maxmind / geoipupdate

GeoIP update client code
Apache License 2.0

Windows task (run as system) tls: failed to verify certificate: x509: certificate signed by unknown authority #331

Open RvdHout opened 1 month ago

RvdHout commented 1 month ago

I have had a Windows Task Scheduler task (Windows Server 2019) that updates GeoLite databases for ages; lately I have started to notice the mmdb files are not updated any longer... not entirely sure when this started. The task is run under the SYSTEM account.

When I manually run (https://learn.microsoft.com/nl-nl/sysinternals/downloads/psexec) PsExec64.exe -s -i C:\GeoIP\geoipupdate.exe -v

Repeated error(s) returned are like:

Couldn't download GeoLite2-ASN, retrying in 364.535167ms: performing metadata request: Get "https://updates.maxmind.com/geoip/updates/metadata?edition_id=GeoLite2-ASN": tls: failed to verify certificate: x509: certificate signed by unknown authority

Strange thing... the same task run under an Administrator account works fine; also, the same task (running as SYSTEM) on another server (Windows Server 2022 in this case) works without problems. I am able to reproduce the issue on 2 independent Windows Server 2019 instances.

oschwald commented 1 month ago

I believe Go just uses the Windows certificate store. It sounds likely that the administrator has up-to-date certificates in their user store and the certificates in the local machine store are older. I would expect the latest certificates to be available via Windows Update for the machine store, but I am not a Windows expert.

RvdHout commented 1 month ago

I am no expert either, but I see the same Root and Intermediate certificates in the Windows certificate store when run normally as Current User, Local Computer or even as SYSTEM user with psexec (PsExec64.exe -s -i c:\windows\system32\mmc.exe c:\windows\system32\certmgr.msc)

CN = Baltimore CyberTrust Root
Thumbprint = d4de20d05e66fc53fe1a50882c78db2852cae474
CN = Cloudflare Inc ECC CA-3
Thumbprint = b3dd7606d2b5a8b4a13771dbecc9ee1cecafa38a
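
The error quoted in this thread comes from Go's `crypto/x509` verifier, and whether it appears depends only on which roots the verifying process can see. The following is an added example, not code from this thread or from the geoipupdate project: it verifies one leaf certificate against two trust stores. All certificates and names are constructed for the example, and `Roots` is set explicitly so the result does not depend on the operating system store (with `Roots` left nil, Go uses the system roots or the platform verifier).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure while building the constructed fixtures
	}
	return v
}

// issue makes a constructed test certificate signed by parent (self-signed when parent is nil).
func issue(n int64, cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// verify checks leaf against exactly the given roots; a non-nil Roots pool keeps the OS store out.
func verify(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	store := x509.NewCertPool()
	for _, r := range roots {
		store.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store})
	return err
}

func main() {
	current, ck := issue(1, "Constructed Current Root", true, nil, nil)
	older, _ := issue(2, "Constructed Older Root", true, nil, nil)
	leaf, _ := issue(3, "updates.example.test", false, current, ck)
	fmt.Println("store holding the issuing root:", verify(leaf, older, current))
	fmt.Println("store missing the issuing root:", verify(leaf, older))
}
```

The same leaf passes or fails purely on the contents of the store handed to the verifier, which is why comparing what each account context actually resolves as trusted is the useful diagnostic here.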