
The Electronic Budget does not allow you to select a certificate. Typical errors in the Electronic Budget and setting up a workplace

One of the most common errors in the Electronic Budget workstation program is an error that occurs when connecting to the server, with index number 434. Solving it is quite simple; in most cases, only 2 actions help:

1. Update the Continent TLS build to the current version. For example, version number 920 was unstable, and the connection often failed with error 434 “Destination server is unavailable.” The current version can be downloaded from the website

2. Check that the address of the personal account of the Electronic Budget user is entered correctly in Continent TLS, as well as the port number (8080). The line must not contain spaces or any other characters at either the beginning or the end. The correct address would be: in the photo). If you are setting up a proxy server through a browser, it must be configured accordingly. If you do not work through a proxy server, the TLS settings should not be checked. More on this below.

Error 434 "The destination server is unavailable." How to remove?

If the two above options for solving problems did not help you (updating the assembly and spelling the address of your personal account correctly), then the problem most likely lies in the incorrect installation of root certificates of the certification authority or proxy settings in the browser, and it can also be solved.

- Regarding certificates: when the program is installed incorrectly, some users place the CA and TLS root certificates in the Registry store, whereas the instructions call for the Local Computer store. In this case, moving the certificates will help.

If you choose to set a proxy server in your browser, it must be enabled in the correct way. You must specify the proxy type - HTTP and check the box that the proxy server will be used for all protocols. An example of setting up the Firefox browser is below.

Users of Continent AP, the software product for working with the Federal Treasury, often encounter the error "Root certificate not found". There may be several reasons for this error; in this article we list the main ones and explain what to do in each case to remove it. Please note that the information is relevant at the time of writing. If the listed methods do not help you cope with the problem on your own, you can always contact the technical support department of the Treasury or the developers of the Continent AP program.

Reasons for the error "Root certificate not found" in Continent AP

1. The root certificates of the Federal Treasury certification authority (CA) are not installed. Typically, UFK employees record them on a flash drive along with the user’s personal certificate. Check that they are present in the Trusted Root Certification Authorities. To do this, follow the path: Start - Control Panel - Internet Options - "Content" tab - "Certificates" - "Trusted Root Certification Authorities", scroll down and see which root certificates with Russian names are installed. If everything is done correctly, you should see something like this:

If you do not have these certificates in the list, you need to download and install them, the procedure is described below. You can also check the presence of installed certificates in the system by pressing the Win key (the key in the bottom row of the keyboard with the Windows icon) + R and in the window that appears, type certmgr.msc and press Enter.

2. Root CA certificates were mistakenly or intentionally deleted. Again - download and install certificates.

3. Root certificates have expired. This is very rare: root certificates are issued for a long period, from 5 to 10 years, but sometimes other versions are issued. The fix in this case is the same: download and install fresh root certificates.

4. Problem with Crypto Pro. Often updated versions of the Crypto Pro program do not work correctly with Treasury programs and certificates. We have already written about this, for example. The solution is to reinstall Crypto Pro to a newer or, conversely, older version.

5. Limited user rights. The Continent AP error “Root certificate not found” was noticed in version 10 of Windows. The solution is to give the user full rights.

6. Incorrect operation of the Continent AP program. The solution is complete removal and installation of the current version of the Continent AP program according to the Guide available on the official website.
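The first three causes above, and the Registry versus Local Computer mix-up, can be checked in one pass from PowerShell. This is an added example, not part of the original article; the function name and the file paths in the usage comment are hypothetical, and the certificate files are the ones you downloaded yourself.

```powershell
# Added example (not from the original article): report where each downloaded
# root certificate is installed and whether it has expired.
function Test-RootCertPlacement {
    param(
        # Hypothetical paths: the root certificate files you downloaded.
        [Parameter(Mandatory)][string[]]$CertFile,
        # Import into the Local Computer store when missing (needs an elevated console).
        [switch]$Import
    )
    foreach ($file in $CertFile) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "File not found: $file"
            continue
        }
        $full = (Resolve-Path -LiteralPath $file).Path
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

        $machinePath = "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
        if ($Import -and -not (Test-Path -LiteralPath $machinePath)) {
            Import-Certificate -FilePath $full -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        }
        $inMachine = Test-Path -LiteralPath $machinePath
        # The Current User view of Root also lists Local Computer certificates,
        # so "user only" means: visible there but absent from LocalMachine.
        $inUser = Test-Path -LiteralPath "Cert:\CurrentUser\Root\$($cert.Thumbprint)"

        $placement = if ($inMachine) { 'Local Computer (as the instructions require)' }
                     elseif ($inUser) { 'Current user (Registry) store only' }
                     else { 'Not installed' }

        [pscustomobject]@{
            File      = Split-Path -Leaf $full
            Subject   = $cert.Subject
            NotAfter  = $cert.NotAfter
            Expired   = (Get-Date) -gt $cert.NotAfter
            Placement = $placement
        }
    }
}

# Usage (hypothetical file names):
# Test-RootCertPlacement -CertFile 'C:\Temp\root_ca_1.cer','C:\Temp\root_ca_2.cer' | Format-List
```

A row with Placement "Current user (Registry) store only" is the case where the certificate has to be moved to the Local Computer store; Expired = True corresponds to reason 3.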

Link to download Treasury root certificates

You can download current root certificates of the Treasury Certification Authority from the official website at the link:
For correct operation, you need to download and install both offered certificate files:

1. Certificate of the Main Certification Center of the Ministry of Telecom and Mass Communications,
2. Certificate of the Certification Center of the Federal Treasury.

Their release dates may vary; as a rule, they are released for several years.

How to install

Before installing the CA root certificate, you must make sure that you have the Crypto-Pro program installed and its license is active. You need to right-click on the downloaded certificate and select Install Certificate from the menu. Next, select the storage location - User or Local Computer. We recommend choosing the second option. Click the Next button. Select Place certificates in the following store, click Browse, click on Trusted Root Certification Authorities, click Ok, Next and Finish. A sign warning you about the installation will appear:

If you did everything correctly, a message will appear indicating that the import was successful. The same procedure must be done to install the second root certificate. You can download the archive with the current Root certificates at the time of writing:

Not long ago, budgetary organizations, namely the administrations of village councils, began to contact me with a request to help them set up the Electronic Budget system. This is another project of our government, give them health, as part of the services of the Electronic Government of the Russian Federation project. Grandmothers and aunties in villages and rural councils have old computers and very slow Internet.

They are obliged, just like everyone else, to be able to install this according to the instructions and use it. Otherwise, the deadlines. Someone is waiting for fulfillment, so workers of rural administrations are reaching out to those who can help them with this. Naturally, they don’t have a full-time programmer. Well, okay, these are all lyrics. Let's get down to business. People have a disk in their hands, apparently with distribution kits, and a desire for this kind of Electronic Budget to work for them.

On the disk, in principle, everything is neatly laid out and it was not a problem to install the whole thing according to the instructions. By the way, the instructions are also on the Roskazna website itself. There were no special problems following the instructions to install a set of programs, certificates, etc. As a result, after the last reboot and setting up a proxy in the browser (Mozilla was selected), trying to access the site was not successful. After selecting a user certificate, the site began to complain: The root certificate was not found. Although I personally installed it, adding it to the trusted root certificates according to the instructions. After sitting for a while and looking through the instructions again, I discovered this interesting point, which I think other people may encounter.

But for me it stubbornly displays as:

As we can see, there is no Local Computer storage here. This is where the dog rummaged. Well, okay, apparently they know better there, and we’ll go around, adding where necessary. To do this, click Start and in the line Find programs and services we type: certmgr.msc.

The System Certificates management console opens. Let's go to Trusted Root Certification Authorities -> Local computer-> Right click on Certificates -> All tasks -> Import.

The Certificate Import Wizard will open. Click Next -> Browse -> and specify the path to the root certificate file. By the way, if you haven’t downloaded it according to the instructions, you can download it from the Roskazna website by choosing a qualified one.

If you opened certmgr.msc and there is no Local computer branch there at all, don’t get upset; there is still a way. Click Start and in the line Find programs and services type: mmc. If you are a Win 7 or higher user, I advise you to run mmc as an administrator. I wrote how to do this. In the console that opens, go to the menu File -> Add/Remove Snap-in. In the list of available snap-ins, look for Certificates. Add the snap-in in turn for the current user and for the local computer.

And voila, going to making sure everything works. The root certificate error should at least go away. But I can’t promise that everything will work. In general, I advise you to log in every time through After Entrance in the upper right corner, and on the large Login button personal account “Electronic budget” system. Well, don’t be afraid of errors, etc.: the system at the moment works in test mode and does not let you log in the first time. We poke and we suffer :)


Another federal hemorrhoids crept up as planned, and as always... The basis will be taken from the instructions sent by email (with the request “incognito”), supplemented by my lyrics and notes. Because everything worked for us. By analogy with procurement in ⇒ Cloud I threw in everything you might need.

The lyrics and additions also contain important points; read from cover to cover.

Introductory . We have everything configured to work through Internet Explorer version 11 and have KES 10 antivirus installed. After the ransomware epidemic, we had to disable Firewall and now we work through Windows Firewall. No settings were made in the “wall of fire”; EB-2012 works without problems. But I’ll show you the settings for KES 10 later. Internet Explorer 11 can be downloaded from ⇒ Yandex.

So, let's go...

Point No. 1 . Remove all versions of Jinn-Client and Continent TLS (if previously installed). Reboot.

Lyrics. If you don’t have any “home-written” departmental software, I also recommend running the registry utility CCleaner. And clean until it says “No errors.” If VirtualBox is installed, only errors from it will remain. Reboot.

Point No. 2 . Remove Extended Container (if it was installed before). Reboot.

Lyrics. I didn’t figure out how to remove it, it remained in the system - it didn’t affect the final result. As a last resort, you can simply put a fresh one on top. This is where we may need the Microsoft Visual C++ libraries (which I put in a separate folder).

Information. This time our Treasury remained silent, and I looked for all the software myself and installed it according to the instructions from the forums. Ultimately, we have Extended Container not from the “official” distribution, but version (folder "eXtendedContainer" in the Cloud).

Point No. 3 . Install the Mozilla Firefox 63.0.1 (32-bit) browser; you can install it over the old version.

Lyrics. I completed the step, but it didn’t work, and SUFD configured via Firefox flew off. The result was extra hemorrhoids. Internet Explorer 11 is our everything! There's another problem here. Firefox and Chrome are constantly updated, but the final security requirements have not been formed... and extensions crash and are disabled... Firefox ESR is also going through a phase of global changes... In short, it's better not to touch it.

Point No. 4 . Install the CRL for GOST-2012 (as administrator, into Trusted root in Local computer). You can download the latest ones from

For information. Different Electronic Budget certificates indicate different paths: and If the list suddenly turns out to be expired, you can try a different address. It might just work.

Lyrics. This was not needed, because we had already done all this crap with an unsuccessful attempt to install Continent-AP (the computer was built on server hardware). I don’t know about the others, but we rolled back to Continent-AP and continue to work without problems (Continents ⇒ ). We are waiting for the normal version of Continent-AP 4.0.

But problems arose with GOST-2001 in the “Electronic Budget”. And this point will be useful for general development, and to solve the problem... How do I find out where to get the CRL (aka "Certificate Revocation List")?

Double-click the problematic certificate in Explorer. Go to the "Details" tab and select the line "CRL Distribution Points". We get addresses... Launch any Internet browser and enter the URL. If “empty” at all addresses, well, stillborn... :(

What we downloaded needs to be forced into the system. And so every time the list loses its relevance... In the same Explorer, double-click on the downloaded file and select "Install...":

And the most interesting thing is that the download paths are registered in TLS 2.0, but this c[puppy’s mother] writes that there is nothing at the specified address.

And for information: It turns out that certificates and private key containers have lifetimes independent of each other. I.e. the certificate may be current, but it is no longer possible to sign the document...
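The manual CRL lookup described above (open the certificate, read the distribution points, try each address) can be scripted. This is an added example, not part of the original instructions; the function name and the paths are hypothetical, and it relies on the "URL=" prefix that Windows uses when it formats this certificate extension.

```powershell
# Added example (not from the original article): list the CRL addresses stored
# in a certificate and try to download each list.
function Get-CrlFromCertificate {
    param(
        # Hypothetical path: the exported certificate that fails the revocation check.
        [Parameter(Mandatory)][string]$CertFile,
        # Folder for the downloaded lists (assumption: the user's temp folder).
        [string]$OutDir = $env:TEMP
    )
    $full = (Resolve-Path -LiteralPath $CertFile).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # 2.5.29.31 is the standard OID of the "CRL Distribution Points" extension.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) {
        Write-Warning 'The certificate has no CRL Distribution Points extension.'
        return
    }

    # Keep only HTTP(S) addresses; other schemes cannot be fetched this way.
    $urls = [regex]::Matches($ext.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $name = [IO.Path]::GetFileName(([uri]$url).AbsolutePath)
        if (-not $name) { $name = 'downloaded.crl' }
        $target = Join-Path $OutDir $name
        try {
            Invoke-WebRequest -Uri $url -OutFile $target -UseBasicParsing -TimeoutSec 30
            [pscustomobject]@{
                Url = $url; Reachable = $true
                Bytes = (Get-Item -LiteralPath $target).Length; SavedAs = $target
            }
        } catch {
            # "Empty" address: the list could not be fetched from this URL.
            [pscustomobject]@{ Url = $url; Reachable = $false; Bytes = 0; SavedAs = $null }
        }
    }
}

# Usage (hypothetical file name):
# Get-CrlFromCertificate -CertFile 'C:\Temp\user_cert.cer' | Format-Table -AutoSize
```

Running certutil -dump on a saved file shows the update dates of the list, which tells you when it will lose its relevance and has to be installed again.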

Point No. 5 . Install the user's personal certificate via CryptoPro.

Point No. 6 . Go to CryptoPro and check the “Do not check the server certificate for revocation” and “Do not check the purpose of your own certificate” checkboxes on the “TLS Settings” tab.

Point No. 7 . Install Continent TLS Client 2.0.1440. Reboot.

Lyrics. During the installation process, an access error may occur... We have already gone through this before. You need to unlock the registry branch (right during the installation process), change the rights to change it. By default, the owner of the branch is “system”, and the software is installed on behalf of the user. Since on computers of this level users must be in “Administrators” (tested by practice), we give access accordingly:

If the question arises, “What is shown in the picture above?”... It’s better not to get involved yourself, but to ask a person who knows what the “Windows System Registry” is and how to work with it.

Point No. 8 . We configure the Continent TLS (see the manual on the website, section "GIS-Electronic Budget").


TLS settings:

Point No. 9 . Registering Continent TLS.

  • Press Win+R and type %PUBLIC%\ContinentTLSClient\
  • Find the PublicConfig.json file
  • Open it with Notepad for editing
  • In the SerialNumber parameter, insert the value "test-50000" in quotes
  • Restart TLS Continent.
Lyrics. You can do it easier, there is no sedition in this - register officially. They won't ask for money for this.

Point No. 10 . Uninstall the Extended Container program through "Programs and Features" in the Control Panel. Reboot.

Lyrics. I did not complete this step. I don’t understand why it should be removed; it doesn’t interfere at all.

Point No. 11 . Install Jinn Client 1.0.3050 (serial number required). Reboot.

Lyrics. The Treasury issued us version 1.0.1130.0, this did not affect the performance in any way. We take the serial number from the old version of the previously issued distribution.

Point No. 12 . Install Extended Container from the distribution with Jinn Client (a separate serial number is required).

Lyrics. I have no idea what serial number is meant. It didn't exist before. Perhaps this means the number issued in the latest distribution. Unlike Jinn, there are no restrictions on the number of installations. I installed the new Extended (version earlier in an attempt to solve the problem on my own.

Point No. 13 . Let's go to C:\Program Files\Secure Code\CSP\ and find the file csp_uninstal.exe. We launch it and remove the crypto provider from the Security Code. Reboot.

Point No. 14 . Install JinnSignExtensionProvider (to interact with the Chrome and Firefox browsers).

Lyrics. I also missed this point, because we have Internet Explorer 11. I didn’t try it on Chrome, but Firefox didn’t work.

Point No. 15 . Install CadesPlugin (aka CryptoPro EDS Browser Plug-in).

Lyrics. You can download ⇒. Download the latest version. We register the site "" in the plugin settings:

Point No. 16 . Setting up browsers:
  • Internet Explorer: add to Trusted Sites - And
  • Firefox: add the JinnSignExtension.xpi extension and disable the old proxy setting in the network settings (set to "No proxy")
  • Chrome: add the JinnSignExtension extension (drag the folder with the extension into the extension installation window)
Lyrics. You also need to disable Proxy completely in Internet Explorer:

NEXT something that was not in the instructions.

Creating shortcuts on the desktop for both options (GOST-2001 and GOST-2012) by writing strings in objects:

  • "C:\Program Files\Internet Explorer\iexplore.exe"
  • "C:\Program Files\Internet Explorer\iexplore.exe"
And just in case, in the properties we provide for launching as Administrator:

This is necessary so that the browser does not switch to the HTTPS protocol while working.

Setting up Anti-Virus. The network recommends disabling your antivirus completely. Great joke, especially on a money management computer. I suggest settings for Kaspersky Endpoint Security 10. You need to create similar rules on other antiviruses.

First, disable traffic checking:

Then we add both versions (x86 and x64) of Internet Explorer to application control exceptions:

Of course, this is not right, but it is the least evil of all possible.

You will have to convert the keys. Download the Private key converter; the archive contains a Readme.doc file with installation instructions. For conversion, you don’t need an additional flash drive; we do everything on the same one, and files with the new key format will simply be added. The medium will become universal. Both new and old keys are converted without problems.

Changing the user has become much easier. Now you don’t need to restart the service, just change the certificate in the “Default user certificate” line in the Continent TLS settings.

Good luck in your difficult struggle with federal portals!