Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.

[rubenz91]

Hello,

So I recently upgraded on of our Brik and decided to update as well my 5.2 SDK that had been working without issues.

My environment is two Servers that function as the Gateway to connect to Rubrik. One of those servers is in passive state, meaning is waiting in case anything happens in the main one.

Upgrade was performed in both, but my passive one now is triggering the below code error when trying to run:

Connect-Rubrik XXXXXXX -Credential domain\user securepassword

Current Behavior:

VERBOSE: Allowing self-signed certificates
VERBOSE: Gather API Data for Connect-Rubrik
VERBOSE: Gather API Data for Get-RubrikSoftwareVersion
VERBOSE: Selected 1.0 API Data for Get-RubrikSoftwareVersion
VERBOSE: Load API data for Get-RubrikSoftwareVersion
VERBOSE: Description: Retrieves software version of the Rubrik cluster
VERBOSE: Build the URI
VERBOSE: URI = https://XXXXXX/api/v1/cluster/me/version
VERBOSE: Build the query parameters for <null>
VERBOSE: URI = https://XXXXXX/api/v1/cluster/me/version
VERBOSE: Submitting the request
VERBOSE: Invoking request with a custom timeout of 100 seconds
VERBOSE: GET https://XXXXXX/api/v1/cluster/me/version with 0-byte payload
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Rubrik\Private\Invoke-RubrikWebRequest.ps1:36 char:23
+ ...   $result = Invoke-WebRequest -UseBasicParsing -TimeoutSec $rubrikOpt ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Expected Behavior:

I'm expecting to go over and log on normally over Powershell

Steps to Reproduce:

Please provide detailed steps for reproducing the issue.

1- Automation System call to a powershell script 2- Powershell Script import the rubrik module and try to connect

Context:

• Rubrik PowerShell Module Version: Use Get-Module -ListAvailable Rubrik

  ModuleType Version    Name                                ExportedCommands                                                                                               
  ---------- -------    ----                                ----------------                                                                                               
  Script     6.0.0      Rubrik                              {Connect-Rubrik, Disconnect-Rubrik, Export-RubrikDatabase, Export-RubrikReport...} 

• PowerShell Version: Use $PSVersiontable.PSVersion

Name                           Value                                                                                                                                     
----                           -----                                                                                                                                     
PSVersion                      5.1.17763.2268                                                                                                                            
PSEdition                      Desktop                                                                                                                                   
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                   
BuildVersion                   10.0.17763.2268                                                                                                                           
CLRVersion                     4.0.30319.42000                                                                                                                           
WSManStackVersion              3.0                                                                                                                                       
PSRemotingProtocolVersion      2.3                                                                                                                                       
SerializationVersion           1.1.0.1 

[jaapbrasser]

Hello @rubenz91,

It sounds like a TLS issue, could you try running:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

And then connecting to your Rubrik Cluster using Connect-Rubrik to see if that makes any difference.

In case this is the issue, we've got this documented, for the installation of the module here:

• Installation Option 1: PowerShell Gallery (Recommended)

Or head over to the official Microsoft documentation, also linked to in our documentation, on configuring TLS 1.2 for older systems:

• Docs.Microsoft.com - How to enable TLS 1.2 on clients

Let me know if that helps!

[rubenz91]

I get a new error:

VERBOSE: Allowing self-signed certificates
VERBOSE: Gather API Data for Connect-Rubrik
VERBOSE: Gather API Data for Get-RubrikSoftwareVersion
VERBOSE: Selected 1.0 API Data for Get-RubrikSoftwareVersion
VERBOSE: Load API data for Get-RubrikSoftwareVersion
VERBOSE: Description: Retrieves software version of the Rubrik cluster
VERBOSE: Build the URI
VERBOSE: URI = https://xxxxx/api/v1/cluster/me/version
VERBOSE: Build the query parameters for <null>
VERBOSE: URI = https://xxxxx/api/v1/cluster/me/version
VERBOSE: Submitting the request
VERBOSE: Invoking request with a custom timeout of 100 seconds
VERBOSE: GET https://xxxxx/api/v1/cluster/me/version with 0-byte payload
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Rubrik\Private\Invoke-RubrikWebRequest.ps1:36 char:23
+ ...   $result = Invoke-WebRequest -UseBasicParsing -TimeoutSec $rubrikOpt ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

[jaapbrasser]

What kind of output do you get when you run the following:

[Net.ServicePointManager]::SecurityProtocol

[rubenz91]

This is the results in both the server working and the one that is giving the messages I have posted here so far.

Tls, Tls11, Tls12

[jaapbrasser]

I've been looking at replicating the issue, but the only way I can get PowerShell 5.1 to generate this error on my end is when TLS isn't configured correctly. So I have come up with the following 3 things we can try:

• Install PowerShell 7 and attempt to run Connect-Rubrik from PowerShell 7. If you don't have administrative permissions on the box, you can download the ZIP version and just unzip, import the Rubrik module and test if it also fails there: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2
• Follow the instructions in the following doc to enable TLS on a system-wide level: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
• Do additional troubleshooting by running the following code, and share the verbose output. This will allow me to get a better idea of what's happening. Make sure the output is sanitized (remove any ip address, server names, passwords or base64 encoded creds) or alternatively open a Support Case on the portal where you can share the full output without sanitizing the verbose output.

# Enter your credentials & cluster name
$Credential = Get-Credential
$YourRubrikCluster = 'your.cluster.com'

$VerbosePreference = 'Continue'
$ErrorActionPreference = 'Stop'

& {
    trap {$_.exception.tostring()}
    [Net.ServicePointManager]::SecurityProtocol.value__
    Connect-Rubrik -Server $YourRubrikCluster -Credential $Credential
    [Net.ServicePointManager]::SecurityProtocol.value__
}

& {
    trap {$_.exception.tostring()}

    [Net.ServicePointManager]::SecurityProtocol.value__
    Invoke-Webrequest -uri "https://$YourRubrikCluster/api/v1/vmware/vm?limit=1" -method get -header @{'Authorization' = 'Basic {0}' -f [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($credential.UserName):$($credential.GetNetworkCredential().password)"))} -UseBasicParsing
    [Net.ServicePointManager]::SecurityProtocol.value__
}

& {
    trap {$_.exception.tostring()}
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    [Net.ServicePointManager]::SecurityProtocol.value__
    Connect-Rubrik -Server $YourRubrikCluster -Credential $Credential
    [Net.ServicePointManager]::SecurityProtocol.value__
}

& {
    trap {$_.exception.tostring()}
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    [Net.ServicePointManager]::SecurityProtocol.value__
    Invoke-Webrequest -uri "https://$YourRubrikCluster/api/v1/vmware/vm?limit=1" -method get -header @{'Authorization' = 'Basic {0}' -f [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($credential.UserName):$($credential.GetNetworkCredential().password)"))}
    [Net.ServicePointManager]::SecurityProtocol.value__
}

& {
    trap {$_.exception.tostring()}

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
    [Net.ServicePointManager]::SecurityProtocol.value__
    Connect-Rubrik -Server $YourRubrikCluster -Credential $Credential
    [Net.ServicePointManager]::SecurityProtocol.value__
}

& {
    trap {$_.exception.tostring()}
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
    [Net.ServicePointManager]::SecurityProtocol.value__
    Invoke-Webrequest -uri "https://$YourRubrikCluster/api/v1/vmware/vm?limit=1" -method get -header @{'Authorization' = 'Basic {0}' -f [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($credential.UserName):$($credential.GetNetworkCredential().password)"))} -UseBasicParsing
    [Net.ServicePointManager]::SecurityProtocol.value__
}