Re: [WiX-users] Certificate install to local machine fails with code 26352
Your CustomAction is not deferred and will fail if the installation is not elevated. Have you tried running it deferred? Maybe that is the problem we're having... the deferred CustomAction server isn't impersonating for us appropriately.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 25, 2008 04:38
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Very strange - I thought that would fix the problem. I created a custom action to install my certificate, and that was the only really major change that I made. Here's the source for my CA:

    UINT __stdcall InstallCertificate(MSIHANDLE hInstall)
    {
        //install a cert into the local machine store
        UINT result = ERROR_SUCCESS;
        WCHAR certPath[MAX_PATH] = { 0 };
        DWORD dwSize = MAX_PATH;
        UINT rc = MsiGetProperty(hInstall, TEXT("CERTPATH"), certPath, &dwSize);
        if (rc != ERROR_SUCCESS)
            return rc;

        //read the certificate file (binary mode, so DER data is not altered)
        FILE* f = _wfopen(certPath, L"rb");
        if (f == NULL)
            return ERROR_PATH_NOT_FOUND;
        DWORD dwCertSize = 8192; //wix used a 64Mb buffer
        BYTE* certBuffer = new BYTE[dwCertSize];
        memset(certBuffer, 0, dwCertSize);
        size_t cbRead = fread(certBuffer, sizeof(BYTE), dwCertSize, f);
        fclose(f);

        CERT_BLOB blob = { 0 };
        blob.cbData = (DWORD)cbRead; //only the bytes actually read
        blob.pbData = certBuffer;

        //open the root CA store
        HCERTSTORE hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"Root");
        if (hCertStore == NULL)
        {
            result = GetLastError();
            delete[] certBuffer;
            return result;
        }

        PCCERT_CONTEXT pNewContext = NULL;
        DWORD dwEncodingType;
        DWORD dwContentType;
        DWORD dwFormatType;
        CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &blob, CERT_QUERY_CONTENT_FLAG_ALL, CERT_QUERY_FORMAT_FLAG_ALL, 0, &dwEncodingType, &dwContentType, &dwFormatType, NULL, NULL, (LPCVOID*)&pNewContext);
        if (pNewContext)
        {
            //install the certificate
            //strange - replace existing fails, but use existing works. Replace does a delete though, so perhaps that's why?
            if (!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_USE_EXISTING, NULL))
            //if(!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
            {
                result = GetLastError();
            }
            CertFreeCertificateContext(pNewContext);
        }

        //close the store and release the buffer on every path
        CertCloseStore(hCertStore, 0);
        delete[] certBuffer;
        return result;
    }

And then I just run it in my installer like this:

    CERTPATH AND NOT REMOVE

So far, everything seems to work, so all I really have to do is tighten up a couple of things in the CA source. Any idea why my code works, but the code in iisextension doesn't? If I change the line that installs the cert to the one that's commented out, it gives me the same error as the one I logged.

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2008 2:29 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

As noted in my bug comment, the other code is commented out. I changed the only location that was actually being executed. Ultimately, I don't think this change did anything.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2008 12:43
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I just checked the latest weekly, and it looks like the change only got made in one place. It looks like I still get the same cert install error - is there a reason that it didn't change in scacert.cpp?

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2008 2:01 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Yes, but I didn't make the 4624 build. If you look in CVS then you'll see the change.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2008 10:51
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I checked out the latest weekly build, and it looks like the problem is still there. The source for the build is also identical to what was there before - Rob, did you change anything?

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2008 1:13 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install
Re: [WiX-users] Certificate install to local machine fails with code 26352
Very strange - I thought that would fix the problem. I created a custom action to install my certificate, and that was the only really major change that I made. Here's the source for my CA:

    UINT __stdcall InstallCertificate(MSIHANDLE hInstall)
    {
        //install a cert into the local machine store
        UINT result = ERROR_SUCCESS;
        WCHAR certPath[MAX_PATH] = { 0 };
        DWORD dwSize = MAX_PATH;
        UINT rc = MsiGetProperty(hInstall, TEXT("CERTPATH"), certPath, &dwSize);
        if (rc != ERROR_SUCCESS)
            return rc;

        //read the certificate file (binary mode, so DER data is not altered)
        FILE* f = _wfopen(certPath, L"rb");
        if (f == NULL)
            return ERROR_PATH_NOT_FOUND;
        DWORD dwCertSize = 8192; //wix used a 64Mb buffer
        BYTE* certBuffer = new BYTE[dwCertSize];
        memset(certBuffer, 0, dwCertSize);
        size_t cbRead = fread(certBuffer, sizeof(BYTE), dwCertSize, f);
        fclose(f);

        CERT_BLOB blob = { 0 };
        blob.cbData = (DWORD)cbRead; //only the bytes actually read
        blob.pbData = certBuffer;

        //open the root CA store
        HCERTSTORE hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"Root");
        if (hCertStore == NULL)
        {
            result = GetLastError();
            delete[] certBuffer;
            return result;
        }

        PCCERT_CONTEXT pNewContext = NULL;
        DWORD dwEncodingType;
        DWORD dwContentType;
        DWORD dwFormatType;
        CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &blob, CERT_QUERY_CONTENT_FLAG_ALL, CERT_QUERY_FORMAT_FLAG_ALL, 0, &dwEncodingType, &dwContentType, &dwFormatType, NULL, NULL, (LPCVOID*)&pNewContext);
        if (pNewContext)
        {
            //install the certificate
            //strange - replace existing fails, but use existing works. Replace does a delete though, so perhaps that's why?
            if (!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_USE_EXISTING, NULL))
            //if(!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
            {
                result = GetLastError();
            }
            CertFreeCertificateContext(pNewContext);
        }

        //close the store and release the buffer on every path
        CertCloseStore(hCertStore, 0);
        delete[] certBuffer;
        return result;
    }

And then I just run it in my installer like this:

    CERTPATH AND NOT REMOVE

So far, everything seems to work, so all I really have to do is tighten up a couple of things in the CA source. Any idea why my code works, but the code in iisextension doesn't? If I change the line that installs the cert to the one that's commented out, it gives me the same error as the one I logged.

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2008 2:29 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

As noted in my bug comment, the other code is commented out. I changed the only location that was actually being executed. Ultimately, I don't think this change did anything.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2008 12:43
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I just checked the latest weekly, and it looks like the change only got made in one place. It looks like I still get the same cert install error - is there a reason that it didn't change in scacert.cpp?

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2008 2:01 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Yes, but I didn't make the 4624 build. If you look in CVS then you'll see the change.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2008 10:51
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I checked out the latest weekly build, and it looks like the problem is still there. The source for the build is also identical to what was there before - Rob, did you change anything?

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2008 1:13 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Thanks, I've opened a bug (number 2184946).

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2008 12:24 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Wow, nice analysis. Is there a bug open on this issue right now? If not, can you open one and I'll try to get this change in Th
Re: [WiX-users] Certificate install to local machine fails with code 26352
That's the impression I get from the documentation as well. Looks like I'll have to have a closer look at that method. I'll let you guys know if I find anything - it seems to be a tricky bug to reproduce. Somehow you have to get the same cert in the store twice.

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I managed to get a log for the failure - here's the relevant section:

    MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
    Action 15:46:35: RollbackAddMachineCertificate.
    MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**,CustomActionData=**)
    MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
    Action 15:46:35: AddMachineCertificate.
    MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**,CustomActionData=**)
    MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
    MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
    MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
    MSI (s) (E0:64) [15:46:36:554]: Running as a service.
    MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
    AddMachineCertificate: Adding certificate: CTTCA
    AddMachineCertificate: Error 0x80070005: Failed to add certificate to the store.
    The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
    MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
    AddMachineCertificate: Error 0x80070005: Failed to install certificate.
    AddMachineCertificate: Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure happened, and the cert was already in the store twice (same serial number). I'm not sure what happened to get it there multiple times, but I can't have my installer failing like this if the cert is already there. Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I doubt overwrite will help. Can you get a log file from a failure? That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with code 26352

I've had some users complain about a problem with an installer that attempts to add a certificate to the trusted root cert store. I added a component to my setup that looks like this:

    CERTPATH

Most of the time, this works fine, and the root CA cert is put in the local machine store (so the app can form TLS connections based on the certs our CA issues). In some cases though, the installer will fail with error 26352, and I've found that removing the certificate install option lets the installer run successfully. In all the cases where this happens, I've noticed that the local machine and current user stores contain multiple certificates with the same name. I'm not sure how to replicate this (since every time I try to add a certificate twice it fails), but if nothing else, I'd like to be able to fail non-catastrophically if the certificate install fails. Is there a way to make the certificate component non-vital, so that if it fails to install to the store, the rest of the application can still be installed? I'm goin
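
Added example (not part of the original thread and not WiX code): a Python sketch that decodes the two numeric fields in the MSI log quoted above, the CustomActionSchedule ActionType and the signed error argument. The flag values are the msidbCustomActionType bits from msidefs.h; the sample lines are excerpted from the quoted log with wrapped lines rejoined, and the function names are illustrative.

```python
import re

# msidbCustomActionType* bits (msidefs.h)
BASE = {1: "dll", 2: "exe", 3: "text", 5: "jscript", 6: "vbscript", 7: "install"}
IN_SCRIPT, ROLLBACK, COMMIT = 0x400, 0x100, 0x200
NO_IMPERSONATE, HIDE_TARGET = 0x800, 0x2000
FACILITY_WIN32 = 7
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED"}  # only the code seen in this thread

# Excerpt of the log quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**,CustomActionData=**)
MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**,CustomActionData=**)
AddMachineCertificate: Error 0x80070005: Failed to add certificate to the store.
The error code is 26352. The arguments are: -2147024891, ,
"""

SCHED = re.compile(r"CustomActionSchedule\(Action=(\w+),ActionType=(\d+)")
ERROR = re.compile(r"error code is (\d+)\. The arguments are: (-?\d+)")

def decode_action_type(value):
    """Split an ActionType into base type, scheduling phase and context."""
    deferred = bool(value & IN_SCRIPT)
    if not deferred:
        phase = "immediate"  # 0x100/0x200 have other meanings when not in-script
    elif value & ROLLBACK:
        phase = "rollback"
    elif value & COMMIT:
        phase = "commit"
    else:
        phase = "deferred"
    return {"base": BASE.get(value & 0x7, "unknown"), "phase": phase,
            "no_impersonate": deferred and bool(value & NO_IMPERSONATE),
            "hide_target": bool(value & HIDE_TARGET)}

def decode_hresult(signed):
    """MSI logs the HRESULT as a signed 32-bit decimal; recover its fields."""
    hr = signed & 0xFFFFFFFF
    facility, code = (hr >> 16) & 0x1FFF, hr & 0xFFFF
    name = WIN32_NAMES.get(code, "unknown") if facility == FACILITY_WIN32 else "unknown"
    return {"hex": f"0x{hr:08X}", "facility": facility, "code": code, "name": name}

def analyze(log):
    """Return ({action: decoded type}, [(msi_error, decoded hresult), ...])."""
    actions = {m[1]: decode_action_type(int(m[2])) for m in SCHED.finditer(log)}
    errors = [(int(m[1]), decode_hresult(int(m[2]))) for m in ERROR.finditer(log)]
    return actions, errors

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the quoted log this reports AddMachineCertificate as a deferred, no-impersonate DLL action and the argument -2147024891 as 0x80070005, the same access-denied HRESULT printed in the "Failed to add certificate to the store" line.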