
Kofax Web Capture Install/Uninstall Errors Related to URL Registration and SSL Certificate Binding

If the Kofax Web Capture service cannot be installed (or uninstalled), one possible cause is that the installer is failing to add or remove certificates, URL namespace registrations, or SSL certificate bindings.

 

306456

Normal Install/Uninstall Behavior

Normally, when installing the Kofax Web Capture Service, the installer imports certificates, adds SSL certificate bindings, and adds URL namespace reservations.  When uninstalling, each of these elements is removed.  Under normal conditions, a problem during install or uninstall should also cause a clean rollback to the original state.  However, if these elements are left in an inconsistent state, this may prevent the upgrade, uninstall, or reinstall of Web Capture.  To gather details about the current state of these elements, run the script below, which writes the information to a text file.

@echo off
REM Writes the current certificate, URL ACL and SSL binding state to a text file next to this script.
cd /d %~dp0
set log=WebCaptureInstallDetails.txt
echo Web Capture Install Details > %log%
echo. >> %log%
echo. >> %log%
echo Server Cert  >> %log%
echo. >> %log%
certutil -store "MY" Kofax.WebCapture.Localhost 1>> %log% 2>&1
echo. >> %log%
echo. >> %log%
echo CA Cert  >> %log%
echo. >> %log%
certutil -store "Root" "Kofax Web Capture Service" 1>> %log% 2>&1
echo. >> %log%
echo. >> %log%
echo URL ACL  >> %log%
echo. >> %log%
netsh http show urlacl 1>> %log% 2>&1
echo. >> %log%
echo. >> %log%
echo SSL Cert Binding  >> %log%
echo. >> %log%
netsh http show sslcert 1>> %log% 2>&1

Fixing an Inconsistent State

Extract Certificates from MSI

The certificate used in the installer can differ between versions of Web Capture.  To correct the inconsistent state, we need the certificate from the version of Web Capture that is having the problem.  If a problem occurs when trying to uninstall, this requires the MSI of the version that needs to be uninstalled.  If a problem occurs when trying to install, this requires the MSI of the version that needs to be installed.  An upgrade is actually just an uninstall followed by an install, so if the problem occurs when upgrading between versions, uninstall first to determine the point of failure.  Because this is an in-depth process, it may be useful to open a support case for assistance in determining whether this is the appropriate solution for your problem.

Extracting the certificate can be done with a number of MSI tools, with SuperOrca shown as an example.

  • Open the MSI, and navigate to the Binary table.


  • Click on ca.cert.bin, then right click on the corresponding cell in the Data column, and click “Write Binary to file” to save as “ca.cer”.
  • Click on server.cert.bin, then right click on the corresponding cell in the Data column, and click “Write Binary to file” to save as “server.pfx”.
  • Add ca.cer and server.pfx to the same folder as the scripts that will be run.


Fixing Errors During Install

To ensure that installation can complete, we want to make sure that certificates, bindings, and URL registrations are not present on the system.  With ca.cer and server.pfx in the same folder, run the following batch script from an elevated command prompt (or right click, Run As Admin).

@echo off
set me=WCSInstallFix:
echo %me% Make sure to run this script as admin
REM Running as admin changes working directory.  This changes it back to the folder where the script is.
cd /d %~dp0

echo.
echo %me% Deleting registrations/cert bindings
netsh http delete urlacl url=http://127.0.0.1:23023/
netsh http delete urlacl url=https://127.0.0.1:23024/
netsh http delete sslcert ipport=0.0.0.0:23024
echo %me% If "file not found" errors occur here, this indicates that registrations/cert bindings were already removed. The errors can be ignored.
echo.

echo.
echo %me% Getting hash from certificate files
REM certutil prints the SHA-1 hash either as a single token or as 20 space-separated bytes.
REM Concatenating tokens 3-22 yields the same 40-character value in both cases.
for /f "tokens=3-22" %%f in ('certutil.exe ca.cer ^| findstr /c:"Cert Hash(sha1)"') do @set cahash=%%f%%g%%h%%i%%j%%k%%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y
for /f "tokens=3-22" %%f in ('certutil.exe -p "" server.pfx ^| findstr /c:"Cert Hash(sha1)"') do @set serverhash=%%f%%g%%h%%i%%j%%k%%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y
echo.
echo %me% server.pfx hash: %serverhash%
echo %me% ca.cer hash: %cahash%
echo.

echo %me% Deleting server cert
echo.
certutil -delstore "MY" %serverhash%

echo.
echo %me% Deleting CA cert
echo.
certutil -delstore "Root" %cahash%

REM These can also be deleted by name
REM certutil -delstore "MY" Kofax.WebCapture.Localhost
REM certutil -delstore "Root" "Kofax Web Capture Service"

pause

Fixing Errors During Uninstall

To ensure that an uninstall can complete, we want to make sure that the expected certificates, bindings, and URL registrations are present on the system so that the uninstall process can remove them as expected.  With ca.cer and server.pfx in the same folder, run the following batch script from an elevated command prompt (or right click, Run As Admin).

@echo off
set me=WCSUninstallFix:
echo %me% Make sure to run this script as admin
REM Running as admin changes working directory.  This changes it back to the folder where the script is.
cd /d %~dp0

echo.
echo %me% Importing certificates
echo %me% These certificates must have been extracted from the Kofax Web Capture MSI into the same folder as this script.
echo.
certutil -addstore "Root" ca.cer
certutil -p "" -importPFX server.pfx

echo.
echo %me% Adding url namespace registrations
netsh http add urlacl url=http://127.0.0.1:23023/ sddl=D:(A;;GX;;;BU)
netsh http add urlacl url=https://127.0.0.1:23024/ sddl=D:(A;;GX;;;BU)
echo.

echo.
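echo %me% Getting hash from server.pfx
REM Tokens 3-22 are concatenated so the hash is captured whether certutil prints it with or without spaces.
for /f "tokens=3-22" %%f in ('certutil.exe -p "" server.pfx ^| findstr /c:"Cert Hash(sha1)"') do @set serverhash=%%f%%g%%h%%i%%j%%k%%l%%m%%n%%o%%p%%q%%r%%s%%t%%u%%v%%w%%x%%y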
echo.
echo %me% server.pfx hash: %serverhash%
echo.

echo %me% Binding Certificates 
echo %me% If error 1312 occurs here, this indicates that certificates were not successfully imported in previous steps.
netsh http add sslcert ipport=0.0.0.0:23024 certhash=%serverhash% appid={44140043-5CD0-460E-BF47-C77CA5DA537D}

pause
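
The following PowerShell check is an added example, not part of the original article or of the Kofax scripts. It reports which of the elements handled by the two fix scripts are present and whether the certificate hash bound on port 23024 matches the server.pfx extracted from the MSI. It assumes ca.cer and server.pfx are in the current folder, and that netsh lists a reserved URL only when the reservation exists.

```powershell
# Added example (not Kofax code). Makes no changes to stores, URL reservations or bindings.
# Assumes ca.cer and server.pfx, extracted from the MSI, are in the current folder.
$x509    = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$caPath  = (Resolve-Path .\ca.cer).Path
$pfxPath = (Resolve-Path .\server.pfx).Path
$ca      = New-Object $x509 -ArgumentList $caPath
$server  = New-Object $x509 -ArgumentList $pfxPath, ''   # empty password, as with certutil -p ""

# Certificates: look up the exact thumbprints in the machine stores.
$inMy   = Test-Path "Cert:\LocalMachine\My\$($server.Thumbprint)"
$inRoot = Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"

# URL reservations: the URL appears in the netsh output only when it is reserved (assumption).
$urls = 'http://127.0.0.1:23023/', 'https://127.0.0.1:23024/'
$acls = foreach ($u in $urls) {
    [bool]((netsh http show urlacl url=$u) -match [regex]::Escape($u))
}

# SSL binding: pull the 40-hex-digit certificate hash out of the netsh output, if any.
$bindText  = (netsh http show sslcert ipport=0.0.0.0:23024) -join "`n"
$boundHash = if ($bindText -match '\b([0-9A-Fa-f]{40})\b') { $Matches[1].ToUpper() }

[pscustomobject]@{
    ServerCertInMy = $inMy
    CaCertInRoot   = $inRoot
    UrlAcl23023    = $acls[0]
    UrlAcl23024    = $acls[1]
    SslBindingHash = $boundHash
    ServerPfxHash  = $server.Thumbprint
} | Format-List

# Summarize: all present suits an uninstall, none present suits an install.
$present = @($inMy, $inRoot, [bool]$boundHash) + $acls
if ($boundHash -and $boundHash -ne $server.Thumbprint) {
    'Binding on 0.0.0.0:23024 uses a different certificate than this server.pfx; check that the MSI version matches.'
} elseif ($present -notcontains $false) {
    'All elements present: the state an uninstall expects.'
} elseif ($present -notcontains $true) {
    'No elements present: the state an install expects.'
} else {
    'Mixed state: some elements present and some missing.'
}
```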

Scripts

These are the scripts detailed in the above sections: WebCaptureServiceScripts.zip

Author:  Stephen Klancher
