Error on MacOS when attempting to use New-NSXLogicalSwitch

[Zsoldier]

Host Config: Name : ConsoleHost Version : 6.0.1 InstanceId : abad303e-f899-4287-96cc-8d15f65c40c4 UI : System.Management.Automation.Internal.Host.InternalHostUserInterface CurrentCulture : en-US CurrentUICulture : en-US PrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy DebuggerEnabled : True IsRunspacePushed : False Runspace : System.Management.Automation.Runspaces.LocalRunspace Version Name

---

3.0.1091 PowerNSX
3.0.1088 PowerNSX
10.0.0.7895300 VMware.PowerCLI

invoke-nsxwebrequest : Invoke-NsxWebRequest : An unknown exception occured calling invoke-internalwebrequest. System.AggregateException: One or more errors occurred. (The handler does not support custom handling of certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20").) ---> System.PlatformNotSupportedException: The handler does not support custom handling of certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20"). at System.Net.Http.CurlHandler.SslProvider.SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption) at System.Net.Http.CurlHandler.EasyRequest.InitializeCurl() at System.Net.Http.CurlHandler.MultiAgent.ActivateNewRequest(EasyRequest easy) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext() --- End of inner exception stack trace --- at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord) ---> (Inner Exception #0) System.PlatformNotSupportedException: The handler does not support custom handling of certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20"). at System.Net.Http.CurlHandler.SslProvider.SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption) at System.Net.Http.CurlHandler.EasyRequest.InitializeCurl() at System.Net.Http.CurlHandler.MultiAgent.ActivateNewRequest(EasyRequest easy) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at System.Net.Http.HttpClient.d__58.MoveNext()<---

StackTrace: at Invoke-InternalWebRequest, /usr/local/share/powershell/Modules/PowerNSX/3.0.1088/PowerNSX.psm1: line 3765 at Invoke-NsxWebRequest, /usr/local/share/powershell/Modules/PowerNSX/3.0.1088/PowerNSX.psm1: line 4218 at New-NsxLogicalSwitch, /usr/local/share/powershell/Modules/PowerNSX/3.0.1088/PowerNSX.psm1: line 9968 at , : line 1 At /usr/local/share/powershell/Modules/PowerNSX/3.0.1088/PowerNSX.psm1:9968 char:21

• ... $response = invoke-nsxwebrequest -method "post" -uri $URI -body $body ...
• CategoryInfo : InvalidResult: (Invoke-NsxWebRequest:String) [Invoke-NsxWebRequest], InternalNsxApiException
• FullyQualifiedErrorId : NsxAPIFailureResult,Invoke-NsxWebRequest

The property 'content' cannot be found on this object. Verify that the property exists. At /usr/local/share/powershell/Modules/PowerNSX/3.0.1088/PowerNSX.psm1:9971 char:9

• Get-NsxLogicalSwitch -virtualWireId $response.content -connec ...
• CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
• FullyQualifiedErrorId : PropertyNotFoundStrict

[alagoutte]

Hi Zsoldier

it look like very similar to #488 (and https://github.com/dotnet/corefx/issues/27000)

[Zsoldier]

@alagoutte yep, that's the exact issue. So appears to be a base .net core issue. Lovely. Still reading through to see if workarounds listed work.

[Zsoldier]

Looks like I can get around this issue by modifying the client handler. Just unsure if it's a permanent solution or if it might break other things. $InternalHttpClientHandler = @" using System.Net.Http; public class InternalHttpClientHandler : HttpClientHandler { public InternalHttpClientHandler(bool SkipCertificateCheck) { if (SkipCertificateCheck) { ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator; } } } "@

[alagoutte]

Can your push a PR with the fix ?

[dcoghlan]

Thanks for the investigation @Zsoldier. This is also the same potential fix that we are looking into, but like you mentioned, we need to make sure that we aren't going to effect anything else before we implement any changes as it touches quite a core component of PowerNSX.

[Zsoldier]

@alagoutte I was going to, but being a git noob, I am unsure how to do 'another' pull request when my current pull request has still not been merged. Sounds like @dcoghlan has got it though.

So far the 'fix' has been pretty smooth sailing for me on powershell core on Mac. I'll need to try it on a Windows and Linux system though.

[nmbradford]

Hi guys - thanks for the investigation @Zsoldier and @dcoghlan.

So, the easy workaround is simply to modify $InternalHttpClientHandler as directed above and those with the issue should have a working module again.

To fix this properly is a little harder for us at the moment- while the simple fix is to write detection code for the platform and handle accordingly - the proper way is a lot of refactoring to remove the many workarounds we put in to support PowerShell Core in the alpha releases that are no longer required and to deprecate support for alpha PoSH Core completely. I'd prefer the second approach, but it will take longer and requires updates to our CI. Regardless of the approach, we cant execute tests, as our CI is not available at the moment as the underlying platform is also being refreshed (and this is where we are currently spending our spare time!)

Long story short - this will probably be a few weeks at least before a fix is available. Depending on impact, we might be able to do something earlier, but there are other things we need to be working on at the moment.

If this issue impacts you and you arent able to apply the workaround above manually, please +1 this comment so we can gauge impact.

[nmbradford]

BTW - @Zsoldier has a blog article describing the fix nice and succinctly if you need instructions. http://tech.zsoldier.com/2018/03/vmware-powernsx-on-mac-invoke.html. Thanks @Zsoldier !

[Zsoldier]

٩( ᐛ )و

[alagoutte]

+1 with second approach ;-)

[nmbradford]

try clicking the 'thumbs up emoji' on my post - so I don't have to count the hundreds of 'oh yes, me too please' comments ;)

[Zsoldier]

@nmbradford looks like this fix was implemented? If so, can probably close out this bug.

[nmbradford]

indeed!