Electronic budget certificate. Typical mistakes "Electronic budget"

One of the most common errors in the "Electronic Budget" workstation (AWP) program is error number 434, which occurs when connecting to the server. It is quite simple to solve; in most cases only 2 actions help:

1. Update the TLS Continent build to the current version. For example, version number 920 was unstable and the connection often ended with a 434 "Destination server unavailable" error. The current version can be downloaded from the site securitycode.ru.

2. Check that the address of the user's personal account in the "Electronic budget" program is entered correctly in the TLS Continent, as well as the port number (8080). The string must not contain spaces or any other characters either at the beginning or at the end. The correct address would be: lk.budget.gov.ru (as in the photo). If you are setting up a proxy server through a browser, it must be configured accordingly. If you are not working through a proxy server, the checkbox in the TLS settings should not be checked. More on that below.

Error 434 "The destination server is unavailable." How to remove?

If the two fixes above (updating the build and spelling the address of your personal account correctly) did not help, then the problem most likely lies in incorrectly installed root certificates of the certification center or in the proxy settings in the browser, and it is also solvable.

- Regarding certificates: some users, when installing the program incorrectly, put the root certificates of the CA and TLS in the Registry store, while according to the instructions the correct place is the Local Computer store. In this case, moving the certificates will help.

If you choose to set up a proxy server in the browser, it must be enabled in the correct way. You must specify the proxy type HTTP and check the box that the proxy server will be used for all protocols. Firefox browser configuration example below.

- Error 401. Solution: check the "TLS Continent" settings and restart the "TLS Continent" service.
- Error 403. Solution: you can install the root certificate in the local storage (Local Computer); additionally check the availability of the list of revoked certificates fk01.crl, since it is possible that the path is blocked for some reason.
  Global address: crl.roskazna.ru/crl/fk01.crl
  Local address (for UFK): crl.fsfk.local/crl/fk01.crl
- Error 404. Solution: everything is bad with the settings (see above).
- Error 434. Solution: first of all, pay attention to the correctness of the entered address (lk.budget.gov.ru/udu-webcenter), especially the letter "c" if the address is copied from somewhere. Check the "TLS Continent" and browser settings (all described above). In rare cases the firewall blocks the connection (only met on PCs with Comodo or Avast). The port itself should not be opened unnecessarily; you just need to allow the TLS Continent to work normally. How unfortunate. Restarting the "TLS Continent" service sometimes helps.
- Error 500: Server-side error. Refresh the page in the browser.
- Error 502: Global problem related to server operation.
- You need to contact the sys. admin. Solution: restart the "TLS Continent" service or simply refresh the page in the browser.
- You need to contact the registrar of the FC. Solution: the certificate attached with the application is not installed (described above), or the wrong certificate is selected. In the certificate selection window on the right there are serial numbers by which it is easy to identify the required certificate. To re-select the certificate after an error, it is desirable to restart the "TLS Continent" service.
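The two address checks mentioned above (no stray characters at either end of the string, and the letter "c" in a copied address) can be scripted. This is an added example, not part of the original instructions; the function name Test-EbAddress is hypothetical, and it assumes the warning about "c" refers to a Cyrillic "с" (U+0441) pasted in place of the Latin one.

```powershell
# Added example: check an address string before entering it in TLS Continent
# or in a browser shortcut. Positions are counted in the trimmed string.
function Test-EbAddress {
    param([Parameter(Mandatory)][string]$Address)

    $issues  = New-Object System.Collections.Generic.List[string]
    $trimmed = $Address.Trim()
    if ($trimmed.Length -ne $Address.Length) {
        $issues.Add('leading or trailing whitespace')
    }
    for ($i = 0; $i -lt $trimmed.Length; $i++) {
        $code = [int][char]$trimmed[$i]
        if ($code -ge 0x0400 -and $code -le 0x04FF) {
            # Cyrillic block: U+0441 renders like Latin "c" (U+0063)
            $issues.Add(('Cyrillic U+{0:X4} at position {1}' -f $code, $i))
        } elseif ($code -le 0x20 -or $code -ge 0x7F) {
            # embedded spaces, control characters, other non-ASCII
            $issues.Add(('unexpected character U+{0:X4} at position {1}' -f $code, $i))
        }
    }
    [pscustomobject]@{
        Address = $Address
        Ok      = ($issues.Count -eq 0)
        Issues  = $issues.ToArray()
    }
}

# Constructed sample inputs: a clean address, one with a trailing space,
# and one where the "c" of "webcenter" is the Cyrillic look-alike.
$samples = @(
    'lk.budget.gov.ru/udu-webcenter',
    'lk.budget.gov.ru ',
    ('lk.budget.gov.ru/udu-web' + [char]0x0441 + 'enter')
)
$samples | ForEach-Object { Test-EbAddress -Address $_ } | Format-List
```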

Setting up the E-budget workstation takes place in several stages; they are not complicated, but they require care. We do everything according to the instructions for setting up an electronic budget. Short and to the point...

Electronic budget workplace setup

Root certificate e-budget

Create a key folder in My Documents to store the downloaded certificates:

On the site http://roskazna.ru/gis/udostoveryayushhij-centr/kornevye-sertifikaty/ in the GIS menu -> Certification Authority -> Root certificates, you need to download "Root Certificate (Qualified)" (see figure), or if you received a flash drive with certificates, copy them from the Certificates folder.

Certificate Continent TLS VPN

The second certificate that you need to download is the TLS VPN Continent certificate, but I could not find it on the new roskazna website, so I put a link from my website. Download the Continent TLS VPN certificate to the key folder, we will need it later when we configure the Continent TLS client program.

Install the downloaded Root certificate (qualified) to work with the electronic budget.

In the START menu -> All Programs -> CRYPTO-PRO -> run the Certificates program.

Go to the Certificates item as shown in the figure below:

Go to the Action menu - All Tasks - Import; the Certificate Import Wizard window will appear. Click Next, then Browse, and find the downloaded Root certificate (qualified); in our case, it is located in My Documents in the key folder.

If everything is done correctly, then the root certificate of the CA of the Federal Treasury will appear in the certificates folder.
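The result of this import, and the misplacement described earlier (root certificate put in the Registry store instead of Local Computer), can be checked from PowerShell. This is an added example, not part of the original instructions; the function name and the file name are hypothetical, and it assumes "Registry" means the per-user physical store, which shows up only under Cert:\CurrentUser\Root.

```powershell
# Added example: report which trusted-root store holds a downloaded root certificate.
function Get-RootCertPlacement {
    param([Parameter(Mandatory)][string]$CerPath)   # path to the downloaded .cer file

    $full  = (Resolve-Path -LiteralPath $CerPath).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    $thumb = $cert.Thumbprint

    # Cert:\LocalMachine\Root is the "Local Computer" trusted-root store.
    $inMachine = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$thumb"
    # Cert:\CurrentUser\Root is a logical view that also lists machine-wide roots,
    # so a per-user-only install is one visible here but absent from LocalMachine.
    $inUser = Test-Path -LiteralPath "Cert:\CurrentUser\Root\$thumb"

    $placement = if ($inMachine) { 'LocalComputer' } elseif ($inUser) { 'CurrentUserOnly' } else { 'NotInstalled' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $thumb
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        Placement  = $placement
    }
}

# Placeholder file name: substitute the certificate saved in the "key" folder.
$cer = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'key\root-certificate.cer'
if (Test-Path -LiteralPath $cer) {
    $r = Get-RootCertPlacement -CerPath $cer
    $r | Format-List
    if ($r.Placement -ne 'LocalComputer') {
        Write-Warning 'Root certificate is not in the Local Computer store; import it there.'
    }
}
```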

Installing "Continent TLS Client" for working with the electronic budget

Continent_tls_client_1.0.920.0 can be found on the internet.

Unpack the downloaded archive, go to the CD folder and run ContinentTLSSetup.exe.

From the list of items, click Continent TLS Client KC2 and start the installation.

We accept the conditions.

Leave the destination folder at its default.

In the launch configurator window, check the box "Run configurator after installation is complete".

During installation, the Service settings window will appear:

Address - specify lk.budget.gov.ru

Certificate - select the second certificate downloaded earlier in the key folder.

Click OK and complete the installation, Done.

Answer No to the prompt to restart the operating system.

Installing the electronic signature tool "Jinn-Client"

You can download the Jinn-Client program on the Internet.

Go to the folder Jinn-client - CD and run setup.exe.

Click Jinn-Client in the list; the installation of the program starts.

Ignore the error, click Continue, Next, accept the agreement and click Next.

Enter the issued license key.

Set the default program, click Next.

We complete the installation and answer No to the question about restarting the operating system.

Installing the module for working with the electronic signature "Cubesign"

If you need an archive with the program, write in the comments.

Run the installation file cubesign.msi

Setting up the Mozilla Firefox browser to work with the Electronic Budget.

1. Open the "Tools" menu and select "Settings".

2. Go to the "Advanced" section, "Network" tab.

3. In the "Connection" settings section, click the "Configure…" button.

4. In the connection parameters window that opens, set the value "Manual configuration of the proxy service."

5. Set the values of the HTTP proxy fields: ; Port: 8080.

6. Press the OK button.

7. In the "Settings" window, click the "OK" button.

Login to the personal account of the Electronic budget

A window will open with the choice of a certificate for entering the personal account of the Electronic Budget.

We select a certificate to enter the Personal Account of the Electronic Budget; if there is a password for the private part of the certificate, enter it and click OK, after which the Personal Account of the Electronic Budget will open.

Another federal hemorrhoid crept up as planned, and as always... The instruction sent by e-mail (with a request for "incognito") will be taken as the basis, supplemented by my lyrics and notes. Because we've got it all working. As with purchases, everything you might need has been thrown into the ⇒ Cloud.

Lyrics and additions are also important, read from cover to cover.

Introduction. We have everything set up to work through Internet Explorer version 11, and the KES 10 antivirus is installed. After the ransomware epidemic, we had to disable the Firewall and now we work through the Windows Firewall. No settings were made in the firewall; EB-2012 works without problems. But I will show the settings for KES 10 later. Internet Explorer 11 can be downloaded from ⇒ Yandex.

So let's go...

Item #1. Remove all versions of Jinn-Client and Continent TLS (if installed before). Reboot.

Lyrics. If you do not need any "self-written" departmental software, I recommend that you also go over the registry with the CCleaner utility, and clean until it reports "No Errors". If VirtualBox is installed, there will be errors only from it. Reboot.

Item #2. Remove Extended Container (if installed before). Reboot.

Lyrics. I did not figure out how to remove it, it remained in the system - this did not affect the final result. In extreme cases, you can then simply install a fresh one on top. Here we may need the Microsoft Visual C++ libraries (which I put in a separate folder).

Information. Our Treasury was silent this time, and I searched for all the software on my own and installed it according to instructions from the forums. Ultimately, Extended Container is not from the "official" distribution, but version (folder "eXtendedContainer" in the Cloud).

Item #3. Install the Mozilla Firefox 63.0.1 (32-bit) browser; you can upgrade over the old version.

Lyrics. The item was completed, but it did not work, and SUFD, which had been configured through Firefox, flew off. Got extra hemorrhoids. Internet Explorer 11 is our everything! There's still a problem here. Firefox and Chrome are constantly updated, but the final security requirements have not been formed... and extensions crash and turn off... Firefox ESR is also undergoing a stage of global changes... In short, it's better not to touch it.

Item #4. Install the CRL for GOST-2012 (as administrator, into Trusted Roots on the Local Computer). You can download fresh ones from crl.roskazna.ru.

For information. Different E-Budget certificates have different paths: crl.roskazna.ru and crl.roskazna.ru/crl/. If the list turns out to be overdue, you can try a different address. It might work.

Lyrics. It was not necessary, because we already did all this crap with an unsuccessful attempt to install Continent-AP (the computer was built on server hardware). I don’t know about the rest, but we rolled back to Continent-AP and continue to work without problems (Continents ⇒ ). We are waiting for the normal version of Continent-AP 4.0.

But with GOST-2001 in the "Electronic budget" there were problems. And this paragraph will be useful both for general development and for solving the problem ... How can I find out where to get the CRL (aka "Certificate Revocation List")?

Double-click the problematic certificate in Explorer. Go to the "Details" tab and select the line "Revocation List Distribution Points (CRL)". This gives the addresses... We launch any Internet browser and enter the URL. If it is "empty" at all addresses, well, stillborn... :(

What we downloaded needs to be forced into the system, and this has to be done every time the list is no longer relevant... In the same Explorer, double-click on the downloaded file and select "Install ...":

And the most interesting thing is that the download paths are registered in TLS 2.0, but this c[puppy's mother]a writes that there is nothing at the specified address.

And for information: it turns out that certificates and private key containers are independent of each other in terms of lifetime. I.e., the certificate may be up to date, but the document can no longer be signed...

Item #5. We install the user's personal certificate through CryptoPro.

Item #6. Log in to CryptoPro and set the checkboxes "Do not check the server certificate for revocation" and "Do not check the purpose of your own certificate" on the "TLS Settings" tab.

Item #7. Install Continent TLS Client 2.0.1440. Reboot.

Lyrics. During the installation process, an access error may occur ... We have already gone through this before. You need to unlock the registry branch (right during the installation process), change the rights to change it. By default, the owner of the branch is "system", and the software is installed on behalf of the user. Since on computers of this level, users must be in "Administrators" (verified by practice), then we give access accordingly:

If the question arose, "What is shown in the picture above?" ... It's better not to go in yourself, but ask a person who knows what the "Windows Registry" is and how to work with it.

Item #8. We are setting up the TLS Continent (see the manual on the site roskazna.ru, section "GIS-Electronic budget").

  • lk2012.budget.gov.ru
  • lk.budget.gov.ru

TLS settings:

Item #9. Register TLS Continent.

  • Press Win+R and type %PUBLIC%\ContinentTLSClient\
  • Find the PublicConfig.json file
  • Open it in Notepad for editing
  • In the SerialNumber parameter, insert the value "test-50000" (in quotes)
  • Restart TLS Continent.
Lyrics. You can do it easier, there is no sedition in this - register officially. They won't ask for money.

Item #10. We uninstall the Extended Container program through "Programs and Features" in the Control Panel. Reboot.

Lyrics. I did not complete this item. I did not understand why it should be removed, it does not interfere at all.

Item #11. Install Jinn Client 1.0.3050 (serial number required). Reboot.

Lyrics. The Treasury issued version 1.0.1130.0 to us, this did not affect the performance in any way. We take the serial from the old version of the previously issued distribution.

Item #12. Install Extended Container from the distribution with Jinn Client (requires a separate serial number).

Lyrics. I have no idea what serial number you are talking about. It didn't exist before. Perhaps it means the issued number in the fresh distribution. Unlike Jinn, there are no restrictions on the number of installations. The new Extended (version was installed earlier in an attempt to solve the problem on its own.

Item #13. Go to C:\Program Files\Secure Code\CSP\ and find the file csp_uninstal.exe. Launch it and remove the crypto provider from the Security Code. Reboot.

Item #14. Install JinnSignExtensionProvider (for interoperability with Chrome and Firefox browsers).

Lyrics. I also missed this point, because we have Internet Explorer 11. I did not try it on Chrome, but Firefox did not work.

Item #15. Install CadesPlugin (aka CryptoPro EDS Browser Plug-in).

Lyrics. You can download ⇒. Downloading the latest version. We register the site "http://lk2012.budget.gov.ru" in the plugin settings:

Item #16. Setting up browsers:
  • Internet Explorer: add to Trusted Sites - http://lk2012.budget.gov.ru and https://lk2012.budget.gov.ru
  • Firefox: add the extension JinnSignExtension.xpi and disable the old proxy setting in the network settings (set to "No proxy")
  • Chrome: add the JinnSignExtension extension (drag the folder with the extension to the extension installation window)
Lyrics. Even in Internet Explorer, you need to disable Proxy completely:

FURTHER something that was not in the instructions.

Create shortcuts on the desktop for both options (GOST-2001 and GOST-2012) by entering the following lines in the shortcut's Target field:

  • "C:\Program Files\Internet Explorer\iexplore.exe" http://lk.budget.gov.ru/udu-webcenter
  • "C:\Program Files\Internet Explorer\iexplore.exe" http://lk2012.budget.gov.ru/udu-webcenter
And just in case, in the properties we provide for running on behalf of the Administrator:

This is necessary so that the browser does not jump to the HTTPS protocol during operation.

Setting up Antivirus. The network recommends disabling the antivirus completely. Great joke, especially on a money management computer. Here are suggested settings for Kaspersky Endpoint Security 10. On other antiviruses, you need to create similar rules.

First, turn off traffic checking:

Then we add both versions (x86 and x64) of Internet Explorer to the program control exceptions:

Of course, this is not correct, but it is the lesser evil of all possible.

Keys will have to be converted. Download the Private key converter; the archive contains a Readme.doc file with installation instructions. An additional flash drive is not needed for the conversion: we do everything on the same one and just add files with the new key format. The carrier will become universal. Both new keys and old ones are converted without problems.

User change has become much easier. Now you do not need to restart the service, just change the certificate in the "Default User Certificate" line in the TLS Continent settings.

Good luck in your difficult fight against federal portals!
