I've dug a little deeper into this, written some test code to try to debug the problem, and I've found something interesting. The CertAddCertificateContextToStore function is failing with Access Denied when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which is failing the installer. This only appears to fail if there are two copies of the same certificate in the store with the same serial number, which may or may not be left there from the installer as well (that's problem #2; problem #1 is not failing the installer in the first place).

I tried manually checking the store for duplicates and deleting them before installing (with CertDeleteCertificateFromStore), but this returned Access Denied as well. When I tried changing the parameter on the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked without returning an error. It looks like the difference is that replace existing tries to do a delete first, while the use existing version updates the existing cert.

The first question is, why is the delete failing? I have admin rights on the machine, and if there are 0 or 1 copies of the cert in the store, the operation works fine.

The second question is, why should the certificate be duplicated in the first place? I tried writing code that used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of the certificate. Is it possible that a call to add a certificate with replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here? If not, does anyone have any thoughts on where else I could look for answers?

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

That's the impression I get from the documentation as well. Looks like I'll have to have a closer look at that method. I'll let you guys know if I find anything; it seems to be a tricky bug to reproduce. Somehow you have to get the same cert in the store twice.

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I managed to get a log for the failure; here's the relevant section:

    MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
    Action 15:46:35: RollbackAddMachineCertificate.
    MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
    MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
    Action 15:46:35: AddMachineCertificate.
    MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
    MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
    MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
    MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
    MSI (s) (E0:64) [15:46:36:554]: Running as a service.
    MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
    AddMachineCertificate: Adding certificate: CTTCA
    AddMachineCertificate: Error 0x80070005: Failed to add certificate to the store.
    The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
    MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
    AddMachineCertificate: Error 0x80070005: Failed to install certificate.
    AddMachineCertificate: Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure happened, and the cert was already in the store twice (same serial number). I'm not sure what happened to get it there multiple times, but I can't have my installer failing like this if the cert is already there. Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I doubt overwrite will help. Can you get a log file from a failure? That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with code 26352

I've had some users complain about a problem with an installer that attempts to add a certificate to the trusted root cert store. I added a component to my setup that looks like this:

    <Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E" Permanent="yes">
      <Condition>CERTPATH</Condition>
      <CreateFolder/>
      <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no' CertificatePath='[CERTPATH]' StoreLocation='localMachine' StoreName='root'/>
    </Component>

Most of the time, this works fine, and the root CA cert is put in the local machine store (so the app can form TLS connections based on the certs our CA issues). In some cases though, the installer will fail with error 26352, and I've found that removing the certificate install option lets the installer run successfully. In all the cases where this happens, I've noticed that the local machine and current user stores contain multiple certificates with the same name. I'm not sure how to replicate this (since every time I try to add a certificate twice it fails), but if nothing else, I'd like to be able to fail non-catastrophically if the certificate install fails. Is there a way to make the certificate component non-vital, so that if it fails to install to the store, the rest of the application can still be installed? I'm going to try using the Overwrite attribute on the certificate element to see if that helps. Thanks!
Chris

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
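An added diagnostic for the situation the thread describes, in PowerShell; this is an editor's example, not code from the thread or from the WiX toolset. The LocalMachine\Root store that the installer writes to is a logical store that merges several physical stores (the local registry store, the Group Policy store and the Enterprise store), so a certificate present in more than one of them shows up more than once when the logical store is enumerated. The script lists every logical entry whose subject matches the filter, flags the case where one issuer/serial pair maps to certificates with different thumbprints, and then asks certutil which physical stores carry that serial number. It assumes an elevated session, certutil.exe on PATH, and that certutil's -store output prints one "Serial Number:" line per certificate; the subject filter CTTCA and the store name Root are taken from the thread, everything else is a parameter. It deletes nothing.

```powershell
# Editor's example (not from the thread or the WiX project): show every copy
# of a certificate in the logical LocalMachine\<StoreName> store and find out
# which physical stores behind it hold the same serial number.
# Assumptions: elevated PowerShell, certutil.exe on PATH, and a
# "Serial Number:" line per certificate in certutil -store output.
param(
    [string]$SubjectMatch = 'CTTCA',   # substring of the subject, from the thread
    [string]$StoreName    = 'Root'     # store name, from the thread
)

# Enumerate the logical store through .NET; this is the same view that
# CertOpenStore(CERT_SYSTEM_STORE_LOCAL_MACHINE) gives a native installer.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
$store.Open('ReadOnly')
try {
    $found = @($store.Certificates | Where-Object { $_.Subject -like "*$SubjectMatch*" })
} finally {
    $store.Close()
}

if ($found.Count -eq 0) {
    Write-Host "No certificate matching '$SubjectMatch' in LocalMachine\$StoreName"
    return
}

# Physical stores that feed the logical LocalMachine store, as certutil names them.
$physicalStores = [ordered]@{
    'Registry (local)' = @('-store', $StoreName)
    'Group Policy'     = @('-grouppolicy', '-store', $StoreName)
    'Enterprise (AD)'  = @('-enterprise', '-store', $StoreName)
}

# Group by issuer + serial number: that pair is what identifies a certificate
# from the CA's point of view, and it is what the thread says was duplicated.
$groups = $found | Group-Object -Property { "$($_.Issuer)|$($_.SerialNumber)" }
foreach ($g in $groups) {
    $serial = $g.Group[0].SerialNumber
    $thumbs = @($g.Group | Select-Object -ExpandProperty Thumbprint -Unique)

    Write-Host "$($g.Count) logical entry/entries for serial $serial"
    $g.Group | Format-Table Subject, Thumbprint, NotAfter -AutoSize | Out-String | Write-Host

    if ($thumbs.Count -gt 1) {
        # Same issuer and serial but different bytes: two distinct certificates.
        # That is worth a close look before anything is deleted or replaced.
        Write-Warning ("Serial {0} belongs to {1} different certificates (thumbprints: {2})" -f `
            $serial, $thumbs.Count, ($thumbs -join ', '))
    }

    # Ask certutil which physical store(s) contain this serial. Entries that
    # come from Group Policy or the Enterprise store are managed by policy
    # rather than by the local machine, so a local delete of such an entry
    # is one way a delete-and-replace can fail with Access Denied.
    foreach ($name in $physicalStores.Keys) {
        $cuArgs = $physicalStores[$name]
        $out = & certutil.exe $cuArgs 2>&1 | Out-String
        $hits = @([regex]::Matches($out, 'Serial Number:\s*([0-9A-Fa-f]+)') |
            Where-Object { $_.Groups[1].Value -ieq $serial })
        if ($hits.Count -gt 0) {
            Write-Host ("  present {0} time(s) in physical store: {1}" -f $hits.Count, $name)
        }
    }
}
```

Save it under a name of your choosing (Find-DuplicateRootCerts.ps1 is used here only as an illustration) and run it from an elevated prompt as `.\Find-DuplicateRootCerts.ps1 -SubjectMatch CTTCA`. Whether a policy-delivered copy is what produced the Access Denied in this thread is not something the thread establishes; the script only tells you whether that explanation is available on a given machine. If two different certificates share an issuer and serial number, treat that as something to investigate rather than a duplicate to clean up.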