80072F8F error. I've done a lot of research and everything seems to point to an error in my certificate. I don't have in-depth knowledge of certs, so below is what I've done so far:

1) On the WSUS server, opened up IIS and created a domain certificate, but the "Select" box was grayed out when trying to specify the CA. I ended up manually entering CAname\servername.

2) Set the binding in IIS to use the newly generated certificate on port 8531.

3) "Required" SSL on all the virtual directories per the documentation.

4) Ran wsusutil.exe configuressl (confirmed https is bound to fqdn:8531).

5) Configured the WSUS GPO to point to https://fqdn_of_wsus_server:8531.

After I did all that, I rebooted the WSUS server, opened up the WSUS console and got a connection error. I opened up an MMC console and added the Certificates snap-in. For some reason my CA's root CA cert and the domain cert I created earlier in IIS were in the Intermediate CA store. I found that when I moved my CA's root CA cert to my Trusted Root CA store, the WSUS console loaded up.

Back on my test laptop, I ran a gpupdate /force and rebooted the machine. When I trigger a check-in via wuauclt.exe /detectnow or through the Windows Update UI, I get an error. I checked the WindowsUpdate.log on the client machine and it basically says it wasn't able to reach https://fqdn_of_wsus_server:8531/selfupdate/wuident.cab, but manually navigating to that URL succeeds on the client machine and I'm able to download that cab file.

I tried putting my root CA's cert in the client machine's Trusted Root CA store while keeping the domain cert I generated earlier in IIS in the Intermediate CA store, but this didn't work. I'm pretty sure I've got the SSL stuff all confused. Any pointers would be appreciated, as I've gone through a lot of guides online and they all say similar things, but I think it's a misunderstanding on my part, so it would help if anyone could dumb it down a bit for a beginner.
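The question's symptoms (the root CA in the wrong store, the client browser reaching the URL while the Windows Update agent does not) come down to whether the client's machine-level certificate stores can build a trusted chain to the certificate the WSUS server presents for the FQDN named in the GPO. The following PowerShell audit is an added example, not part of the original post: run on the failing client, it reads the WUServer URL the policy delivered (assumed to be the https://fqdn_of_wsus_server:8531 value from step 5; pass -Url to override), fetches the server's certificate, builds the chain the way Windows would, and reports where the chain's root actually lives (Trusted Root vs. Intermediate CAs) and whether the FQDN appears among the certificate's DNS names. Function and property names are this example's own.

```powershell
# Added example, not from the original post. Assumes the GPO-delivered WUServer
# value is the URL to test; pass -Url to override. Run on the client that fails.

function Get-WsusUrlFromPolicy {
    # WUServer is written by the "Specify intranet Microsoft update service location" policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WUServer
}

function Get-RemoteCertificate {
    param([string]$ServerName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        # Accept anything during the handshake: the goal is only to capture the
        # certificate the server sends. Trust is evaluated separately below,
        # against this machine's own stores, which is what the update agent uses.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($ServerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-WsusTlsTrust {
    param([string]$Url = (Get-WsusUrlFromPolicy))
    if (-not $Url) { throw 'No WUServer policy value found on this client; pass -Url.' }
    $uri  = [Uri]$Url
    $cert = Get-RemoteCertificate -ServerName $uri.Host -Port $uri.Port

    # Build the chain as the local machine would. Revocation checking is off so
    # an offline lab does not hide a trust problem behind a revocation one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Where does the top of the chain live on this client? A root sitting only in
    # Intermediate Certification Authorities (the question's situation) is not trusted.
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    $inCA   = Test-Path "Cert:\LocalMachine\CA\$($root.Thumbprint)"

    # Name match: the FQDN from the GPO must be one of the certificate's DNS names.
    $dnsNames = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions['2.5.29.17']            # Subject Alternative Name
    if ($san) {
        $dnsNames += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    [pscustomobject]@{
        Url                = $Url
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        DnsNamesOnCert     = ($dnsNames | Select-Object -Unique) -join ', '
        HostNameMatches    = ($dnsNames -contains $uri.Host)   # case-insensitive
        ChainBuilds        = $trusted
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootSubject        = $root.Subject
        RootInTrustedRoot  = $inRoot
        RootInIntermediate = $inCA
    }
}

Test-WsusTlsTrust | Format-List
```

The two rows to read first are ChainBuilds and ChainStatus: a value such as UntrustedRoot or PartialChain together with RootInTrustedRoot = False points at the store placement rather than at IIS or WSUS itself, while HostNameMatches = False means the GPO names the server differently from the certificate and the agent will reject the connection even with a trusted root.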

Best Answer

You didn't mention which server version you are using, but I assume you use 2012 R2.

There has been a recent update (KB3159706) which changes how the WSUS SSL connections are made, and you need to manually edit some things to get it to work.

  • You need to install the HTTP-Activation server role (.NET 4.5 -> WCF ->).
  • You need to edit the file C:\Program Files\Update Services\WebServices\ClientWebService\Web.config (you need to take ownership of the file to edit it).
  • The bindingConfiguration needs to be edited 2 times in the <endpoint address=""> section, as follows: bindingConfiguration="SSL". Then add multipleSiteBindingsEnabled="true" to the line below, as shown:

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">

  • Restart the server.

All this is necessary for everybody who wants to use SSL with WSUS on Server 2012 with the mentioned KB installed. I invested 3 days of research to find this... Good to know, Microsoft!
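The answer's steps are easy to get half-done (one of the two endpoints edited, or the attribute added to the wrong element), so a repeatable check is worth having. The following PowerShell is an added example, not the answer author's script or a Microsoft tool: it audits the ClientWebService Web.config for the two changes described (every <endpoint> using bindingConfiguration="SSL", multipleSiteBindingsEnabled="true" on <serviceHostingEnvironment>), confirms that a binding named SSL is actually defined in the file, checks the HTTP Activation feature, and applies the XML edits only when -Apply is given, after copying a backup. Assumptions: the file path is the one the answer gives; NET-WCF-HTTP-Activation45 is the Server Manager feature name for ".NET Framework 4.5 Features > WCF Services > HTTP Activation"; taking ownership of the file, which the answer mentions, is done beforehand by the admin; the server still needs the restart from the last step afterwards.

```powershell
# Added example, not from the answer's author. Audits (and with -Apply, edits)
# the post-KB3159706 settings the answer describes. Assumes the path below and
# that ownership of Web.config has already been taken as the answer says.

$WebConfig = 'C:\Program Files\Update Services\WebServices\ClientWebService\Web.config'

function Test-WsusHttpActivation {
    # Feature name assumed to be the Server Manager name for WCF HTTP Activation (.NET 4.5).
    $f = Get-WindowsFeature -Name NET-WCF-HTTP-Activation45 -ErrorAction SilentlyContinue
    [bool]($f -and $f.Installed)
}

function Get-WsusClientWebServiceConfig {
    param([string]$Path = $WebConfig, [switch]$Apply)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $sm = $cfg.SelectSingleNode('/configuration/system.serviceModel')
    if (-not $sm) { throw "No <system.serviceModel> section in $Path" }

    $endpoints  = $sm.SelectNodes('services/service/endpoint')
    $hosting    = $sm.SelectSingleNode('serviceHostingEnvironment')
    $sslBinding = $sm.SelectSingleNode("bindings/*/binding[@name='SSL']")

    $changed = $false
    # Step "edited 2 times": every endpoint must point at the SSL binding configuration.
    foreach ($ep in $endpoints) {
        if ($ep.GetAttribute('bindingConfiguration') -ne 'SSL' -and $Apply) {
            $ep.SetAttribute('bindingConfiguration', 'SSL'); $changed = $true
        }
    }
    # Step "the line below": multipleSiteBindingsEnabled on serviceHostingEnvironment.
    if ($hosting -and $hosting.GetAttribute('multipleSiteBindingsEnabled') -ne 'true' -and $Apply) {
        $hosting.SetAttribute('multipleSiteBindingsEnabled', 'true'); $changed = $true
    }
    if ($Apply -and $changed) {
        Copy-Item -Path $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        $cfg.Save($Path)
    }

    # Report reflects the DOM after any edits, so a second run with no -Apply should match.
    [pscustomobject]@{
        EndpointsTotal           = $endpoints.Count
        EndpointsUsingSslBinding = @($endpoints | Where-Object { $_.GetAttribute('bindingConfiguration') -eq 'SSL' }).Count
        SslBindingDefined        = [bool]$sslBinding
        MultipleSiteBindings     = [bool]($hosting -and $hosting.GetAttribute('multipleSiteBindingsEnabled') -eq 'true')
        HttpActivationInstalled  = Test-WsusHttpActivation
        ServiceHostingPresent    = [bool]$hosting
        Changed                  = $changed
    }
}

Get-WsusClientWebServiceConfig | Format-List
```

Run it once without -Apply from an elevated prompt to see the current state; the configuration matches the answer when EndpointsUsingSslBinding equals EndpointsTotal, SslBindingDefined and MultipleSiteBindings are True, and HttpActivationInstalled is True. If SslBindingDefined is False, the file has no binding named SSL to point the endpoints at, which is a different problem from the one the answer fixes and is worth investigating before editing anything.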