PowerShell and SHA512 SSL Certificates

It’s a beautiful weekend, and I thought hey, let’s get something quick done in the home lab before going out to the movies %). The other guy on the other end (the lab) says: DREAM ON!!!

I’m tinkering with vCloud Director 9.5 and I needed to connect to the cells via PowerCLI (simple, right?). I launched PowerShell, typed Connect-CIServer fqdn, and all thoughts of going to the movies splintered into smithereens.

Connect-CIServer : 12/22/2018 1:29:42 PM Connect-CIServer No Cloud server was found on https://fqdn:443/api/.

  • I browsed to my vCD cells (two setups) through the browser successfully.
  • All of my cells have CA signed SSL certificates.
  • I tested accessing the API via Postman; GET and SET work fine as well.
  • I updated PowerCLI from 11.0.0 to 11.1.0 and I noticed the same behavior as well.
  • I tried setting the InvalidCertificateAction PowerCLIConfiguration to Ignore (Set-PowerCLIConfiguration), with the same results.

After exhausting what could be done, I sent a message over Slack on the PowerCLI group and got help from Kyle Ruddy. After going through what I had done, he pointed me to the script Resolve-Error (which turned out to be a real gem). What the script does is simple: after you run the cmdlet you call the function, and it outputs all of the exceptions in detail. Here is the output from mine (the output is huge, so I will only show the part which was relevant to resolving the issue):

Status : SecureChannelFailure
Response :
Message : The request was aborted: Could not create SSL/TLS secure channel.
Data : {}
InnerException :
TargetSite : System.Net.WebResponse EndGetResponse(System.IAsyncResult)
StackTrace : at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
HelpLink :
Source : System
HResult : -2146233079

Apparently PowerShell had issues with my SSL certificates after all, but it was too shy to tell me directly!! (Thank you Kyle.) So I did another round of investigation, but now I was keen on something:

  • I know for a fact that I could connect to my vCenter Server/s with no issues, and those were signed by the same CA server.
  • I am not using SHA1 (apologies for the blasphemy) in my environment.
  • I did a quick comparison between my SSL certificates and found out the following:
    • My vCenter Server/s uses a SHA256 signature.
    • My vCD Cells are using a SHA512 signature.
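
As an added example (not code from the original post), here is a PowerShell function that completes a TLS handshake with a server and reports the signature algorithm of the certificate it presents, so the SHA256 vs SHA512 comparison above can be made from the jump box itself; the hostnames at the bottom are placeholders. If the local Schannel stack cannot negotiate with a server, the handshake failure is reported instead, which is the symptom the post describes.

```powershell
function Get-TlsServerCertificateInfo {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # The validation callback returns $true so the certificate can be read even when
        # the local machine would not trust it; nothing is sent over this channel.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList $ssl.RemoteCertificate
            [pscustomobject]@{
                Host               = "$ComputerName`:$Port"
                Subject            = $cert.Subject
                Issuer             = $cert.Issuer
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha512RSA
                Protocol           = $ssl.SslProtocol
                Error              = $null
            }
        } catch {
            # A client-side handshake failure lands here, the same condition that
            # Resolve-Error showed as "Could not create SSL/TLS secure channel".
            [pscustomobject]@{
                Host               = "$ComputerName`:$Port"
                Subject            = $null
                Issuer             = $null
                SignatureAlgorithm = $null
                Protocol           = $null
                Error              = $_.Exception.Message
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

# Compare a server that connects fine with one that does not (placeholder names).
'vcenter.lab.example', 'vcd-cell1.lab.example' |
    ForEach-Object { Get-TlsServerCertificateInfo -ComputerName $_ } |
    Format-Table Host, SignatureAlgorithm, Protocol, Error -AutoSize
```

Run it from the same machine PowerCLI runs on, since the point is what that machine’s TLS stack can negotiate, not what a browser on another box can.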

On my jump box I tend to use Chrome, so I don’t touch IE that much. For the sake of testing things out, though, I attempted to access my vCD cells through IE and surprisingly I couldn’t, so we were on to something.

I downloaded the updates, ran them one after the other, rebooted my jump machine, saw a blue screen on one of the restarts, restarted again, life goes on, and the machine is up %). Fired up PowerShell, invoked the Connect-CIServer command and EUREKA! It worked! Launched IE, attempted to access the vCD cells’ FQDN and it worked fine as well.

There you have it people, it’s 11:00PM as of now and my secure channel skills are at +1 :-P.

I hope this was joyful,
(Abdullah)^2

Clip art resource: FCIT
