[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set


I’ve been building up a greenfield ConfigMgr site recently and the site is using PKI. Everything was working well but then suddenly SSL comms ground to a halt and nothing was speaking to the management point successfully.

I found the problem when I attempted to install the ConfigMgr client on a new device. The ccmsetup.log reported a sea of red around SSL.

The issue was that I had issued the IIS certificate on the Management Point server with a NetBIOS name and an FQDN in the DNS field of the Subject Alternative Name of the IIS cert.

I deleted the IIS cert and reissued the certificate with just the FQDN, and this resolved the problem.

Hope this helps if you get the same problem.
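
To see which DNS names a server certificate actually carries before reissuing it, the following PowerShell lists the Subject Alternative Name entries of the server-authentication certificates in the local computer store and flags single-label (NetBIOS-style) names. It is an added example, not part of the original post; `$MpFqdn` is a placeholder, and the `DNS Name=` label it parses assumes an English-language Windows installation.

```powershell
# Added example: run in an elevated PowerShell session on the management point.
# $MpFqdn is a placeholder; replace it with your management point's FQDN.
$MpFqdn     = 'mp01.corp.example.com'
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid     = '2.5.29.17'           # Subject Alternative Name extension

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Keep only certificates that explicitly list the Server Authentication EKU.
    # (Certificates with no EKU extension at all are skipped by this filter.)
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains $serverAuth)) { return }

    # Pull the DNS entries out of the formatted SAN extension.
    # Assumption: the formatted text uses the English label "DNS Name=".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        SanDnsNames      = $dnsNames -join ', '
        # Names without a dot are single-label (NetBIOS-style) entries.
        SingleLabelNames = ($dnsNames | Where-Object { $_ -notmatch '\.' }) -join ', '
        HasMpFqdn        = $dnsNames -contains $MpFqdn
    }
} | Format-List
```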

3 comments

  1. Hi Paul,

    I was about to post the same link as John. If you go to 14 mins, 19 secs in, Justin adds the hostname and FQDN to the cert. The same with this guide also: https://www.windows-noob.com/forums/topic/16300-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-1/

    Might still try what you did as we are getting some WinHTTP errors when installing the client on our Server 2008 SP2 Standard Servers (I know!), all other devices work, just that OS failing with:

    MP 'SCCM.FQDN' is not compatible
    Failed to get client version for sending state messages. Error 0x8004100e
    IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. Defaulting to state of 63.
    Failed in WinHttpReceiveResponse API, ErrorCode = 0x2efd
    [CCMHTTP] ERROR: URL=https://SCCM.FQDN/ccm_system/request, Port=443, Options=63, Code=12029, Text=ERROR_WINHTTP_CANNOT_CONNECT
    [CCMHTTP] ERROR INFO: StatusCode=200 StatusText=
    Failed (0x80072efd) to send location request to 'SCCM.FQDN'. StatusCode 200, StatusText ''
    Failed to send location message to 'SCCM.FQDN'. Status text ''
    GetDPLocations failed with error 0x80072efd
