winget-cli: InternetOpenUrl() failed - 0x80072f05 : unknown error

Brief description of your issue

Looks like https://cdn.winget.microsoft.com/cache/source.msix does not come with a valid SSL certificate:

Steps to reproduce

winget upgrade --all --verbose

Expected behavior

it should just work

Actual behavior

see screenshot.

Environment

Windows Package Manager v1.4.10173
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19045.2486
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.19.10173.0

Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir

User Settings: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 30
  • Comments: 25 (8 by maintainers)

Most upvoted comments

Hey all. We’re working on getting the certificate renewed.

You can add a source like https://winget.azureedge.net/cache using the command below.

sudo winget source add -n winget https://winget.azureedge.net/cache

https://learn.microsoft.com/en-us/windows/package-manager/winget/source

Looks like the certificate for https://cdn.winget.microsoft.com/cache expired about 1.5 hours ago.

Root Cause

While our certificate was being properly auto renewed, the new certificate was not being loaded into the CDN endpoints. After discussing with our Azure infrastructure team, we were informed that autorotation is not supported with our specific configuration. Additionally, it does not appear that any monitoring was in place to check the certificate that was actually in use on the endpoint for validity.

Our planned path forward

In consultation with the Azure Front Door team – we have determined that the Azure Front Door CDN does support certificate autorotation. We will begin working on changes to our Azure Front Door CDN so that autorotation is supported. We will also add monitoring to verify that the certificates have been configured on the CDN endpoints.
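An added example (not the winget team's code) of the monitoring described above: it judges the certificate the endpoint actually serves, both for remaining lifetime and against the fingerprint of the most recently issued certificate, so a renewal that never reached the endpoint is flagged before the old certificate expires. The 21-day warning window, the function names and the sample bytes and dates are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

def fingerprint(der):
    """SHA-256 fingerprint, colon-separated as quoted in the thread."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def assess(der, not_after, expected_fp, now, warn_days=21):
    """Judge the certificate the endpoint serves, not the one in the store."""
    problems = []
    left = not_after - now
    if left <= timedelta(0):
        problems.append("EXPIRED")
    elif left < timedelta(days=warn_days):
        problems.append("EXPIRING_SOON")
    # A renewal that never reached the endpoint is caught here, well
    # before the old certificate runs out.
    if fingerprint(der) != expected_fp:
        problems.append("NOT_ROTATED")
    return problems or ["OK"]

def fetch_served(host, port=443, timeout=10):
    """Return (DER bytes, notAfter) of the leaf the endpoint serves now."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            not_after = tls.getpeercert()["notAfter"]
    ts = ssl.cert_time_to_seconds(not_after)
    return der, datetime.fromtimestamp(ts, tz=timezone.utc)

def check(host, expected_fp):
    try:
        der, not_after = fetch_served(host)
    except ssl.SSLCertVerificationError as exc:
        # The handshake is rejected, which is what winget clients hit.
        return ["HANDSHAKE_REJECTED: " + exc.verify_message]
    return assess(der, not_after, expected_fp, datetime.now(timezone.utc))

if __name__ == "__main__":
    # Constructed stand-ins for two DER blobs and constructed dates.
    old, new = b"constructed-old-leaf", b"constructed-renewed-leaf"
    expiry = datetime(2023, 2, 12, tzinfo=timezone.utc)
    today = datetime(2023, 2, 1, tzinfo=timezone.utc)
    print(assess(old, expiry, fingerprint(new), today))
```

In a scheduled job, `check()` would be called with the endpoint host name and the fingerprint of the newest certificate in the secret store, alerting on anything other than `["OK"]`.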

The new certificate has been imported. We’re waiting for the provisioning to complete.

The expectation is 6 - 8 hours for full propagation.

According to the certificate transparency logs, it should have already been renewed 3 times, most recently in November 2022… but none of those renewed certificates were actually picked up by the server. If the certificate files on disk were changed, was the server process restarted to re-read the certificate files? Was it even restarted for scheduled updates?

Is it safe to do this? Will we have to go back to the old URL, cdn.winget.microsoft.com/cache?

You can always run winget source reset --force (as admin) to get back to defaults.

Since we haven’t had any new reports of certificate problems, I’m going to go ahead and close this issue now.

seems to be working now.

@denelon, what’s the action taken to ensure this does not happen again?

That error message also needs to be fixed. What a terrible terrible error message

@denelon Red alert.

‘sudo’ is not recognized as an internal or external command, operable program or batch file.

PowerShell does not need sudo if you are using an admin account. Just remove first, then re-add.

winget source remove -n winget

winget source add -n winget https://winget.azureedge.net/cache

We’re going to do a root cause on Monday. The certificate was issued in November, and it was published to the secret store, but it didn’t get configured on the endpoints. I’m not sure yet if it was code that we wrote not doing the right thing, or something else.

Seconded here:

2023-02-12 12:49:51.440 [CORE] WinGet, version [1.4.10173], activity [{302FD314-8C54-40CD-801A-0E06E020267B}]
2023-02-12 12:49:51.440 [CORE] OS: Windows.Desktop v10.0.22621.1105
2023-02-12 12:49:51.440 [CORE] Command line Args: "C:\Users\Amber\AppData\Local\Microsoft\WindowsApps\winget.exe" update --verbose-logs
2023-02-12 12:49:51.440 [CORE] Package: Microsoft.DesktopAppInstaller v1.19.10173.0
2023-02-12 12:49:51.440 [CORE] IsCOMCall:0; Caller: winget-cli
2023-02-12 12:49:51.443 [CLI ] WinGet invoked with arguments: 'update' '--verbose-logs'
2023-02-12 12:49:51.443 [CLI ] Found subcommand: update
2023-02-12 12:49:51.443 [CLI ] Leaf command to execute: root:upgrade
2023-02-12 12:49:51.445 [CORE] Setting action: Get, Type: Secure, Name: admin_settings
2023-02-12 12:49:51.445 [CORE] Admin settings was not found
2023-02-12 12:49:51.446 [CORE] Setting action: Get, Type: Secure, Name: admin_settings
2023-02-12 12:49:51.446 [CORE] Admin settings was not found
2023-02-12 12:49:51.446 [CORE] Setting action: Get, Type: Secure, Name: admin_settings
2023-02-12 12:49:51.446 [CORE] Admin settings was not found
2023-02-12 12:49:51.446 [CLI ] Executing command: upgrade
2023-02-12 12:49:51.446 [REPO] Additional sources GP is not enabled.
2023-02-12 12:49:51.446 [CORE] Setting action: Get, Type: Secure, Name: user_sources
2023-02-12 12:49:51.446 [CORE] Setting action: Get, Type: Secure, Name: admin_settings
2023-02-12 12:49:51.446 [CORE] Admin settings was not found
2023-02-12 12:49:51.446 [CORE] Adding chain to pinning configuration [Microsoft Store Source]:
DigiCert Global Root G2 : PublicKey
  Microsoft Azure TLS Issuing CA 01 : Subject | Issuer
    sfdataservice.microsoft.com : Subject | Issuer
2023-02-12 12:49:51.454 [CORE] Setting action: Get, Type: Standard, Name: sources_metadata
2023-02-12 12:49:51.454 [YAML] Detected UTF-8
2023-02-12 12:49:51.454 [REPO] GetCurrentSourceRefs: Source named 'microsoft.builtin.desktop.frameworks' from origin Default is hidden and is dropped.
2023-02-12 12:49:51.454 [REPO] Default source requested, multiple sources available, adding all to source references.
2023-02-12 12:49:51.454 [REPO] Adding to source references msstore
2023-02-12 12:49:51.454 [REPO] Adding to source references winget
2023-02-12 12:49:51.454 [REPO] Source past auto update time [5 mins]; it has been at least 27936109 mins
2023-02-12 12:49:51.539 [FAIL] WindowsPackageManager.dll!00007FF8F23FCA12: ReturnHr(1) tid(56d0) 80072F05     Msg:[winrt::hresult_error: The date in the certificate is invalid or has expired] 

2023-02-12 12:49:51.539 [FAIL] WindowsPackageManager.dll!00007FF8F2284431: LogHr(2) tid(56d0) 80072F05 
2023-02-12 12:49:51.539 [FAIL] D:\a\_work\1\s\external\pkg\src\AppInstallerRepositoryCore\RepositorySource.cpp(53)\WindowsPackageManager.dll!00007FF8F2407F41: (caller: 00007FF8F22D0DBE) LogHr(3) tid(56d0) 80072F05     Msg:[winrt::hresult_error: The date in the certificate is invalid or has expired] 

2023-02-12 12:49:51.539 [REPO] Source add/update failed, waiting a bit and retrying: winget
2023-02-12 12:49:53.599 [FAIL] WindowsPackageManager.dll!00007FF8F23FCA12: ReturnHr(2) tid(56d0) 80072F05     Msg:[winrt::hresult_error: The date in the certificate is invalid or has expired] 

2023-02-12 12:49:53.599 [FAIL] WindowsPackageManager.dll!00007FF8F2284431: LogHr(5) tid(56d0) 80072F05 
2023-02-12 12:49:53.599 [FAIL] D:\a\_work\1\s\external\pkg\src\AppInstallerRepositoryCore\RepositorySource.cpp(540)\WindowsPackageManager.dll!00007FF8F2407523: (caller: 00007FF8F21C8E1D) LogHr(6) tid(56d0) 80072F05     Msg:[winrt::hresult_error: The date in the certificate is invalid or has expired] 

2023-02-12 12:49:53.600 [REPO] Failed to update source: winget
2023-02-12 12:49:53.600 [REPO] Multiple sources available, creating aggregated source.

The served certificate is here, fingerprint F0:AA:13:A5:24:3B:AC:A6:00:3E:75:FA:59:5E:2F:20:36:54:BC:B6:09:BD:B2:71:CC:ED:98:60:93:FB:D7:95:

cdn-winget-microsoft-com.pem.txt
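An added example (not part of the original thread or of winget) that triages a winget diagnostic log like the one above: it decodes each logged HRESULT and reports, per source that failed to update, which WinINet certificate error caused it, which is how `0x80072f05` resolves to an expired certificate rather than an "unknown error". The sample lines are copied from the log above; the function names and the short error table are choices made for this illustration.

```python
import re

FACILITY_WIN32 = 7
# WinINet certificate errors from wininet.h; 12037 is the one in this thread.
WININET_CERT_ERRORS = {
    12037: "ERROR_INTERNET_SEC_CERT_DATE_INVALID",
    12038: "ERROR_INTERNET_SEC_CERT_CN_INVALID",
    12045: "ERROR_INTERNET_INVALID_CA",
}
FAIL = re.compile(r"\[FAIL\].*?\b(?:ReturnHr|LogHr)\(\d+\) tid\(\w+\) ([0-9A-Fa-f]{8})\b")
SOURCE = re.compile(r"\[REPO\] Failed to update source: (\S+)")

def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code).

    Bit 31 is the severity, bits 16-26 the facility, bits 0-15 the code.
    """
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(lines):
    """Map each source that failed to update to the cert errors logged before it."""
    pending, report = set(), {}
    for line in lines:
        m = FAIL.search(line)
        if m:
            failed, facility, code = decode_hresult(int(m.group(1), 16))
            if failed and facility == FACILITY_WIN32 and code in WININET_CERT_ERRORS:
                pending.add(WININET_CERT_ERRORS[code])
            continue
        m = SOURCE.search(line)
        if m:
            report[m.group(1)] = sorted(pending)
            pending = set()
    return report

# Lines copied from the log quoted in the thread.
SAMPLE = [
    r"2023-02-12 12:49:53.599 [FAIL] WindowsPackageManager.dll!00007FF8F23FCA12: ReturnHr(2) tid(56d0) 80072F05     Msg:[winrt::hresult_error: The date in the certificate is invalid or has expired] ",
    r"2023-02-12 12:49:53.599 [FAIL] WindowsPackageManager.dll!00007FF8F2284431: LogHr(5) tid(56d0) 80072F05 ",
    r"2023-02-12 12:49:53.600 [REPO] Failed to update source: winget",
]

if __name__ == "__main__":
    print(decode_hresult(0x80072F05))
    print(triage(SAMPLE))
```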