Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
rubenz91 opened this issue · 5 comments
Hello,
So I recently upgraded on of our Brik and decided to update as well my 5.2 SDK that had been working without issues.
My environment is two Servers that function as the Gateway to connect to Rubrik. One of those servers is in passive state, meaning is waiting in case anything happens in the main one.
Upgrade was performed in both, but my passive one now is triggering the below code error when trying to run:
Connect-Rubrik XXXXXXX -Credential domain\user securepassword
Current Behavior:
VERBOSE: Allowing self-signed certificates
VERBOSE: Gather API Data for Connect-Rubrik
VERBOSE: Gather API Data for Get-RubrikSoftwareVersion
VERBOSE: Selected 1.0 API Data for Get-RubrikSoftwareVersion
VERBOSE: Load API data for Get-RubrikSoftwareVersion
VERBOSE: Description: Retrieves software version of the Rubrik cluster
VERBOSE: Build the URI
VERBOSE: URI = https://XXXXXX/api/v1/cluster/me/version
VERBOSE: Build the query parameters for <null>
VERBOSE: URI = https://XXXXXX/api/v1/cluster/me/version
VERBOSE: Submitting the request
VERBOSE: Invoking request with a custom timeout of 100 seconds
VERBOSE: GET https://XXXXXX/api/v1/cluster/me/version with 0-byte payload
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Rubrik\Private\Invoke-RubrikWebRequest.ps1:36 char:23
+ ... $result = Invoke-WebRequest -UseBasicParsing -TimeoutSec $rubrikOpt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Expected Behavior:
I'm expecting to go over and log on normally over Powershell
Steps to Reproduce:
Please provide detailed steps for reproducing the issue.
1- Automation System call to a powershell script
2- Powershell Script import the rubrik module and try to connect
Context:
- Rubrik PowerShell Module Version: Use
Get-Module -ListAvailable Rubrik
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 6.0.0 Rubrik {Connect-Rubrik, Disconnect-Rubrik, Export-RubrikDatabase, Export-RubrikReport...}
- PowerShell Version: Use
$PSVersiontable.PSVersion
Name Value
---- -----
PSVersion 5.1.17763.2268
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.2268
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Hello @rubenz91,
It sounds like a TLS issue, could you try running:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
And then connecting to your Rubrik Cluster using Connect-Rubrik to see if that makes any difference.
In case this is the issue, we've got this documented, for the installation of the module here:
Or head over to the official Microsoft documentation, also linked to in our documentation, on configuring TLS 1.2 for older systems:
Let me know if that helps!
I get a new error:
VERBOSE: Allowing self-signed certificates
VERBOSE: Gather API Data for Connect-Rubrik
VERBOSE: Gather API Data for Get-RubrikSoftwareVersion
VERBOSE: Selected 1.0 API Data for Get-RubrikSoftwareVersion
VERBOSE: Load API data for Get-RubrikSoftwareVersion
VERBOSE: Description: Retrieves software version of the Rubrik cluster
VERBOSE: Build the URI
VERBOSE: URI = https://xxxxx/api/v1/cluster/me/version
VERBOSE: Build the query parameters for <null>
VERBOSE: URI = https://xxxxx/api/v1/cluster/me/version
VERBOSE: Submitting the request
VERBOSE: Invoking request with a custom timeout of 100 seconds
VERBOSE: GET https://xxxxx/api/v1/cluster/me/version with 0-byte payload
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Rubrik\Private\Invoke-RubrikWebRequest.ps1:36 char:23
+ ... $result = Invoke-WebRequest -UseBasicParsing -TimeoutSec $rubrikOpt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
What kind of output do you get when you run the following:
[Net.ServicePointManager]::SecurityProtocol
This is the results in both the server working and the one that is giving the messages I have posted here so far.
Tls, Tls11, Tls12
I've been looking at replicating the issue, but the only way I can get PowerShell 5.1 to generate this error on my end is when TLS isn't configured correctly. So I have come up with the following 3 things we can try:
- Install PowerShell 7 and attempt to run Connect-Rubrik from PowerShell 7. If you don't have administrative permissions on the box, you can download the ZIP version and just unzip, import the Rubrik module and test if it also fails there: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2
- Follow the instructions in the following doc to enable TLS on a system-wide level: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
- Do additional troubleshooting by running the following code, and share the verbose output. This will allow me to get a better idea of what's happening. Make sure the output is sanitized (remove any ip address, server names, passwords or base64 encoded creds) or alternatively open a Support Case on the portal where you can share the full output without sanitizing the verbose output.
# Enter your credentials & cluster name
$Credential = Get-Credential
$YourRubrikCluster = 'your.cluster.com'
$VerbosePreference = 'Continue'
$ErrorActionPreference = 'Stop'
& {
trap {$_.exception.tostring()}
[Net.ServicePointManager]::SecurityProtocol.value__
Connect-Rubrik -Server $YourRubrikCluster -Credential $Credential
[Net.ServicePointManager]::SecurityProtocol.value__
}
& {
trap {$_.exception.tostring()}
[Net.ServicePointManager]::SecurityProtocol.value__
Invoke-Webrequest -uri "https://$YourRubrikCluster/api/v1/vmware/vm?limit=1" -method get -header @{'Authorization' = 'Basic {0}' -f [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($credential.UserName):$($credential.GetNetworkCredential().password)"))} -UseBasicParsing
[Net.ServicePointManager]::SecurityProtocol.value__
}
& {
trap {$_.exception.tostring()}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::SecurityProtocol.value__
Connect-Rubrik -Server $YourRubrikCluster -Credential $Credential
[Net.ServicePointManager]::SecurityProtocol.value__
}
& {
trap {$_.exception.tostring()}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::SecurityProtocol.value__
Invoke-Webrequest -uri "https://$YourRubrikCluster/api/v1/vmware/vm?limit=1" -method get -header @{'Authorization' = 'Basic {0}' -f [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($credential.UserName):$($credential.GetNetworkCredential().password)"))}
[Net.ServicePointManager]::SecurityProtocol.value__
}
& {
trap {$_.exception.tostring()}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::SecurityProtocol.value__
Connect-Rubrik -Server $YourRubrikCluster -Credential $Credential
[Net.ServicePointManager]::SecurityProtocol.value__
}
& {
trap {$_.exception.tostring()}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::SecurityProtocol.value__
Invoke-Webrequest -uri "https://$YourRubrikCluster/api/v1/vmware/vm?limit=1" -method get -header @{'Authorization' = 'Basic {0}' -f [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($credential.UserName):$($credential.GetNetworkCredential().password)"))} -UseBasicParsing
[Net.ServicePointManager]::SecurityProtocol.value__
}