B&R Upgrades SSL/TLS failed

Hello Community,

Im not able to perform any upgrade installation anymore. It fails every time with the same message:

Im using AS 6.5.2.12 SP.

I have tried already to restart the service with elevated log on (Local system).

BR and thanks Kenan

Hello,

This is a known issue with the Upgrade Service. Today we got a new Service Pack SP3.
Can you please install this upgrade and test again. I think there should be a fix in it.

V6.5 AS Upgrade (6.5.3.11_SP) | B&R Industrial Automation

Another section is here…
How-to guide - Tools => Upgrades Troubleshooting - Share Info & Ideas / How-To & Wikis - B&R Community

You can also Consult your IT if they have blocked some access.

Greetings
Michael

Just tested it, same issue:

According to our companies IT all domains that the upgrade service is trying to reach are unlocked.

Maybe there is more, could you provide a list of domains or something similar?

Do you have anything else i could try?

Hi Kenan, I was seeing some issues with the B&R Upgrades service after installing AS 6.5.3, but after restarting Automation Studio, it now appears to be working fine.

Can you please try closing AS and reopening it with right-click > Run as Administrator? Additionally, can you please try restarting your PC and try it again?

Hello,

As far as i know this is the URL the Upgrade Service is connecting to.
wbxapi.br-automation.com
You might check if IT has added it to thair whitelist.

A normal responce to this URL in Browser is HTTP Error 403. If you get anything else there is an issue.

Greetings
Michael

Sadly it doesnt work for me…

Ill have to double check with our IT.

Thanks guys.

I just installed AS6.5.3.11 this morning and I’ve got the same issue as @Kenan_Dautovic.

I restated the PC and started AS as admin. Nothing helped.

When trying to connect to wbxapi.br-automation.com I get HTTP Error 403 in my browser. So that should also not be the problem.

If you find something else or have some more suggestions please let me know

Hi all, I have confirmed internally that this issue is actively being troubleshooted by L2 Support / R&D. I will follow up as soon as I have received more information, hopefully including a resolution.

Hi all, following up here, I have received some more information on this issue. In AS 6.5.3, certain measures were implemented to satisfy a CRA policy which have mistakenly caused the online verification of AS to be blocked during SSL-inspection when installing an Upgrade. This will be fixed in a new version of AS 6.5.3 that will replace the currently available one on the website.

Fully excited about the new release from today (6.7.0.187) I have tried the upgrade feature again.

Unfortunatly the issue is still present.

BR Kenan

Hello Rafael,

do you have any information about when such an update will be available. AS6.7 sadly doesnt hold a fix for this..

BR Kenan

Hi Kenan,

Apologies for the delayed response. If you are still experiencing the issue after upgrading to AS 6.5.3 / AS 6.7, then you are likely encountering a known effect of the same cybersecurity changes that were made in AS 6.5, however not related to the “issue” that was resolved in a later release of 6.5.3 and 6.7.

The cybersecurity change that was made in AS 6.5 (as part of ongoing CRA activities and remediation of CRA vulnerabilities) was an implementation of TLS CRL (Certificate Revocation List) checking. This check ensures that certificates can be verified as not revoked before establishing a secure TLS connection. For this purpose, the CRL URIs included in the certificate are evaluated.

However, we identified an issue in environments where customers use firewalls with SSL/TLS interception. In such setups, the firewall replaces the original server certificate with its own certificate and forwards it to the client.

Some firewalls performed this interception, but removed the CRL URIs from the substituted certificate. As a result, the client (AS Upgrade) was no longer able to verify the revocation status of the certificate.

Since a certificate without CRL information cannot be validated properly, the TLS connection could not be established.

Resolution: Therefore, if you are using SSL/TLS interception, should ensure that Certificate Revocation List (CRL) information is preserved or properly handled for the following domains:

For your information, the Help was extended from AS 6.7 onward, the information on this topic can be found in the Online Help at this link: B&R Online Help

Please let me know if you have any questions on this.

Alright, thank you for your help. I will recheck with our IT and come back here if this helped.

BR Kenan