PowerShell and SHA512 SSL Certificates
It’s a beautiful weekend, and I thought hey, let’s get something quick done in the home lab before going out to the movies %). The guy on the other end (the lab) says: DREAM ON!!!
I’m tinkering with vCloud Director 9.5 and I needed to connect to the cells via PowerCLI (simple, right?). I launched PowerShell, typed Connect-CIServer fqdn, and all thoughts of going to the movies splintered into smithereens.
Connect-CIServer : 12/22/2018 1:29:42 PM Connect-CIServer No Cloud server was found on https://fqdn:443/api/.
- I browsed to my vCD cells (two setups) through the browser successfully.
- All of my cells have CA-signed SSL certificates.
- I tested accessing the API via Postman; GET and SET work fine as well.
- I updated PowerCLI from 11.0.0 to 11.1.0 and noticed the same behavior.
- I tried setting InvalidCertificateAction to Ignore via Set-PowerCLIConfiguration, with the same result.
After exhausting what could be done, I sent a message over Slack on the PowerCLI group and got help from Kyle Ruddy. After going through what I had done, he pointed me to the script Resolve-Error (which turned out to be a real gem). After you run the cmdlet, you call the function and it outputs all of the exceptions in detail. Here is the output from mine (the output is huge, so I will only show the part which was relevant to resolving the issue):
Status : SecureChannelFailure
Response :
Message : The request was aborted: Could not create SSL/TLS secure channel.
Data : {}
InnerException :
TargetSite : System.Net.WebResponse EndGetResponse(System.IAsyncResult)
StackTrace : at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
HelpLink :
Source : System
HResult : -2146233079
Apparently PowerShell had issues with my SSL certificates after all, but it was too shy to tell me directly!! (Thank you Kyle). So I did another round of investigation, but now I had something to go on:
- I know for a fact that I could connect to my vCenter Server/s with no issues, and those were signed by the same CA server.
- I am not using SHA1 (apologies for the blasphemy) in my environment.
- I did a quick comparison between my SSL certificates and found out the following:
  - My vCenter Server/s use a SHA256 signature.
  - My vCD cells are using a SHA512 signature.
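To make that comparison repeatable, here is an added example (my own, not code from the post or from PowerCLI) that pulls the certificate each endpoint presents and reports its signature algorithm, plus a small helper that unwraps nested exceptions the way Resolve-Error does; the host names are placeholders.

```powershell
# Added example, not code from the original post or from VMware PowerCLI.
# Host names are placeholders; replace them with your own vCenter / vCD FQDNs.
function Get-RemoteCertSignature {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # The validation callback accepts any certificate because we only want to
        # read it, not trust it; nothing is sent after the handshake.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host               = $HostName
            Subject            = $cert.Subject
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha512RSA
            NotAfter           = $cert.NotAfter
            TlsProtocol        = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Walk the InnerException chain of a caught error, the way Resolve-Error surfaces
# the WebException hidden behind "No Cloud server was found".
function Show-InnerExceptions {
    param([Parameter(Mandatory)] [System.Management.Automation.ErrorRecord] $Record)
    $ex = $Record.Exception
    $depth = 0
    while ($ex) {
        '{0}[{1}] {2}: {3}' -f ('  ' * $depth), $depth, $ex.GetType().Name, $ex.Message
        $ex = $ex.InnerException
        $depth++
    }
}

foreach ($h in 'vcenter.example.local', 'vcd-cell01.example.local') {
    try   { Get-RemoteCertSignature -HostName $h | Format-List }
    catch { Show-InnerExceptions -Record $_ }
}
```

On a Windows build affected by the SHA512/TLS 1.2 issue the handshake to the SHA512-signed cell fails with the same secure-channel error, which is itself a confirming signal; run it from a patched machine or read the certificate in the browser instead.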
On my jump box I tend to use Chrome, so I don’t touch IE that much. For the sake of testing things out, though, I attempted to access my vCD cells through IE and surprisingly I couldn’t, so we were on to something.
- I did a quick search on “Microsoft IE + SHA512 Certificates” and got this article, “SHA512 is disabled in Windows when you use TLS 1.2”, at the top of the results.
I downloaded the updates, ran them one after the other, rebooted my jump machine, saw a blue screen on one of the restarts, restarted again, life goes on, and the machine is up %). Fired up PowerShell, invoked the Connect-CIServer command and EUREKA! It worked! Launched IE and attempted to access the vCD cells’ FQDN and it worked fine as well.
There you have it people, it’s 11:00 PM as of now and my secure channel skills are at +1 :-P.
I hope this was joyful,
(Abdullah)^2
Clip art resource: FCIT