A list of typical errors and ways to solve them for users of the accounting and reporting subsystem of the State Integrated Information System. Common errors when connecting to the GIS "Electronic Budget": the TLS client does not see the electronic certificate

Setting up an automated workplace of the Electronic Budget occurs in several stages; they are not complicated, but require care. We do everything according to the instructions for setting up an electronic budget. Short and to the point...

Electronic budget setting up a workplace

Root certificate electronic budget

Create a folder named key in My Documents to store the downloaded certificates.

On the website http://roskazna.ru/gis/udostoveryayushhij-centr/kornevye-sertifikaty/ in the GIS menu -> Certification Authority -> Root certificates, you need to download the "Root certificate (qualified)" (see figure), or if you received a flash drive with certificates, copy them from the Certificates folder.

Certificate Continent TLS VPN

The second certificate that needs to be downloaded is the Continent TLS VPN certificate, but I couldn’t find it on the new roskazna website, so I’m putting a link from my website. Download the Continent TLS VPN certificate to the key folder; we will need it later when we configure the Continent TLS client program.

Install the downloaded Root certificate (qualified) for working with the electronic budget.

In the START menu -> All programs -> CRYPTO-PRO -> launch the Certificates program.

Go to Certificates as shown in the figure below:

Go to the menu Action - All tasks - Import; the Certificate Import Wizard window will appear. Click Next - Browse and find the downloaded Root certificate (qualified); in our case it is located in My Documents in the key folder.

If everything was done correctly, the root certificate of the Federal Treasury CA will appear in the certificates folder.

Installation of "Continent TLS Client" for working with electronic budget

Continent_tls_client_1.0.920.0 can be found on the Internet.

Unpack the downloaded archive, go to the CD folder and run ContinentTLSSetup.exe

In the list, click Continent TLS Client KC2 and start the installation.

We accept the terms

Leave the destination folder as default

In the configurator launch window, check the box next to Launch configurator after installation is complete.

During installation, the Service Settings window will appear:

Address - indicate lk.budget.gov.ru

Certificate - select the second certificate downloaded earlier in the key folder.

Click OK and complete the installation, Done.

When asked to reboot the operating system, we answer No.

Installing the electronic signature tool “Jinn-Client”

You can download the Jinn-Client program on the Internet.

Go to the Jinn-client - CD folder, run setup.exe

Click Jinn-Client in the list; the program installation starts.

We ignore the error, click Continue, Next, accept the agreement and click Next.

Enter the issued license key

Install the program as default, click Next

We complete the installation and answer No to the question about rebooting the operating system.

Installing a module for working with electronic signatures “Cubesign”

If you need an archive with the program, write in the comments.

Run the installation file cubesign.msi

Setting up the Mozilla Firefox browser to work with the Electronic Budget.

1. Open the "Tools" menu and select "Settings".

2. Go to the “Advanced” section, “Network” tab.

3. In the “Connection” settings section, click the “Configure…” button.

4. In the connection parameters window that opens, select "Manual proxy configuration".

5. Set the values of the HTTP proxy fields: 127.0.0.1; Port: 8080.

6. Click the “OK” button.

7. In the “Settings” window, click the “Ok” button.

Login to your personal account of the Electronic Budget

A window will open asking you to select a certificate for logging into your Electronic Budget personal account.

We select a certificate to enter the Personal Account of the Electronic Budget. If the private part of the certificate (the private key) is protected by a password, enter it and click OK; the Personal Account of the Electronic Budget will then open.

The next federal hemorrhoids crept up as planned, and as always... The basis will be taken from the instructions sent by email (with the request “incognito”), supplemented by my lyrics and notes. Because everything worked for us. By analogy with procurement in ⇒ Cloud I threw in everything you might need.

Lyrics and additions are also important, read from cover to cover.

Introductory. We have everything set up to work through Internet Explorer version 11 and the antivirus KES 10. After the ransomware epidemic, we had to disable the Firewall and now we work through the Windows Firewall. No settings were made in the “wall of fire”; EB-2012 works without problems. But I’ll show you the settings for KES 10 later. Internet Explorer 11 can be downloaded from ⇒ Yandex.

So, let's go...


Point No. 1. Remove all versions of Jinn-Client and Continent TLS (if previously installed). Reboot.

Lyrics. If you don’t have any “homemade” departmental software, I also recommend running the registry utility CCleaner. And clean until it says “No errors.” If VirtualBox is installed, only errors from it will remain. Reboot.

Point No. 2. Remove Extended Container (if it was installed before). Reboot.

Lyrics. I didn’t figure out how to remove it, it remained in the system - it didn’t affect the final result. As a last resort, you can simply put a fresh one on top. This is where we may need the Microsoft Visual C++ libraries (which I put in a separate folder).

Information. This time our Treasury remained silent, and I looked for all the software myself and installed it according to the instructions from the forums. Ultimately, we have Extended Container not from the “official” distribution, but version 1.0.2.2 (folder "eXtendedContainer" in the Cloud).

Point No. 3. Install the Mozilla Firefox 63.0.1 (32-bit) browser; you can install it over the old version.

Lyrics. I completed the step, but it didn’t work, and the SUFD configured via Firefox flew off. The result was extra hemorrhoids. Internet Explorer 11 is our everything! There's another problem here. Firefox and Chrome are constantly updated, but the final security requirements have not been formed... and extensions crash and are disabled... Firefox ESR is also going through a phase of global changes... In short, it's better not to touch it.

Point No. 4. Install the CRL for GOST-2012 (as administrator, into Trusted Root in Local Computer). You can download the latest ones from crl.roskazna.ru.

For information. Different Electronic Budget certificates indicate different paths: crl.roskazna.ru and crl.roskazna.ru/crl/. If the list suddenly turns out to be expired, you can try a different address. It might just work.

Lyrics. This was not needed, because we had already done all this crap with an unsuccessful attempt to install Continent-AP 3.7.7.651 (the computer was built on server hardware). I don’t know about the others, but we rolled back to Continent-AP 3.6.90.4 and continue to work without problems (Continents ⇒). We are waiting for the normal version of Continent-AP 4.0.

But problems arose with GOST-2001 in the “Electronic Budget”. And this point will be useful for general development, and to solve the problem... How do I find out where to get the CRL (aka "Certificate Revocation List")?

Double-click the problematic certificate in Explorer. Go to the "Details" tab and select the line "CRL Distribution Points". We get addresses... Launch any Internet browser and enter the URL. If “empty” at all addresses, well, stillborn... :(

What we downloaded needs to be forced into the system. And so every time the list loses its relevance... In the same Explorer, double-click on the downloaded file and select "Install...":

And the most interesting thing is that the download paths are registered in TLS 2.0, but this c[puppy’s mother] writes that there is nothing at the specified address.

And for information: it turns out that certificates and private key containers have lifetimes independent of each other. That is, the certificate may be current, but it is no longer possible to sign the document...
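Whether a downloaded revocation list has "lost its relevance" can be read from the file itself: the thisUpdate and nextUpdate fields at the start of the CRL. The following is an added example, not part of the original post or of any Treasury tooling; it assumes a DER-encoded (binary, not PEM) .crl file, and the function names and SAMPLE_CRL are constructed for illustration. It reads only those header fields and never interprets the signature algorithm, so GOST-signed lists are handled the same way as any other.

```python
import sys
from datetime import datetime, timezone

def read_tlv(buf, pos, expect=None):         # -> (tag, value_start, value_end)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    if expect is not None and tag != expect:
        raise ValueError("unexpected DER tag 0x%02x" % tag)
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def parse_time(tag, raw):                    # UTCTime (0x17) or GeneralizedTime (0x18)
    text = raw.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 means 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate is None if absent."""
    _, pos, _ = read_tlv(der, 0, 0x30)            # CertificateList
    _, pos, tbs_end = read_tlv(der, pos, 0x30)    # tbsCertList
    tag, _, end = read_tlv(der, pos)
    if tag == 0x02:                               # optional version INTEGER
        pos = end
    for _ in range(2):                            # skip signature algorithm and issuer
        pos = read_tlv(der, pos, 0x30)[2]
    tag, start, pos = read_tlv(der, pos)
    if tag not in (0x17, 0x18):
        raise ValueError("not a CRL: thisUpdate missing")
    this_update, next_update = parse_time(tag, der[start:pos]), None
    if pos < tbs_end:                             # nextUpdate is optional
        tag, start, end = read_tlv(der, pos)
        if tag in (0x17, 0x18):
            next_update = parse_time(tag, der[start:end])
    return this_update, next_update

def crl_status(der, now=None):   # 'current', 'expired', 'not-yet-valid' or 'no-next-update'
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is None:
        return "no-next-update"
    return "expired" if now > next_update else "current"

def tlv(tag, value):                         # sample builder; short-form lengths only
    return bytes([tag, len(value)]) + value

# Constructed, unsigned CRL skeleton (not a real Treasury list). The algorithm OID is
# 1.2.643.7.1.1.3.2 (GOST R 34.10-2012, 256 bit); the parser skips it uninterpreted.
ALG = tlv(0x30, bytes.fromhex("06082a85030701010302"))
TIMES = tlv(0x17, b"240101000000Z") + tlv(0x17, b"240401000000Z")  # thisUpdate, nextUpdate
TBS = tlv(0x30, tlv(0x02, b"\x01") + ALG + tlv(0x30, b"") + TIMES)
SAMPLE_CRL = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CRL
    print(crl_status(data), *crl_validity(data))
```

Pass the path of a downloaded .crl file as the first argument; with no argument the script evaluates the constructed sample.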

Point No. 5. We install the user’s personal certificate through CryptoPro.

Point No. 6. Go to CryptoPro and check the “Do not check the server certificate for revocation” and “Do not check the purpose of your own certificate” checkboxes on the “TLS Settings” tab.

Point No. 7. Install Continent TLS Client 2.0.1440. Reboot.

Lyrics. During the installation process, an access error may occur... We have already gone through this before. You need to unlock the registry branch (right during the installation process), change the rights to change it. By default, the owner of the branch is “system”, and the software is installed on behalf of the user. Since on computers of this level users must be in “Administrators” (tested by practice), we give access accordingly:

If the question arises, “What is shown in the picture above?”... It’s better not to get involved yourself, but to ask a person who knows what the “Windows System Registry” is and how to work with it.

Point No. 8. We configure the Continent TLS (see the manual on the website roskazna.ru, section "GIS-Electronic Budget").

  • lk2012.budget.gov.ru
  • lk.budget.gov.ru

TLS settings:

Point No. 9. Registering Continent TLS.

  • Win+R and type %PUBLIC%\ContinentTLSClient\
  • Find the PublicConfig.json file
  • Open with Notepad for editing
  • In the SerialNumber parameter, insert the value "test-50000" (in quotes)
  • Restart TLS Continent.
Lyrics. You can do it easier, there is no sedition in this - register officially. They won't ask for money for this.

Point No. 10. Uninstall the Extended Container program through "Programs and Features" in the Control Panel. Reboot.

Lyrics. I did not complete this step. I don’t understand why it should be removed; it doesn’t interfere at all.

Point No. 11. Install Jinn Client 1.0.3050 (serial number required). Reboot.

Lyrics. The Treasury issued us version 1.0.1130.0, this did not affect the performance in any way. We take the serial number from the old version of the previously issued distribution.

Point No. 12. Install Extended Container from the distribution with Jinn Client (a separate serial number is required).

Lyrics. I have no idea what serial number we are talking about. It didn't exist before. Perhaps this means the number issued in the latest distribution. Unlike Jinn, there are no restrictions on the number of installations. I installed the new Extended (version 1.0.2.2) earlier in an attempt to solve the problem on my own.

Point No. 13. Go to C:\Program Files\Secure Code\CSP\ and find the file csp_uninstal.exe. We launch it and remove the crypto provider from the Security Code. Reboot.

Point No. 14. Install JinnSignExtensionProvider (for interaction with Chrome and Firefox browsers).

Lyrics. I also missed this point, because we have Internet Explorer 11. I didn’t try it on Chrome, but Firefox didn’t work.

Point No. 15. Install CadesPlugin (aka CryptoPro EDS Browser Plug-in).

Lyrics. You can download ⇒. Download the latest version. We register the site "http://lk2012.budget.gov.ru" in the plugin settings:


Point No. 16. Setting up browsers:
  • Internet Explorer: add to Trusted Sites - http://lk2012.budget.gov.ru and https://lk2012.budget.gov.ru
  • Firefox: add the JinnSignExtension.xpi extension and disable the old proxy setting in the network settings (set to "No proxy")
  • Chrome: add the JinnSignExtension extension (drag the folder with the extension into the extension installation window)
Lyrics. You also need to disable Proxy completely in Internet Explorer:


FURTHER something that was not in the instructions.

Create shortcuts on the desktop for both options (GOST-2001 and GOST-2012) by entering the following lines in the shortcut's Target field:

  • "C:\Program Files\Internet Explorer\iexplore.exe" http://lk.budget.gov.ru/udu-webcenter
  • "C:\Program Files\Internet Explorer\iexplore.exe" http://lk2012.budget.gov.ru/udu-webcenter
And just in case, in the properties we provide for launch as Administrator:


This is necessary so that the browser does not switch to the HTTPS protocol while working.

Setting up Anti-Virus. The network recommends disabling your antivirus completely. Great joke, especially on a money management computer. I suggest settings for Kaspersky Endpoint Security 10. You need to create similar rules on other antiviruses.

First, disable traffic checking:


Then we add both versions (x86 and x64) of Internet Explorer to application control exceptions:


Of course, this is not right, but it is the least evil of all possible.

You will have to convert the keys. Download the Private key converter; the archive contains a file Readme.doc with installation instructions. To convert, you don’t need an additional flash drive; we do everything on the same one, and files with the new key format are simply added. The medium will become universal. Both new and old keys are converted without problems.

Changing the user has become much easier. Now you don’t need to restart the service, just change the certificate in the “Default user certificate” line in the Continent TLS settings.

Good luck in your difficult struggle with federal portals!


When using Continent AP, the software product for working with the Federal Treasury, users often encounter the error "Root certificate not found". There may be several reasons for this error to appear; in this article we will list the main ones and find out what to do in such cases and how to remove the error. Please note that the information is relevant at the time of writing. If the listed methods do not help you cope with the problem on your own, you can always contact the technical support department of the Treasury or the developers of the Continent AP program.

Reasons for the error "Root certificate not found" in Continent AP

1. The root certificates of the Federal Treasury certification authority (CA) are not installed. Usually, UFK employees record them on a flash drive along with the user's personal certificate. Check that they are present in the Trusted Root Certification Authorities store. To do this, follow the path: Start - Control Panel - Internet Options - "Content" tab - "Certificates" - "Trusted Root Certification Authorities", scroll down the list and see which root certificates with Russian names are installed. If everything is done correctly, you should see something like this:

If you do not have these certificates in the list, you need to download and install them, the procedure is described below. You can also check the presence of installed certificates in the system by pressing the Win key (the key in the bottom row of the keyboard with the Windows icon) + R and in the window that appears, type certmgr.msc and press Enter.

2. Root CA certificates were mistakenly or intentionally deleted. Again - download and install certificates.

3. Root certificates have expired. A very rare error: root certificates are issued for a long period, from 5 to 10 years, but sometimes other versions are issued. Resolving the error in this case is the same: download and install fresh root certificates.

4. Problem with Crypto Pro. Often updated versions of the Crypto Pro program do not work correctly with Treasury programs and certificates. We have already written about this, for example. The solution is to reinstall Crypto Pro to a newer or, conversely, older version.

5. Limited user rights. The Continent AP error “Root certificate not found” was noticed in version 10 of Windows. The solution is to give the user full rights.

6. Incorrect operation of the Continent AP program. Solution - complete removal and installation of the current version of the Continent AP program according to the Manual available on the official website.

Link to download Treasury root certificates

You can download current root certificates of the Treasury Certification Authority from the official website at the link: roskazna.ru/gis/udostoveryayushhij-centr/kornevye-sertifikaty/
For correct operation, you need to download and install both offered certificate files:

1. Certificate of the Main Certification Center of the Ministry of Telecom and Mass Communications,
2. Certificate of the Certification Center of the Federal Treasury.

Their release dates may vary; as a rule, they are released for several years.

How to install

Before installing the CA root certificate, you must make sure that you have the Crypto-Pro program installed and its license is active. You need to right-click on the downloaded certificate and select Install Certificate from the menu. Next, select the storage location - User or Local Computer. We recommend choosing the second option. Click the Next button. Select Place certificates in the following store, click Browse, click on Trusted Root Certification Authorities, click Ok, Next and Finish. A warning about the installation will appear:

If you did everything correctly, a message will appear stating that the import was successful. The same procedure must be done to install the second root certificate. You can download the archive with the current Root certificates at the time of writing:

Not long ago, budgetary organizations, namely village council administrations, started contacting me with requests to help them set up the Electronic Budget system. This is another project of our government, give_them_health, as part of the services of the Electronic Government of the Russian Federation project. Grandmothers and aunties in villages and rural councils have old computers and very slow Internet.

They are obliged, just like everyone else, to be able to install this according to the instructions and use it. Otherwise, the deadlines. Someone is waiting for fulfillment, so workers of rural administrations are reaching out to those who can help them with this. Naturally, they don’t have a full-time programmer. Well, okay, these are all lyrics. Let's get down to business. People have a disk in their hands, apparently with distribution kits, and a desire for this kind of Electronic Budget to work for them.

On the disk, in principle, everything is neatly laid out and it was not a problem to install the whole thing according to the instructions. By the way, the instructions are also on the Roskazna website itself. There were no special problems following the instructions to install a set of programs, certificates, etc. As a result, after the last reboot and setting up a proxy in the browser (Mozilla was selected), the attempt to access the site http://lk.budget.gov.ru/ was not successful. After selecting a user certificate, the site began to complain: The root certificate was not found. Although I personally installed it, adding it to the trusted root certificates according to the instructions. After sitting for a while and looking through the instructions again, I discovered this interesting point, which I think other people may encounter.

But for me it stubbornly displays as:

As we can see, there is no Local Computer storage here. This is where the dog rummaged. Well, okay, apparently they know better there, and we’ll go around, adding where necessary. To do this, click Start and in the line Find programs and services we type: certmgr.msc.

The System Certificates management console opens. Go to Trusted Root Certification Authorities -> Local computer -> right-click on Certificates -> All tasks -> Import.

The Certificate Import Wizard will open. Click Next -> Browse -> and specify the path to the root certificate file. By the way, if you haven’t downloaded it according to the instructions, you can download it from the Roskazna website by choosing a qualified one.

If you opened certmgr.msc and there is no Local computer branch at all, don’t get upset; there is still a way. Click Start and in the Find programs and services line type: mmc. If you are a Win 7 or higher user, I advise you to run mmc as an administrator. I wrote how to do this. In the console that opens, go to the menu File -> Add/Remove Snap-in. In the list of available snap-ins, find Certificates. Add the snap-in twice in turn: for the current user and for the local computer.


And voila, go to http://lk.budget.gov.ru/ and make sure everything works. The root certificate error should at least go away. But I can’t promise that everything will work. In general, I advise you to log in every time through http://budget.gov.ru/ by clicking Login in the upper right corner and then the large button Login to the personal account of the “Electronic Budget” system. Well, don’t be afraid of mistakes, etc. The system is currently running in test mode, and logging in does not always succeed on the first try. We poke and we suffer :)
