Unable to install Chrome extension using AD GPO policy if the Update URL points to a local HTTPS server (Chrome browser version 60)


Sumeet Agrawal

Aug 22, 2017, 2:50:27 AM
to Chromium-discuss

I have a Windows 7 SP1 system that is part of a domain. I've imported the domain GPO Chrome .admx file and then created the Chrome GPO policy for the 'ExtensionInstallForceList' property by using http://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist as the reference.

To verify that this crx installs successfully, I packed the extension using the 'Pack Extension' button in the Chrome browser that appears in Developer mode, and then I dragged and dropped the '.crx' file onto the Chrome browser on the same machine.

I followed instructions as seen here: https://developer.chrome.com/extensions/external_extensions


First, publish the extension in the Chrome Web Store, or package a .crx file and make sure that it installs successfully


Here is how it looked:



Extension from packing machine


I used the ID from the above window for the updates.xml file. I even modified the manifest.json file of my extension before packing to add the parameter 'Update_Url' as specified on the page: https://developer.chrome.com/extensions/autoupdate


Then I used a local HTTPS server (prepared using IIS 8.0 on a Windows 2012 server and a self-signed SSL certificate) to place the packed extension '.crx' file as well as the updates.xml file.

Also found that the web.config file in the root path of the IIS server specified the following properties:


  • application/xml for the update manifest
  • application/octet-stream for the CRX file


So the (incorrect value here for demo purpose only) GPO settings that I used were:


eelojgpfkmaaabbbccneneemcahoehjo;https://<some.ip.address>:9443/crx


See attached snapshot for reference:


Chrome GPO policy setting


In my IIS server, I've enabled Directory browsing and then chose the root path of the server to point to the parent folder of 'crx'. I am able to access the updates.xml file present inside crx using this above URL.


The list of GPO policies I have in place now (at the time of taking the snapshot it was a Tomcat HTTP server. Later I've tried using IIS HTTPS server too but it still hasn't worked):


FQDN-based-GPO3. 


For the GPO setting for 'Forced list extension installation', I tried specifying the path up to updates.xml and also tried specifying only the path to the folder that contains updates.xml; however, the extension didn't install either way.


Can someone please help me point out exactly what is missing?

  • Could there be some issue in the way I configured my IIS server? or
  • Could it be because I used an IP address instead of an FQDN? or
  • Is it because of some other possible configuration error?

PhistucK

Aug 22, 2017, 2:54:08 AM
to slg....@gmail.com, Chromium-discuss
1. When you use Chrome to browse to the update URL, does it show any security/SSL/TLS/certificate error?
2. Does it work if you use an HTTP (not HTTPS) server?


PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+unsubscribe@chromium.org.

Sumeet Agrawal

Aug 22, 2017, 3:02:36 AM
to Chromium-discuss, slg....@gmail.com
1. It first showed me the certificate error but I had to use the 'Advanced' option and continue to the website and then I added the website address to the 'Safe Websites List' in Chrome settings. Now it doesn't show me any certificate errors for that website; instead it just shows me 'Not Secure' in the place where it normally shows 'Https' and then if I click on it, it says I've disabled warnings for this site.
2. I've tried the same steps using a Tomcat HTTP server on the same system but it still didn't work. But then I am not sure if the failure of extension installation was due to my incorrect Tomcat configuration or due to something else.



PhistucK

Aug 22, 2017, 4:49:13 AM
to Sumeet Agrawal, Chromium-discuss
Generally, you can try and use Fiddler2 in order to see what Google returns for update check requests. You can trigger update checks by going to chrome:extensions, enabling the "Developer mode" and clicking on "Update extensions now".

Regarding the certificate error, I am not sure, but I imagine that Chrome might not accept certificate errors while checking for updates, even if you accepted it (and even if you accepted it, it only remembers it for the session anyway, so restarting the browser at some point will forget the consent). You should generally avoid certificate errors.


PhistucK
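
Added example (not part of any post in this thread, and not Chrome's own code): a small offline check of one 'ExtensionInstallForceList' entry against the update manifest it points to, covering the pieces discussed above: the 'id;update_url' format, the ID used in updates.xml, and an HTTPS update URL on a bare IP address. The sample manifest, host name, file names and the function name check_forcelist_entry are made up for illustration.

```python
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address
from urllib.parse import urlsplit

NS = "{http://www.google.com/update2/response}"  # update manifest namespace

# Constructed sample manifest (not the poster's file); host and file names are made up.
SAMPLE_MANIFEST = """<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
  <app appid='eelojgpfkmaaabbbccneneemcahoehjo'>
    <updatecheck codebase='https://ext.example.test:9443/crx/myext.crx' version='1.0'/>
  </app>
</gupdate>"""

def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def check_forcelist_entry(entry, manifest_xml):
    """Compare one 'id;update_url' policy entry with the manifest served at that URL."""
    problems = []
    ext_id, sep, update_url = entry.partition(";")
    if not sep or not re.fullmatch(r"[a-p]{32}", ext_id):
        problems.append("entry is not '<32-letter a-p id>;<update url>'")
    url = urlsplit(update_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("update URL is not an absolute http(s) URL")
    elif url.scheme == "https" and is_ip_literal(url.hostname):
        # Something to verify by hand, per the advice above to avoid certificate errors.
        problems.append("https update URL uses an IP literal; the certificate must be "
                        "trusted by the client and issued for that address")
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        return problems + [f"manifest is not well-formed XML: {exc}"]
    if root.tag != NS + "gupdate":
        problems.append("root element is not <gupdate> in the update2 namespace")
    # The appid in the manifest has to be the same ID that the policy entry names.
    app = next((a for a in root.iter(NS + "app") if a.get("appid") == ext_id), None)
    check = app.find(NS + "updatecheck") if app is not None else None
    if app is None:
        problems.append(f"manifest has no <app> whose appid is {ext_id!r}")
    elif check is None:
        problems.append("<app> has no <updatecheck> element")
    else:
        if not re.fullmatch(r"\d+(\.\d+){0,3}", check.get("version", "")):
            problems.append("version is not 1-4 dot-separated integers")
        if urlsplit(check.get("codebase", "")).scheme not in ("http", "https"):
            problems.append("codebase is not an absolute http(s) URL")
    return problems
```

An empty list means the entry and the manifest agree with each other; it says nothing about whether the server's certificate actually validates on the client, which still has to be checked in the browser.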
