topic Re: Could not create SSL/TLS secure channel in Microsoft Virtualization Discussions

Could not create SSL/TLS secure channel

ahmada — Wed, 04 Jun 2025 15:36:47 GMT

Happy New Year

7-Mode 8.2.4

Windows server 2012 R2

I am trying to run my powershell script over https but I got the below error:-

Connect-NaController : Connection to FILERNAME using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At D:\NetApp\Scripts\7-Mode\7Snap1.ps1:35 char:6
+      Connect-NaController $netapp -Credential $cred -HTTPS
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FILERNAME:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController

I have increased the key length to more than 2000 (secureadmin setup ssl)but still it is not working. Below are my filer options which I believe should be enough to get it to run over HTTPS.

httpd.access none

httpd.admin.access host=myhost1,myhost2,myhost3

httpd.admin.enable off

httpd.admin.hostsequiv.enable off

httpd.admin.max_connections 512

httpd.admin.ssl.enable on

httpd.admin.top-page.authentication on

httpd.autoindex.enable off

httpd.bypass_traverse_checking off

httpd.enable off

httpd.ipv6.enable off

httpd.log.format common (value might be overwritten in takeover)

httpd.method.trace.enable off

httpd.rootdir /vol/vol0/home/http

httpd.timeout 300 (value might be overwritten in takeover)

httpd.timewait.enable off

tls.enable on

ldap.ssl.enable off

ssl.enable on

ssl.v2.enable off (same value required in local+partner)

ssl.v3.enable on (same value required in local+partner)

If I enable http and run the script over http it works fine. Moreover, I have the same exact configuration on my demo lab and it is working fine even with HTTPS.

I am not sure why it is not working on the production environment. Could it be a server related issue/policy ?

Your help is appriciated.

Thanks,

Re: Could not create SSL/TLS secure channel

MForster — Tue, 03 Jan 2017 08:03:07 GMT

Hello ahmada,

happy new year!

Can you access the webfrontend by browser over https ?

Does it produce a warning ?

I guess that the powershell Toolkit uses .net Components for HTTPS Communication.

so you could try out the .NET Foundation to test the connection.

Please see

https://blogs.technet.microsoft.com/parallel_universe_-_ms_tech_blog/2014/06/26/reading-a-certificate-off-a-remote-ssl-server-for-troubleshooting-with-powershell/

And try if you can get more information out of it.

To help in Troubleshooting.

Kind Regards

Re: Could not create SSL/TLS secure channel

ahmada — Wed, 04 Jan 2017 05:42:31 GMT

Thanks for your replay

Can you access the webfrontend by browser over https ?

Does it produce a warning ?

I got the below error:-

I have checked TLS1.1 and TLS 1.2 and both are enabled.

As for the code in the link provided, I got the below error:

However, in the test lab both tests works fine.

Could it be that some group policy is forced via AD that's causing the issue seen on the production environment ?

Re: Could not create SSL/TLS secure channel

tmac — Thu, 05 Jan 2017 15:33:50 GMT

make sure TLS 1.2 is actually enabled on your windows boxes

There were eveidently some "patches" that turned of TLS.

Verify these registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

you can also check out htis link: https://portal.chicagonettech.com/kb/a187/maximizing-ssl-security-for-windows-server-2012-ssl-tls.aspx

Re: Could not create SSL/TLS secure channel

Minser — Mon, 29 Jan 2018 18:28:45 GMT

On 8.3 I had the same issue attempting to connect to system manager. I used three seperate browsers. Double checked TLS and SSL settings and certificates.

Finally figured it out.

Make sure the Server side is enabled.

wrote:
Happy New Year

7-Mode 8.2.4
Windows server 2012 R2

I am trying to run my powershell script over https but I got the below error:-
Connect-NaController : Connection to FILERNAME using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At D:\NetApp\Scripts\7-Mode\7Snap1.ps1:35 char:6
+      Connect-NaController $netapp -Credential $cred -HTTPS
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FILERNAME:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController
I have increased the key length to more than 2000 (secureadmin setup ssl)but still it is not working. Below are my filer options which I believe should be enough to get it to run over HTTPS.

httpd.access                 none
httpd.admin.access           host=myhost1,myhost2,myhost3
httpd.admin.enable           off
httpd.admin.hostsequiv.enable off
httpd.admin.max_connections 512
httpd.admin.ssl.enable       on
httpd.admin.top-page.authentication on
httpd.autoindex.enable       off
httpd.bypass_traverse_checking off
httpd.enable                 off
httpd.ipv6.enable            off
httpd.log.format             common     (value might be overwritten in takeover)
httpd.method.trace.enable    off
httpd.rootdir                /vol/vol0/home/http
httpd.timeout                300        (value might be overwritten in takeover)
httpd.timewait.enable        off
tls.enable                   on
ldap.ssl.enable              off
ssl.enable                   on
ssl.v2.enable                off        (same value required in local+partner)
ssl.v3.enable                on         (same value required in local+partner)

If I enable http and run the script over http it works fine. Moreover, I have the same exact configuration on my demo lab and it is working fine even with HTTPS.
I am not sure why it is not working on the production environment. Could it be a server related issue/policy ?

Your help is appriciated.

Thanks,

security SSL show

          Serial                                         Server Client
Vserver   Number Common Name                             Enabled Enabled
--------- ------ --------------------------------------- ------- -------
uspdop6lus 561E4629E0E3E uspdop6lus            true    false
Certificate Authority: uspdop6lus

Re: Could not create SSL/TLS secure channel

Minser — Mon, 29 Jan 2018 21:39:59 GMT

sorry,

I was using a clustered OnTap responce to a 7-mode issue.

Re: Could not create SSL/TLS secure channel

dvindika — Thu, 01 Mar 2018 06:03:57 GMT

DId you resolve this issue? I'm having exact issue with Powershell.

Thanks!

Re: Could not create SSL/TLS secure channel

ahmada — Thu, 01 Mar 2018 06:34:29 GMT

I forced powershell to connect over RPC - that's for 7-mode systems-, the connection command will be something like : -

Connect-NaController storageName -RPC