microsoft / AL

Home of the Dynamics 365 Business Central AL Language extension for Visual Studio Code. Used to track issues regarding the latest version of the AL compiler and developer tools available in the Visual Studio Code Marketplace or as part of the AL Developer Preview builds for Dynamics 365 Business Central.
MIT License

Error: The SSL connection could not be established, see inner exception. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.. #7612

Closed bouncy99 closed 10 months ago

bouncy99 commented 1 year ago

Please include the following with each issue:

1. Describe the bug With DeveloperServicesSSLEnabled on a Business Central instance, while using a valid CA-issued cert, when publishing to the DeveloperServicesPort of the Business Central 21 instance, we are experiencing the error message "Error: The SSL connection could not be established, see inner exception. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.."

2. To Reproduce Simply publish code to BC21 SSL enabled instance

  1. Go to '...'
AL code snippet that demonstrates the issue or a link to a code repository the developers can easily pull down to recreate the issue locally.

Note: Because the developers need to copy and paste the code snippet, including a code snippet as a media file (i.e. .gif) is not sufficient.

3. Expected behavior That the connection would be established, and code published

4. Actual behavior A clear and concise description of what happened accompanied by images, animations, or a link to a video showing the issue occurring


5. Versions:


SBalslev commented 11 months ago

We rely on the underlying tools for HTTP requests, so not much more info there. However, it is clear that there is something wrong with the SSL certificate you have configured or the client you are running this from. I would recommend you check a simple browser request for the metadata yourself on the same machine, and inspect the certificate for validity on the client.

rdebath commented 10 months ago

This looks like what you get when the certificate and client are fine but the service tier hasn't been able to install the certificate into the kernel's TLS functions. (But it can also be caused by TLS-inspecting firewalls and AV.)

You have to re-register the certificate on the server URL and port; this also tends to collide with the urlacl for both HTTP and HTTPS. Changing the port to an unpolluted one will probably work too.

This is an example with cmd shell variables for a SOAP or ODATA port. I don't usually try with the dev port but use the more reliable HTTP over a VPN instead.

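```bat
rem Assumed meanings of the variables: PORT = service port, INST = server instance
rem name, WINUSER = account the service runs as, CERTTHUMB = certificate thumbprint,
rem RAND = any GUID in braces (netsh requires appid to be a GUID).
rem Remove the old reservations and binding first, then add the HTTPS ones.
netsh http delete urlacl url=http://+:%PORT%/%INST%/
netsh http delete sslcert ipport=0.0.0.0:%PORT%
netsh http delete urlacl url=https://+:%PORT%/%INST%/
netsh http add urlacl url=https://+:%PORT%/%INST%/ user=%WINUSER%
netsh http add sslcert ipport=0.0.0.0:%PORT% certhash=%CERTTHUMB% appid=%RAND%
```
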
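
One way to carry out the client-side check suggested in the comments above, as an added example that is not part of the original thread: a PowerShell function that reports whether the failure happens at TCP connect or during the TLS handshake and, when the handshake completes, which certificate the port presents. The function name, its parameters, and the host name and port in the sample call are assumptions for illustration.

```powershell
# Added diagnostic example; the host name and port at the bottom are constructed.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [string]$ExpectedThumbprint
    )
    $seen = @{ Cert = $null; PolicyErrors = $null }
    # Let the handshake finish whatever the certificate looks like so it can be
    # inspected; the policy errors are recorded and reported, not ignored.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $cert, $chain, $policyErrors)
        $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $seen.PolicyErrors = $policyErrors
        return $true
    }.GetNewClosure()
    $stage = 'tcp-connect'
    $ssl = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stage = 'tls-handshake'
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $thumb = $seen.Cert.Thumbprint
        [pscustomobject]@{
            Stage        = 'completed'
            Protocol     = $ssl.SslProtocol
            Subject      = $seen.Cert.Subject
            NotAfter     = $seen.Cert.NotAfter
            Thumbprint   = $thumb
            PolicyErrors = $seen.PolicyErrors   # 'None' means this client trusts it
            MatchesExpected = if ($ExpectedThumbprint) {
                $thumb -eq ($ExpectedThumbprint -replace '[^0-9a-fA-F]') } else { $null }
        }
    }
    catch {
        # "failed at tls-handshake" with a connection reset is the error reported
        # in this issue: the port accepted TCP but the handshake was cut off.
        $base = $_.Exception.GetBaseException()
        [pscustomobject]@{ Stage = "failed at $stage"; Error = $base.GetType().Name; Detail = $base.Message }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}
# Constructed sample call; replace the host name and port with your instance's.
Test-TlsEndpoint -HostName 'bc.example.test' -Port 7049
```

On the server, `netsh http show sslcert ipport=0.0.0.0:<port>` lists the certificate hash bound to that port, which can be compared with the `Thumbprint` value reported here.
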
SBalslev commented 10 months ago

There is no further action at this point.