W10 14971 Certificate is invalid

For discussions related to using VirtualBox on Windows pre-releases (e.g. Windows 10 > build 10240).
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: W10 14971 Certificate is invalid

Post by socratis »

Jacob Klein wrote:It would be nice if an Oracle dev let us know their take on this particular issue, even if no fix is warranted. But it's okay if we don't get that communication, too.
They did. Klaus, 3 posts before yours. Please read it, in case that you missed it...
klaus wrote:So never ever expect Insider Preview for anything but toying around. It's NOT meant for production use.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: W10 14971 Certificate is invalid

Post by Jacob Klein »

socratis wrote:
Jacob Klein wrote:It would be nice if an Oracle dev let us know their take on this particular issue, even if no fix is warranted. But it's okay if we don't get that communication, too.
They did. Klaus, 3 posts before yours. Please read it, in case that you missed it...
klaus wrote:So never ever expect Insider Preview for anything but toying around. It's NOT meant for production use.
I read it, earlier.

As I said, I was curious about Oracle's take on this particular certificate issue - OS bug that Oracle can ignore indefinitely, or OS change likely to be committed in a general release that will eventually require on Oracle change.

I'm not expecting a response, but it'd be nice :) I completely understand if they think it's not worth investigating at this time :) We understand that there is no obligation.

PS: Your responses sometimes come across as antagonizing and confrontational. But it could be my interpretation - I'm under quite a bit of stress.
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: W10 14971 Certificate is invalid

Post by rseiler »

Jacob Klein wrote:As I said, I was curious about Oracle's take on this particular certificate issue - OS bug that Oracle can ignore indefinitely, or OS change likely to be committed in a general release that will eventually require on Oracle change.
Me, too. A large swath of Windows uses this DLL, and more than a few 3rd-party apps, too (ones that I have running right now: Outlook, Firefox, Skype), yet it's all working except....

I was also intrigued by the "licensing documents" line. It is true that IP builds forcibly have all telemetry elements enabled (as they should for an ongoing beta), but there would be no chance of "proprietary information transferred off a Windows 10 IP install" (even allowing for the possibility that that's what MS telemetry gathering includes, which it does not), because there never would be proprietary information on a test machine in the first place. It's a test PC. It could even be an isolated PC.

Is this all to suggest that Oracle has had zero(!) IP builds installed to date?
Martin
Volunteer
Posts: 2560
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: W10 14971 Certificate is invalid

Post by Martin »

Most of the other programs don't care about unsigned DLLs injecting themselves into their program space.
Oracle uses standard Windows system calls to verfiy the signature of such DLLs and from time to time Microsoft changes something there or they don't use/create a valid certification tree so that this check fails. In most cases this gets fixed in the next insider build.
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: W10 14971 Certificate is invalid

Post by Jacob Klein »

Martin wrote:...or they don't use/create a valid certification tree so that this check fails. In most cases this gets fixed in the next insider build.
Hmmm, I have been testing every Fast Ring build since Insider inception, and this is the first time I've seen a VirtualBox failure relating to an invalid certificate, I think.
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: W10 14971 Certificate is invalid

Post by Jacob Klein »

Here are my details regarding this problem:

========================================================================================================
Dialog Box 1:
---------------------------
VirtualBox - Error In supR3HardNtChildPurify
---------------------------
<html><b>supHardenedWinVerifyProcess failed with VERR_CR_X509_CPV_NOT_VALID_AT_TIME: (rc=-23033)</b><br/><br/><br><br><!--EOM-->where: supR3HardNtChildPurify
what: 5
VERR_CR_X509_CPV_NOT_VALID_AT_TIME (-23033) - Certificate path validator: The certificate is not valid at the specified time.
</html>
---------------------------
OK
---------------------------

========================================================================================================
Dialog Box 2:
---------------------------
VirtualBox - Error
---------------------------
Failed to open a session for the virtual machine boinc_c2eadc1e63dade66 Clone 4 Clone xxx.

