VMware Cloud Community
ariffazman
Contributor

Could not establish secure channel for SSL/TLS with authority using PowerCLI.

I've already set the invalid certificate action to ignore.

Able to connect to vCenter using the web or desktop client just fine.


17 Replies
LucD
Leadership

Try running this before

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11,[System.Net.SecurityProtocolType]::Tls12


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ariffazman
Contributor

Unfortunately, same error still persists.

LucD
Leadership

Which PowerCLI version are you using?
From where do you run this?
Can you attach a screenshot of the commands and the error?


ariffazman
Contributor

Run from my local PC PowerShell. Same error even when using our JUMP server.

LucD
Leadership

Can you do a Get-PowerCLIConfiguration?
Check the different scopes for the InvalidCertificate settings


ariffazman
Contributor

Here you go.

LucD
Leadership

Can you start a PS session as Administrator, and then do the Set-PowerCLIConfiguration setting for the AllUsers scope?

Set-PowerCLIConfiguration -Confirm:$false -Scope AllUsers -InvalidCertificateAction Ignore


ariffazman
Contributor

Done. Same error. Is it by any chance because of the vCenter vSphere version?

Because I've managed to connect to all my other vCenters running 6.5, and those failing are 5.5 & 5.1.

LucD
Leadership

In that case, try setting the following before the Connect-VIServer

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls,
     [System.Net.SecurityProtocolType]::Tls11,
     [System.Net.SecurityProtocolType]::Tls12



ariffazman
Contributor

You sir are a lifesaver. Thanks much. It works now, so does it mean I have to set my security protocol every time I'm gonna use Connect-VIServer?

LucD
Leadership

Only when you want to connect to that older vCenter.
PS and vSphere moved on, and the old TLS protocol is not supported on either of them anymore.


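One way to keep the older protocol limited to the legacy vCenter, as the reply above advises (an added example, not code from the thread or from PowerCLI). `Invoke-WithLegacyTls` is a hypothetical helper name and `vc55.example.local` is a placeholder; it assumes Windows PowerShell, where `ServicePointManager.SecurityProtocol` is a process-wide setting.

```powershell
# Added example: enable TLS 1.0 only while talking to the legacy vCenter,
# then restore the previous process-wide setting.
function Invoke-WithLegacyTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [scriptblock] $ScriptBlock
    )

    $type     = [System.Net.SecurityProtocolType]
    $previous = [System.Net.ServicePointManager]::SecurityProtocol

    if ([int]$previous -eq 0) {
        # SystemDefault is 0, so OR-ing Tls into it would leave TLS 1.0 as the
        # only protocol offered. Use the explicit list from the thread instead.
        $temporary = $type::Tls -bor $type::Tls11 -bor $type::Tls12
    }
    else {
        # Keep whatever was already enabled and add TLS 1.0 on top.
        $temporary = $previous -bor $type::Tls
    }

    try {
        [System.Net.ServicePointManager]::SecurityProtocol =
            [System.Net.SecurityProtocolType]$temporary
        Write-Verbose "SecurityProtocol: $previous -> $([System.Net.ServicePointManager]::SecurityProtocol)"
        & $ScriptBlock
    }
    finally {
        # Runs even if the script block throws, so later connections in this
        # session no longer offer TLS 1.0.
        [System.Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Keep all work against the legacy server inside the block: cmdlets that open
# a new connection after the restore would fail the handshake again.
Invoke-WithLegacyTls -Verbose -ScriptBlock {
    $vi = Connect-VIServer -Server 'vc55.example.local'   # placeholder server name
    try     { Get-VM -Server $vi | Select-Object Name, PowerState }
    finally { Disconnect-VIServer -Server $vi -Confirm:$false }
}
```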
TScalzott
Enthusiast

As I understand it, best practice is to not specify specific TLS implementations, but to allow Windows to use the highest available on the client. This will work if TLS 1.2 is enabled and in the future work with TLS 1.3:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::SystemDefault

Citation: SecurityProtocolType Enum (System.Net) | Microsoft Docs

LucD
Leadership

But not when you are using a recent Windows version (where TLS is disabled) with an old vCenter version (which only knows TLS).

And with TLS I mean TLS1.



IPsingh10
Contributor

Hi,

I am having a similar issue.

When I try to connect this one VC from PowerShell ISE, it is working after PowerCLIConfiguration.

But when I try it with Jenkins (with the same service account as PowerShell ISE), it fails with the error below:

Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect once or to add a permanent exception for this server.

Additional Information: Could not establish secure channel for SSL/TLS with authority

PS. Other vCenters are having no issues after I changed the PowerCLIConfiguration of invalidcert.

--Get-PowerCLIConfiguration

snip attached

LucD
Leadership

Did you add the [System.Net.ServicePointManager]::SecurityProtocol part to your code?


IPsingh10
Contributor

Adding this worked for me. Thank you so much.

Earlier, Jenkins was on Windows Server 2012 and it worked there.

Now I had migrated to Server 2022 and Jenkins was showing errors.

I understand that TLS could be the issue in the new system, but the same code was working from PowerShell ISE without changing/adding the protocol option. Any insights on this? Just curious.

LucD
Leadership

Some platforms do not support older TLS protocols by default.
By explicitly specifying the supported versions, the connection can be established.

This is not a good practice, you should investigate why one of the platforms only accepts an older TLS version.

