
Could not create SSL/TLS secure channel

Happy New Year

 

7-Mode 8.2.4

Windows server 2012 R2

 

I am trying to run my PowerShell script over HTTPS but I got the error below:

Connect-NaController : Connection to FILERNAME using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At D:\NetApp\Scripts\7-Mode\7Snap1.ps1:35 char:6
+      Connect-NaController $netapp -Credential $cred -HTTPS
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FILERNAME:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController

 

 

I have increased the key length to more than 2000 (secureadmin setup ssl) but it is still not working. Below are my filer options, which I believe should be enough to get it to run over HTTPS.

 

httpd.access                 none       
httpd.admin.access           host=myhost1,myhost2,myhost3
httpd.admin.enable           off        
httpd.admin.hostsequiv.enable off        
httpd.admin.max_connections  512        
httpd.admin.ssl.enable       on         
httpd.admin.top-page.authentication on         
httpd.autoindex.enable       off        
httpd.bypass_traverse_checking off        
httpd.enable                 off        
httpd.ipv6.enable            off        
httpd.log.format             common     (value might be overwritten in takeover)
httpd.method.trace.enable    off        
httpd.rootdir                /vol/vol0/home/http 
httpd.timeout                300        (value might be overwritten in takeover)
httpd.timewait.enable        off      
tls.enable                   on
ldap.ssl.enable              off
ssl.enable                   on         
ssl.v2.enable                off        (same value required in local+partner)
ssl.v3.enable                on         (same value required in local+partner)

 

If I enable http and run the script over http it works fine. Moreover, I have the same exact configuration on my demo lab and it is working fine even with HTTPS.

I am not sure why it is not working on the production environment. Could it be a server related issue/policy ?

 

Your help is appreciated.

 

Thanks,

Re: Could not create SSL/TLS secure channel

Hello ahmada,

 

Happy new year!

 

Can you access the webfrontend by browser over https ?

Does it produce a warning ?

 

I guess that the PowerShell Toolkit uses .NET components for HTTPS communication.

 

So you could try out the .NET Foundation to test the connection.

Please see

https://blogs.technet.microsoft.com/parallel_universe_-_ms_tech_blog/2014/06/26/reading-a-certificate-off-a-remote-ssl-server-for-troubleshooting-with...

 

And try if you can get more information out of it.

To help in Troubleshooting.

 

Kind Regards

 

 

Re: Could not create SSL/TLS secure channel

Thanks for your reply

 

Can you access the webfrontend by browser over https ?

Does it produce a warning ?

I got the below error:-

 TLS.jpg

 

 

I have checked TLS1.1 and TLS 1.2 and both are enabled.

 

As for the code in the link provided, I got the below error:

ssl.jpg

 

However, in the test lab both tests work fine.

 

Could it be that some group policy is forced via AD that's causing the issue seen on the production environment ?

 

Re: Could not create SSL/TLS secure channel

Make sure TLS 1.2 is actually enabled on your Windows boxes.

 

There were evidently some "patches" that turned off TLS.

 

Verify these registry keys:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

 

You can also check out this link: https://portal.chicagonettech.com/kb/a187/maximizing-ssl-security-for-windows-server-2012-ssl-tls.aspx
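
A read-only way to run the registry check described in the reply above, added here as an example and not part of the original thread. The function name Get-SchannelProtocolState is hypothetical; a value reported as "not set" means the key or value is absent and the operating system default applies.

```powershell
# Added example: report the SCHANNEL TLS 1.2 values named in the reply above.
# Read-only; nothing is written to the registry.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

# Hypothetical helper name, introduced for this example only.
function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path              = $Path
        KeyExists         = Test-Path -LiteralPath $Path
        Enabled           = 'not set'
        DisabledByDefault = 'not set'
    }
    if ($result.KeyExists) {
        $props = Get-ItemProperty -LiteralPath $Path
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            # Only overwrite the placeholder when the value really exists.
            if ($props.PSObject.Properties.Name -contains $name) {
                $result[$name] = $props.$name
            }
        }
    }
    [pscustomobject]$result
}

$states = foreach ($role in 'Client', 'Server') {
    Get-SchannelProtocolState -Path (Join-Path $base $role)
}
$states | Format-Table -AutoSize

# Flag any role where a value explicitly turns TLS 1.2 off.
foreach ($s in $states) {
    if ($s.Enabled -eq 0 -or $s.DisabledByDefault -eq 1) {
        Write-Warning "TLS 1.2 is explicitly disabled under $($s.Path)"
    }
}

# Protocols that .NET code in this PowerShell session will offer. This matters
# only if the toolkit uses .NET for HTTPS, as an earlier reply guesses.
"Session .NET SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```

Running it on both the production server and the working lab server and comparing the two outputs shows whether a policy or patch has changed these values on one of them.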