Forum Discussion
Win 2025 - MCC Install Failure
WSL_Mcc_Install_Transcript
[08/11/2025 14:41:51] Completed configuration of port forwarding
[08/11/2025 14:41:51] Setting WslMccUbuntuEthZeroIp
[08/11/2025 14:41:51] Creating cache folder locations within Ubuntu image
[08/11/2025 14:41:51] Successfully completed creating cache folder locations within Ubuntu image
[08/11/2025 14:41:51] Running MCC install command line within WSL Ubuntu distro...
[08/11/2025 14:45:27] MCC install command line has completed within WSL Ubuntu distro
[08/11/2025 14:45:27] Validating MCC install to ensure it has completed successfully
[08/11/2025 14:45:27] Failure: MCC failed to install during deployment, please check install from registered task install logs to diagnose issue and retry, Return Code: 13631746
[08/11/2025 14:45:27] System.Management.Automation.RuntimeException: ScriptHalted
[08/11/2025 14:45:27] [2025-08-11] [02:45:27 PM]
[08/11/2025 14:45:27] WSL MCC install failed (ReturnCode: 13633026)
[08/11/2025 14:45:27] [2025-08-11] [02:45:27 PM]
[08/11/2025 14:45:27] Setting InvocationExitCode
[08/11/2025 14:45:27] Setting InvocationErrorMessage
[08/11/2025 14:45:27] Setting LastCompletedInstallStep
Unregistering.
[08/11/2025 14:45:28] Unregistered base Ubuntu image version: Ubuntu-24.04-Mcc after successful install of MCC
WSL_Mcc_Install_FromRegisteredTask_Transcript
[✓] Certificate matches expected thumbprint!
Geo certificate verification successful. Fetching Geo response...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 270 100 270 0 0 29 0 0:00:09 0:00:09 --:--:-- 62
Using default MCC KV host.
[!] Only 1 cert(s) found. Server may not be sending full chain.
MCCKV certificate verification failed. Exiting.
[08/11/2025 14:45:26]
MCC install has completed within WSL Ubuntu distro
4 Replies
- adityamiddha
Microsoft
Instead, you can validate the certificate chain by running:
openssl s_client -connect geomcc.prod.do.dsp.mp.microsoft.com:443 -showcerts
This will show what cert is being included on the check. Based on these results the customer will have the evidence on how they should proceed. Importing MS certs is not necessary and the requests to *.prod.do.dsp.mp.microsoft must avoid going through their proxy.
------------------------------
For example, we had one customer run the OpenSSL command above with the additional proxy parameter:
openssl s_client -connect geomcc.prod.do.dsp.mp.microsoft.com:443 -proxy [proxy_name] -showcerts
And found a "temporary failure in name resolution" error. They ran the command again, this time replacing the proxy hostname with an IP address instead. Only then did the openssl command work.
As a result, they changed the "-proxyurl" in the MCC installation script to the IP address instead of the proxy hostname. This fully resolved the issue.
- adityamiddha
Microsoft
Hi, thank you for bringing up this issue and suggesting workarounds. However, we do not recommend importing the MS certificate into the proxy.
The MCC installer pins to the MS certificate and ensures that valid endpoints from Microsoft are being used. As long as the URL is bypassed in the customer's proxy, the check will succeed.
OpenSSL client does not send an HTTP request; it only completes the TLS handshake to get the full cert chain. Receiving only 1 cert means the TLS handshake was intercepted and stamped with a different set of certs. Our prod URLs will have a full cert chain including intermediate leaf that chains back to the well-known root that we are checking against.
- marty5
Brass Contributor
*.prod.do.dsp.mp.microsoft.com are the URLs that continually cause issues due to the Microsoft cert lacking a trusted CA/full chain. Import the CA or skip the SSL validity checks at the firewall level.
More info: https://community.fortinet.com/t5/Support-Forum/Microsoft-Update-Secure-Server-CA-2-1-not-trusted-in-Fortgate-or/m-p/295174
- kunal-60812
Copper Contributor
How to import the CA?
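
As an added example (not part of the thread and not the MCC installer's own check), the shell function below summarises the chain in `openssl s_client -showcerts` output, the check described in the replies above, and flags the single-certificate case reported in the install log. The function name `summarize_chain`, the sample certificate names and the placeholder PEM bodies are constructed for illustration.

```shell
# Added example: summarise the certificate chain in `openssl s_client -showcerts`
# output read from stdin. Prints one line per certificate plus a verdict.
# Exit status: 0 = two or more certs presented, 1 = exactly one, 2 = none found.
summarize_chain() {
  awk '
    /^ *[0-9]+ s:/ { s = $0; sub(/^ *[0-9]+ s:/, "", s); subject = s; next }
    /^ +i:/        { i = $0; sub(/^ +i:/, "", i); issuer = i; next }
    /^-----BEGIN CERTIFICATE-----/ {
      printf "cert %d  subject=[%s]  issuer=[%s]\n", count, subject, issuer
      if (count == 0) leaf_issuer = issuer   # who signed the cert the server sent first
      count++
    }
    END {
      if (count == 0) { print "RESULT: no certificates in input"; exit 2 }
      if (count == 1) { print "RESULT: only 1 cert presented, leaf issued by [" leaf_issuer "]"; exit 1 }
      print "RESULT: " count " certs presented"; exit 0
    }'
}

# Constructed samples in s_client layout; issuer names and PEM bodies are placeholders.
SAMPLE_SINGLE='Certificate chain
 0 s:CN = geomcc.prod.do.dsp.mp.microsoft.com
   i:CN = Example Proxy Inspection CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
---'

SAMPLE_FULL='Certificate chain
 0 s:CN = geomcc.prod.do.dsp.mp.microsoft.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
---'

printf '%s\n' "$SAMPLE_SINGLE" | summarize_chain || echo "-> single-cert case flagged"
printf '%s\n' "$SAMPLE_FULL"   | summarize_chain && echo "-> server sent more than the leaf"

# Live use, with the command from the thread:
#   openssl s_client -connect geomcc.prod.do.dsp.mp.microsoft.com:443 -showcerts </dev/null 2>/dev/null | summarize_chain
```

The issuer printed for cert 0 is the value to compare between a run through the proxy and a run from a network path that bypasses it.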