nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0

Unable to update FSRM definitions with 500 server error #36

Open neileroberts opened 6 years ago

neileroberts commented 6 years ago

This is just to notify you that as of today, all of my definition updates are failing. I am getting the following output when I run the script.

Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (500) Internal Server Error."
At line:1 char:37

davidande commented 6 years ago

same for me

nexxai commented 6 years ago

Hey guys, everything seems to be working right now as far as I can tell. Can you confirm if you're still seeing error 500?

@davidande @neileroberts

neileroberts commented 6 years ago

Still having problems.

The following shares needing to be protected: F:\Data,F:\Departments,G:\Departments,E:\Home,F:\VIP Archive
Checking File Server Resource Manager..
Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (500) Internal Server Error."
At \craadmts01\Scripts\DeployCryptoBlocker.ps1:139 char:1

nexxai commented 6 years ago

@davidande Can you connect to the FSRM website from the box you're actually trying to update, and tell me if you get the same error? And if so, can you post a screenshot to imgur or somewhere that I can take a look? Because I'm not seeing any error 500s in the logs so I'm curious if it might be a CloudFlare issue.

davidande commented 6 years ago

@nexxai Yes, I can connect to the site without a problem.

neileroberts commented 6 years ago

The same, @nexxai. I can get to the site normally.

kenny42inc commented 6 years ago

@nexxai I am experiencing the same issue. Here are the screenshots you requested. https://imgur.com/a/YoUoT

davidande commented 6 years ago

connecting to the list download page:

nexxai commented 6 years ago

Alright, is it possible that any of you ran updates last night that may have updated your SSL ciphers? I ask because we haven't made any changes to the site and as far as I know, CloudFlare hasn't made any changes, so it seems like something to do with PowerShell not connecting to the server.

If you run the script 5 times, does it actually fail all 5 times, or will it work 1 or 2 times out of 5?

neileroberts commented 6 years ago

When I run it, it fails consistently.

kenny42inc commented 6 years ago

It fails consistently for me as well. The example server is 2008 R2 and is only missing one security update according to our patch management. I noticed this issue yesterday evening so I rebooted the server overnight just to be certain the problem wasn't related to a pending patch or something. Tried it again this morning and still receive the same error.

schorschroch commented 6 years ago

Hi there,

I had the same problem this morning. Looking at #23, I tried to exchange the line in the powerscript where $jsonStr is loaded with the following:

$jsonStr = Invoke-WebRequest -Uri https://fsrm.experiant.ca/api/v1/get

For me this worked. I'm running this script on an SBS 2011 server.

Hope this helps you too,

Regards,

Schorsch

neileroberts commented 6 years ago

I tried what @schorschroch suggested and it has fixed it for me as well. Server 2012.

nexxai commented 6 years ago

@neileroberts What OS are you running?

neileroberts commented 6 years ago

Server 2012 R2. It is still failing on 2008 R2.

kenny42inc commented 6 years ago

What @schorschroch suggested requires that Invoke-WebRequest be available. And on 2008 R2 with PowerShell 2 installed it is not available. I believe it is if PowerShell is upgraded to version 3.

nexxai commented 6 years ago

@HORRIBLEGASPAIN Yeah, that's why I was asking.

I don't think requiring users to have PowerShell 3 or higher is too much to ask, but what are your guys' thoughts?

neileroberts commented 6 years ago

I still run some legacy 2008 R2 servers but can get powershell upgraded. It's not a big deal for me. Might be for some though.

kenny42inc commented 6 years ago

There are some prerequisites for Microsoft Management Framework 3 on Server 2008 R2 that may need to be pointed out if PowerShell 3 is going to be required going forward. See: https://www.microsoft.com/en-us/download/details.aspx?id=34595

arcimus commented 6 years ago

I received 500 error in PHP using file_get_contents, and "SSL certificate problem: unable to get local issuer certificate" using curl. I got curl to work using:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

nexxai commented 6 years ago

@arcimus That likely means that your computer's SSL ciphers are out of date and should be updated, or that CloudFlare's root CA isn't trusted on your machine. Either way, you should definitely NOT be ignoring peer verification as that means that if your DNS request is intercepted, the attacker could feed you bad data and you'd never know.

jkmurphy1 commented 6 years ago

Not that this applies really, unless someone would like to create a batch script instead of a PS script, but the following will retrieve and write out the json to a file:

using System;
using Newtonsoft.Json;
using System.Net;
using System.IO;

namespace WriteJSONFile
{
    class Program
    {
        static void Main(string[] args)
        {
            WebClient getCryptoBlocker = new WebClient();
            getCryptoBlocker.Headers[HttpRequestHeader.UserAgent] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2";
            Uri address = new Uri("https://fsrm.experiant.ca/api/v1/get/");
            string json = getCryptoBlocker.DownloadString(address);

            File.WriteAllText(Environment.CurrentDirectory + "\\hereIsThe.json",json);
        }
    }
}

nexxai commented 6 years ago

I've pushed a new commit that checks for PowerShell v3 and exits if it does not find it. I also updated it to use Invoke-WebRequest instead of the old method.

Can some of you please get the latest version and let me know if it solves your issue?

davidande commented 6 years ago

$jsonStr = Invoke-WebRequest -Uri https://fsrm.experiant.ca/api/v1/get

Works for me too on 2012 R2. Is it working on 2008?

nexxai commented 6 years ago

@davidande It should work on 2008 as long as you have PowerShell v3 or higher.

kenny42inc commented 6 years ago

@nexxai Just confirmed on 2008 R2 with PowerShell 3 installed that the file groups are successfully downloaded & updated. No errors.

nexxai commented 6 years ago

@HORRIBLEGASPAIN Awesome. Thanks for your help!

neileroberts commented 6 years ago

Interesting observation. The script will fail if the user running it has not instantiated Internet Explorer. Mine is run by a service account so I need to use a runas in order to get an IE profile.

I used: -

runas /user:WILLIAM-REED\AntiCrypto.Service "C:\Program Files\Internet Explorer\iexplore.exe"

nexxai commented 6 years ago

Well that's something new, considering nothing we do comes even remotely close to using IE.

Is anyone else having the same issue, and if so, could you please post the error message you receive?

kenny42inc commented 6 years ago

This can happen on server core 2012 r2 and if the script is run via remote PowerShell session. In my testing, it seems that if I do:

runas /user:User c:\path\to\DeployCryptoBlocker.ps1

It appears to work OK.
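
An added example, not code from the CryptoBlocker project or from any commenter: one way to fetch the definitions on PowerShell 3 or later that keeps certificate verification on (the point made to @arcimus) and passes -UseBasicParsing, since without that switch Windows PowerShell's Invoke-WebRequest parses the response with the Internet Explorer engine and fails for accounts that have never completed IE's first run. The function name Get-FsrmDefinitions, the timeout and the TLS 1.2 opt-in are assumptions; the thread does not establish the cause of the 500 error.

```powershell
#Requires -Version 3.0
# Added example. Get-FsrmDefinitions is a hypothetical name, not part of the project.

function Get-FsrmDefinitions {
    param(
        # URL as posted in the thread above
        [string]$Uri = 'https://fsrm.experiant.ca/api/v1/get',
        [int]$TimeoutSec = 30
    )

    # If something in this session has replaced certificate validation
    # (the PowerShell analogue of CURLOPT_SSL_VERIFYPEER = 0), stop here
    # rather than download block lists over an unauthenticated channel.
    if ($null -ne [Net.ServicePointManager]::ServerCertificateValidationCallback) {
        throw 'Certificate validation is overridden in this session; refusing to download.'
    }

    # Assumption: older hosts may not offer TLS 1.2 by default. Add it to the
    # enabled protocols without removing the ones already set (best effort).
    try {
        [Net.ServicePointManager]::SecurityProtocol =
            [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    } catch {
        Write-Warning "Could not enable TLS 1.2: $($_.Exception.Message)"
    }

    try {
        # -UseBasicParsing avoids the Internet Explorer engine, so the call works
        # for service accounts, Server Core and remote sessions with no IE profile.
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing `
                        -TimeoutSec $TimeoutSec -ErrorAction Stop
    } catch {
        throw "Download from $Uri failed: $($_.Exception.Message)"
    }

    # Parse before anything reaches FSRM: a truncated or non-JSON body
    # throws here instead of overwriting the existing file group.
    $definitions = $response.Content | ConvertFrom-Json
    if ($null -eq $definitions) {
        throw "Response from $Uri was empty after JSON parsing."
    }
    return $definitions
}

# Usage: keep the previous file group if the download or parse fails.
# $defs = Get-FsrmDefinitions
```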