Microsoft Virtualization Discussions

Could not create SSL/TLS secure channel

ahmada

Happy New Year!

 

7-Mode 8.2.4

Windows server 2012 R2

 

I am trying to run my PowerShell script over HTTPS, but I get the error below:

Connect-NaController : Connection to FILERNAME using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At D:\NetApp\Scripts\7-Mode\7Snap1.ps1:35 char:6
+      Connect-NaController $netapp -Credential $cred -HTTPS
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FILERNAME:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController

 

 

I have increased the key length to more than 2000 (secureadmin setup ssl), but it is still not working. Below are my filer options, which I believe should be enough to get it to run over HTTPS.

 

httpd.access                 none       
httpd.admin.access           host=myhost1,myhost2,myhost3
httpd.admin.enable           off        
httpd.admin.hostsequiv.enable off        
httpd.admin.max_connections  512        
httpd.admin.ssl.enable       on         
httpd.admin.top-page.authentication on         
httpd.autoindex.enable       off        
httpd.bypass_traverse_checking off        
httpd.enable                 off        
httpd.ipv6.enable            off        
httpd.log.format             common     (value might be overwritten in takeover)
httpd.method.trace.enable    off        
httpd.rootdir                /vol/vol0/home/http 
httpd.timeout                300        (value might be overwritten in takeover)
httpd.timewait.enable        off      
tls.enable                   on
ldap.ssl.enable              off
ssl.enable                   on         
ssl.v2.enable                off        (same value required in local+partner)
ssl.v3.enable                on         (same value required in local+partner)

 

If I enable HTTP and run the script over HTTP, it works fine. Moreover, I have the exact same configuration in my demo lab, and it works fine there even with HTTPS.

I am not sure why it is not working in the production environment. Could it be a server-related issue/policy?

 

Your help is appreciated.

 

Thanks,


MForster

Hello ahmada,

 

Happy New Year!

 

Can you access the web front end in a browser over HTTPS?

Does it produce a warning?

 

I guess that the PowerShell Toolkit uses .NET components for HTTPS communication,

so you could try out the .NET foundation to test the connection.

Please see

https://blogs.technet.microsoft.com/parallel_universe_-_ms_tech_blog/2014/06/26/reading-a-certificate-off-a-remote-ssl-server-for-troubleshooting-with...

 

and try to get more information out of it, to help in troubleshooting.

 

Kind Regards
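The .NET-level test MForster is pointing at can be done directly from PowerShell without the linked script. What follows is an added example, not code from the thread or from the linked blog post: it opens a TLS session to the controller with .NET's SslStream, offering TLS 1.0 through 1.2, and reports the negotiated protocol, cipher, and the controller certificate's RSA key size. FILERNAME and port 443 are placeholders. The key size matters because Windows has refused RSA certificate keys shorter than 1024 bits since the 2012 weak-key update (KB2661254), which is what the SDK's "longer key length" hint in the error message refers to.

```powershell
# Added example (not from the thread): open a TLS session to the controller with .NET's
# SslStream and report what the handshake negotiated. FILERNAME and port 443 are placeholders.
param(
    [string]$FilerHost = 'FILERNAME',
    [int]$Port = 443
)

# Offer TLS 1.0/1.1/1.2 explicitly. On a stock 2012 R2 host with .NET 4.5 the PowerShell
# Toolkit offers only SSL 3.0 and TLS 1.0 unless SchUseStrongCrypto is set, so a client-side
# policy that turns off TLS 1.0 breaks the SDK even though TLS 1.2 is "enabled" in Schannel.
$offered = [System.Security.Authentication.SslProtocols]::Tls -bor
           [System.Security.Authentication.SslProtocols]::Tls11 -bor
           [System.Security.Authentication.SslProtocols]::Tls12

# Accept any server certificate: this probe is for reading handshake details, not for trusting
# the filer. Do not carry this callback into the production script.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }

$client = New-Object System.Net.Sockets.TcpClient
$ssl    = $null
try {
    $client.Connect($FilerHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
    $ssl.AuthenticateAsClient($FilerHost, $null, $offered, $false)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    [pscustomobject]@{
        Host          = "${FilerHost}:${Port}"
        Protocol      = $ssl.SslProtocol
        Cipher        = '{0} ({1}-bit)' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
        KeyExchange   = '{0} ({1}-bit)' -f $ssl.KeyExchangeAlgorithm, $ssl.KeyExchangeStrength
        Hash          = $ssl.HashAlgorithm
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        # Schannel rejects RSA keys shorter than 1024 bits (KB2661254); this is the value the
        # SDK's "longer key length" hint is about.
        PublicKeyBits = $cert.PublicKey.Key.KeySize
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
    }
}
catch [System.Security.Authentication.AuthenticationException] {
    # The TLS handshake itself failed: no common protocol/cipher, or a certificate Schannel refuses.
    Write-Warning "TLS handshake with ${FilerHost}:${Port} failed: $($_.Exception.Message)"
    if ($_.Exception.InnerException) {
        Write-Warning "Inner: $($_.Exception.InnerException.Message)"
    }
}
catch {
    # Anything before the handshake: DNS, connection refused, httpd.admin.access blocking this host, ...
    Write-Warning "Connection to ${FilerHost}:${Port} failed: $($_.Exception.Message)"
}
finally {
    if ($ssl)    { $ssl.Dispose() }
    if ($client) { $client.Close() }
}
```

Run it from the production host and from the lab host against the same filer: if the lab negotiates and production throws the AuthenticationException, the difference is on the Windows side (client protocol policy or certificate acceptance), not on the controller. If both fail with the same inner message about the certificate, regenerate the controller certificate first.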

 

 

ahmada

Thanks for your reply.

 

Can you access the web front end in a browser over HTTPS?

Does it produce a warning?

I got the error below:

[image: TLS.jpg]

 

I have checked TLS 1.1 and TLS 1.2 and both are enabled.

 

As for the code in the link provided, I got the error below:

[image: ssl.jpg]

 

However, in the test lab both tests work fine.

 

Could it be that some group policy forced via AD is causing the issue seen in the production environment?

 

tmac

Make sure TLS 1.2 is actually enabled on your Windows boxes.

 

There were evidently some "patches" that turned off TLS.

 

Verify these registry keys:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

 

You can also check out this link: https://portal.chicagonettech.com/kb/a187/maximizing-ssl-security-for-windows-server-2012-ssl-tls.aspx
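The registry keys tmac lists can be read back for every protocol in one pass instead of one key at a time. The following is an added example, not code from the thread or from the linked article. It reports the Client and Server switches for SSL 2.0 through TLS 1.2 and then the two settings that decide what the .NET runtime, and therefore the PowerShell Toolkit, actually offers: on 2012 R2 with .NET 4.5 the default is SSL 3.0 and TLS 1.0 only, and SchUseStrongCrypto=1 changes that to TLS 1.0/1.1/1.2. A hardening policy that disables TLS 1.0 on the client without setting SchUseStrongCrypto produces exactly the "Could not create SSL/TLS secure channel" error while TLS 1.2 shows as enabled, which is the kind of production-versus-lab difference ahmada asked about. The script is read-only.

```powershell
# Added example (not from the thread): audit the Schannel protocol switches on this Windows
# host and the two settings that control what .NET (and so the PowerShell Toolkit) offers.
$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,                                   # e.g. 'TLS 1.2'
        [Parameter(Mandatory=$true)][ValidateSet('Client','Server')][string]$Side
    )
    $key = Join-Path $protocolsKey "$Protocol\$Side"
    $enabled = $disabledByDefault = '(not set)'
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        if ($p.PSObject.Properties['Enabled'])           { $enabled           = $p.Enabled }
        if ($p.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $p.DisabledByDefault }
    }
    # Enabled=0 switches the protocol off outright; DisabledByDefault=1 keeps it off unless an
    # application requests it explicitly; values that are absent fall back to the OS default.
    $verdict = 'enabled'
    if ($enabled -eq '(not set)' -and $disabledByDefault -eq '(not set)') { $verdict = 'OS default' }
    if ($disabledByDefault -eq 1) { $verdict = 'off unless requested (DisabledByDefault=1)' }
    if ($enabled -eq 0)           { $verdict = 'disabled (Enabled=0)' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        Verdict           = $verdict
    }
}

$report = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        Get-SchannelProtocolState -Protocol $proto -Side $side
    }
}
$report | Format-Table -AutoSize

# .NET 4.5 offers only SSL 3.0 and TLS 1.0 by default; SchUseStrongCrypto=1 under both keys
# (64-bit and WOW64) changes that default to TLS 1.0/1.1/1.2.
foreach ($fwKey in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $v = (Get-ItemProperty -Path $fwKey -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    '{0}\SchUseStrongCrypto = {1}' -f $fwKey, $(if ($null -eq $v) { '(not set)' } else { $v })
}

# What this PowerShell process will actually offer to the filer right now.
'ServicePointManager.SecurityProtocol = {0}' -f [System.Net.ServicePointManager]::SecurityProtocol
```

Compare the output on the production host with the lab host: a row reading "disabled (Enabled=0)" for TLS 1.0 Client, or SSL 3.0 Client, together with SchUseStrongCrypto "(not set)" and a SecurityProtocol of "Ssl3, Tls", leaves the Toolkit with nothing the filer's ssl.v3/tls settings will accept.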

 

Minser

On 8.3 I had the same issue attempting to connect to System Manager. I used three separate browsers. Double-checked TLS and SSL settings and certificates.

Finally figured it out.

Make sure the Server side is enabled.


 

security ssl show

           Serial                                          Server  Client
Vserver    Number         Common Name                      Enabled Enabled
---------- -------------- -------------------------------- ------- -------
uspdop6lus 561E4629E0E3E  uspdop6lus                       true    false
  Certificate Authority: uspdop6lus

Minser

Sorry,

I was using a clustered ONTAP response to a 7-Mode issue.

dvindika

Did you resolve this issue? I'm having the exact same issue with PowerShell.

Thanks!

ahmada

I forced PowerShell to connect over RPC (that's for 7-Mode systems); the connection command will be something like:

 

Connect-NaController storageName -RPC