The virtual machine 'boinc_c2eadc1e63dade66 Clone 4 Clone xxx' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'E:\VirtualBox VMs\boinc_c2eadc1e63dade66 Clone 4 Clone xxx\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}

========================================================================================================
"VBoxHardening.log" Log File (attached)
...
2890.3c18: Error (rc=-23033):
2890.3c18: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume4\Windows\System32\ntdll.dll
2890.3c18: Error -23033 in supR3HardNtChildPurify! (enmWhat=5)
2890.3c18: supHardenedWinVerifyProcess failed with Unknown Status -23033 (0xffffa607): Certificate is not valid (ValidTime=2088-08-14T12:05:18.000000000Z Validity=[2014-05-28T17:33:33.000000000Z...2029-05-28T17:43:33.000000000Z]): \Device\HarddiskVolume4\Windows\System32\ntdll.dll

========================================================================================================


Hmm... I wonder where it's getting that "ValidTime=2088-08-14T12:05:18.000000000Z" value from. I've tried to look at all 3 certificates in the chain, but can't find "year 2088" anywhere!
It's almost like it's maybe thinking "today is 2088", and then thinking "cert only valid 2014-2029"... meaning the problem might actually be "getting current date" somehow?
Attachments
VBoxHardening.log
(9.9 KiB) Downloaded 74 times
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: W10 14971 Certificate is invalid

Post by rseiler »

Martin wrote:Most of the other programs don't care about unsigned DLLs injecting themselves into their program space.
Oracle uses standard Windows system calls to verfiy the signature of such DLLs and from time to time Microsoft changes something there or they don't use/create a valid certification tree so that this check fails. In most cases this gets fixed in the next insider build.
OK, maybe there is something different about it that the other programs and all of the many system services don't care about, but it's definitely not unsigned. I've clicked all through its certificate, so it's most definitely there, and Windows declares that "This certificate is OK."

I wonder if the certificate is a red herring, like sometimes with a BSOD, when the module cited has nothing to do with why your system crashed. Usually it does, but not always.

Attached is just a bit of the cert's properties.
Attachments
Capture.JPG
Capture.JPG (21.97 KiB) Viewed 9624 times
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: W10 14971 Certificate is invalid

Post by Jacob Klein »

rseiler:

Did you read the error message, regarding "ValidTime" - where did that 2088 date come from, do you think?
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: W10 14971 Certificate is invalid

Post by rseiler »

Jacob Klein wrote:Did you read the error message, regarding "ValidTime" - where did that 2088 date come from, do you think?
No, where is that field?
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: W10 14971 Certificate is invalid

Post by Jacob Klein »

Read your VBoxHardening.log file more closely :)
And also the comment at the bottom of my post where I posted my full details.
FireNWater
Posts: 2
Joined: 27. Jul 2016, 18:52

Re: Discussion of Problems due to Hardened Security

Post by FireNWater »

.
ditto
.
LtRadar wrote:1)Win10 vbox ver Version 5.1.9 r111957 (Qt5.6.2) also in 5.1.8 hence tried latest test build
2)attached log
3)related stuff
Just autoupdated to latest win 10 insider 14971.1000 build and got this message
Image

and "Failed to open a session for the virtual machine xp.

The virtual machine 'xp' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'D:\Virtual Machines\xp\Logs\VBoxHardening.log'.

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine

"
was working fine in 14965 and 5.1.8
AVG Internet Security
Intel inbuild graphics
No firewall
UAC disabled
On windows insider program fast channel
developer mode
no issues on sfc or chkdsk
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: W10 14971 Certificate is invalid

Post by rseiler »

Jacob Klein wrote:Read your VBoxHardening.log file more closely :)
And also the comment at the bottom of my post where I posted my full details.
I thought you meant in the properties of the cert, which I had just posted (I hadn't seen the end of your prior post before).

Perhaps we should set our machines back then to 1944.
Jacob Klein
Posts: 696
Joined: 20. Nov 2013, 01:07

Re: W10 14971 Certificate is invalid

Post by Jacob Klein »

:) I do not intend to try that, but you or someone else are certainly welcome to. I'd be curious if that test would affect the 2088 date or not.
rseiler
Posts: 158
Joined: 5. Feb 2009, 20:26

Re: W10 14971 Certificate is invalid

Post by rseiler »

Jacob Klein wrote::) I do not intend to try that, but you or someone else are certainly welcome to. I'd be curious if that test would affect the 2088 date or not.
Wikipedia says that Windows supports an "epoch" of 1 January 1601 to AD 30,828, but I can't get earlier than 1980.

Windows 10 is not time-machine ready. Sad!

This program does let you do it, but Vbox doesn't run at all with it regardless of date:
http://www.nirsoft.net/utils/run_as_date.html
bird
Oracle Corporation
Posts: 127
Joined: 10. May 2007, 10:27

Re: W10 14971 Certificate is invalid

Post by bird »

We suspect the problem is some certificate or signature parsing issue caused by some slight change in the output from the microsoft signing tools or CA. However, in order to fix it we need the offending ntdll.dll and are eagerly waiting for the laptop with the insider build setup to feel like update itself so we can get it. With a bit of luck we'll have it fixed soon...
-bird
Knut St. Osmundsen
Oracle Corporation
Post Reply