Microsoft WinGet package manager failing from expired SSL certificate

Microsoft’s WinGet package manager is currently having problems installing or upgrading packages after WinGet CDN’s SSL/TLS certificate expired.

, the open source Windows Package Manager (WinGet) allows users to install applications directly from the command line.

WinGet down after CDN’s SSL expires

Starting late evening hours of Saturday, Windows users began reporting issues when attempting to install or upgrade apps via WinGet.

WinGet user Tiger Wang on GitHub of their command line throwing an “InternetOpenUrl() failed” error as they tried running simple WinGet commands, such as:

winget upgrade --all --verbose.

Users report errors while using WinGet
Users report errors while using WinGet (GitHub)

This report was seconded by who was also experiencing the issue. The problem appears to be connected to WinGet CDN’s SSL/TLS certificate that has now expired.

When navigating to the CDN URL, in Chrome, BleepingComputer received the following error:

WinGet CDN SSL expiration
WinGet CDN’s SSL/TLS certificate expiration warning (BleepingComputer)

Both the warning and the certificate details confirm that WinGet CDN’s certificate stopped being valid over the weekend:

SSL expiry date
Certificate’s expiry date shown in GMT+05:30 (BleepingComputer)

What is a temporary solution?

Until Microsoft renews the SSL certificate, WinGet users can rest easy knowing there’s an alternate workaround to address the situation.

This involves adding the following source URL to WinGet’s list of sources, as opposed to relying solely on That way, WinGet can fetch the packages from this alternate server which has a valid certificate at the time of writing.

“You can add a source like using the command below,” GitHub user qilme .

sudo winget source add -n winget

The enables users to manage sources for Windows Package Manager. With the source command, one can add, list, edit, delete, reset, or export repositories used by WinGet.

Note: When executing the above command, ‘sudo’ is not required if the command is being run in PowerShell by an administrator account. Should you experience errors, try  prior to adding the new azureedge link.

The azureedge URL in question is an alias for WinGet’s CDN, albeit with a valid certificate which makes it a viable solution for WinGet devs:

nslookup DNS query for WinGet CDN
‘nslookup’ results for WinGet CDN’s hostname (BleepingComputer)

Once Microsoft has renewed the primary CDN’s certificate, users can optionally choose to reset their source URLs by running another command:

“You can always run winget source reset –force (as admin) to get back to defaults,” GitHub user Adam Langbert.

Prior to today, WinGet’s last widespread disruption  due to the CDN returning a “0-byte database file” when queried.