Windows Update Failure 80072F8F with SSL-Proxy

Hello to all,

My Win 7 clients are reporting update failure 80072F8F when transparent proxy with SSL is enabled. If only transparent proxy is enabled, it works. Certificates are installed. HTTPS sites are working perfectly. I read that this is a known issue with Squid 3.4 and above, but NS 6.7 final uses Squid 3.3. Disabling disk caching doesn’t help. I added some URLs I found in that article on the Squid FAQ about Windows Update to /etc/squid/acls/ssl_bypass.acl and did “service squid restart”, but that doesn’t help either.
Can anybody please help me, because I want SSL enabled to block Facebook and co.? Thank you.

EDIT: No one can give me a hint? :cry:
Maybe someone can help me think. In squid.conf there is “ssl_bump none bypass_ssl”. So every URL which is in this ACL is bypassed. This ACL is in /etc/squid/acls/ssl_bypass.acl. Bypass means that there will be no decryption. So there shouldn’t be a problem with SSL certificates, right? So the problem itself must be a URL that isn’t in this ACL?? :hushed: Has anyone noticed that MS has changed the update URLs?


Please try these options:


Hi @GG_jr,

Thanks for the reply. Will try this on Monday. Tomorrow I will go skiing! :grinning:

WOW! Enjoy skiing!
Will you show some pictures to us?

o.k. I’ll do. :grin:

@GG_jr thanks for the hints, but unfortunately none of them helped.

And here are, as promised, some impressions of yesterday:

in the morning:

a little later:

about noon:

finally me:

what a day:

I’m still grinning :laughing:
This is Lech/Zuers at Arlberg. One of the most famous skiing resorts in the world. Just 1 h by car. I’m a lucky guy!


Very nice pictures!

I had the same error today. I had 7 PCs to install from scratch with Win 7 Pro; I installed one of them with full updates and then I cloned the HDDs. One of the PCs had the date in BIOS set to November 2016 …

But your issue is only with SSL Proxy …

Did you install the SSL certificate from NS?

Yes. The certificate is installed as “trusted authorities”.

Do you know what the difference is between “config setprop squid SSLBypass” and the ACL stored in /etc/squid/acls/ssl_bypass.acl? Every URL stored in that ACL should bypass the SSL proxy?

EDIT: Just noticed that the DB property squid SSLBypass is the custom part of the template part “30custom”.

Such great pictures! I love skiing on my Dolomiti too :slight_smile:

I love the Dolomites too, but unfortunately I haven’t been there for skiing yet. I’m often there for motorcycling. Falzarego, Pordoi, Ronde Sella, Passo Giau, etc. I love those mountains. :grinning:

Hi @flatspin,

Did you solve the problem?

According to this, it should work with transparent proxy with SSL:

You can also read the following articles; maybe they can help more: (workaround section)


Hey @GG_jr, thanks once more for your effort.
No, I didn’t solve it yet. Will read all carefully and report.

I’m completely confused! I made 4 firewall objects for the servers noted in wuredir.xml. (IP / / / and included them in a host group. Then I gave the proxy this group as sites without proxy.
Update worked exactly 1 time. But now I can’t reproduce it. :confused:
Going for the weekend!! Next work on Monday. Need some time to think.
I wish the “Microsoft-Free-Office” would come true soon!

Good choice! :evergreen_tree::ski::evergreen_tree::ski:

@GG_jr Unfortunately the weekend didn’t last that long…:wink:
I found a workaround, but I don’t understand why. When I define a proxy server in Internet Options (connections/LAN…), updates are working. I configured nethserver-proxy as transparent with SSL. My config in the Windows network is “workgroup”. No PDC. Any hint why Internet Options needs to be configured with a proxy? It seems that only winupdate needs that. Any other HTTP connections seem to work.
Many thanks. Ralf

Hi Ralf,

You’re welcome!
I’m glad that you solved the problem!

If I understand well, Windows Update works with transparent proxy with SSL on NS and with a proxy server defined in the browser options. Am I right?

As we have seen on Microsoft sites, there are download sites with HTTP and with HTTPS. I think they forced the download access to HTTPS.

It is the same thing with Google, Facebook and, I think, with other sites too. Even if you type www or http://… in the browser, the sites are opened with HTTPS.

Kind regards,

Yes, Gabriel, you understand right. I read on a Microsoft site something about this failure and that a proxy definition with netsh winhttp would help. But that didn’t work. So I tried it with Internet Options and that worked. I noticed that the download is forced to HTTPS. But why all other HTTPS sites are working except Windows Update is a mystery to me. :confused:
Nevertheless I will mark this thread as solved. Have a nice time and thanks.


A possible answer (I am a BMW fan!):