VMware Cloud Community
SCharchouf
Hot Shot

Get-EsxCli Could not establish secure channel for SSL/TLS with authority

Despite adding the below to my script, I always get the error message: Get-EsxCli Could not establish secure channel for SSL/TLS with authority

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls,[System.Net.SecurityProtocolType]::Tls11,[System.Net.SecurityProtocolType]::Tls12

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

Has anyone encountered this kind of problem?

21 Replies
LucD
Leadership

Did you check the certificate on the ESXi node that fails?

It could be that there is a mismatch between the host (FQDN, hostname and/or IP) and the ones defined in the certificate.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

I'm trying to find a scripted way to collect all the information, however vCenter is not resolved with its IP address.

LucD
Leadership

Not sure what you mean by that?

Btw, Get-EsxCli is for ESXi nodes, where does the vCenter come into play?

Except for the Connect-VIServer.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

I mean, as I'm connecting to the ESXi node through vCenter, I'm trying to find a way to check why Get-VMHost is not working within the script.

FYI: when I just connect to vCenter and run the cmdlet Get-VMHost, it's working.

Really strange....

LucD
Leadership

But it seems to be one of the ESXi nodes for which the Get-EsxCli doesn't work.

That requires a different connection to be made vs just running a Get-VMHost which only queries the vCenter.

Isn't the try-catch showing which ESXi node(s) cause(s) the error?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

Yep, it is that one, but another one also provided the same error on a different server.

LucD
Leadership

So did you check the certificate used by that ESXi node/ESXi nodes?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

Yes, and all are good.

LucD
Leadership

Meaning that each certificate contains both the FQDN and the IP address as a Subject Alternative Name?

How are these ESXi nodes registered in the vCenter?

With an IP, a hostname, or an FQDN?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

Servers are registered with FQDN.

I'm not sure if the certificate contains both FQDN and IP, but I confirm that the vCenter is not resolved by its IP.

I verified with a Production vCenter: I can resolve the FQDN when I nslookup its IP.

Get-EsxCli : 24/10/2020 20:58:21    Get-EsxCli          Could not establish secure channel for SSL/TLS with authority 'vCenter.local'.
At X:\script.ps1:186 char:19
+     $esxcli = Get-EsxCli -VMHost $ESX -V2
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo      : NotSpecified: (:) [Get-EsxCli], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.EsxCli.GetEsxCli

You cannot call a method on a null-valued expression.
At X:\script.ps1:188 char:9
+     $obj = New-Object -TypeName PSObject -Property @{
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo      : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

SCharchouf
Hot Shot

I solved the issue; it's working fine.

I just added the vCenter name without domain in the txt file and no error message was received.

Tested multiple times and it's OK.

LucD
Leadership

Ok, let's take a step back.

You stated that you can do the Connect-VIServer to the vCenter without a problem?

With the Set-PowerCLIConfiguration cmdlet you set InvalidCertificateAction to Ignore?

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope AllUsers

Did you configure the TLS protocols 1.2 for PowerShell?

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

Did you check which TLS protocol(s) are supported on your vCenter and ESXi nodes?
You could use a function like the one in Testing SSL and TLS with PowerShell


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

LucD
Leadership

So it looks like your vCenter certificate does not contain the FQDN but the hostname.
Ok, good it is working now.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
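
The check discussed above, whether the name used to reach a server appears in its certificate, can be run directly. This is an added example, not part of the thread or of PowerCLI: the function names are hypothetical, and the certificate is constructed in memory with the sample names `vcenter` and `vcenter.local`.

```powershell
# Requires PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2+.
# Function names are hypothetical; 'vcenter' / 'vcenter.local' are sample names.
function Get-RemoteCertificate {
    param([string]$ComputerName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept whatever is presented: the goal is to read the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
    } finally { $tcp.Dispose() }
}

function Test-CertificateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Name)
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Windows renders "DNS Name=x, IP Address=y"; other platforms may render "DNS:x".
        $names = [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:|IP Address[=:])([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    } else {
        # No SAN: fall back to the subject common name.
        $names = $Certificate.GetNameInfo('SimpleName', $false)
    }
    [pscustomobject]@{
        Requested        = $Name
        CertificateNames = $names -join ', '
        Match            = @($names) -contains $Name   # case-insensitive; wildcards not expanded
    }
}

# Constructed in-memory certificate that carries only the short name.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=vcenter', $rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$builder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
$builder.AddDnsName('vcenter')
$req.CertificateExtensions.Add($builder.Build())
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(1))

'vcenter', 'vcenter.local' | ForEach-Object { Test-CertificateName -Certificate $cert -Name $_ }
# Live check: $r = Get-RemoteCertificate 'vcenter.local'; Test-CertificateName $r.Certificate 'vcenter.local'
```

With the constructed certificate, `Match` is True for `vcenter` and False for `vcenter.local`. The `Protocol` property returned by `Get-RemoteCertificate` shows which TLS version was actually negotiated with a live host.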

SCharchouf
Hot Shot

Here the result of the function

TLSv1_0   : False
KeyExhange:
SSLv3     : False
TLSv1_2   : False
SSLv2     : False
HashAlgorithm :
Host      : vcenter.local
Port      : 443
TLSv1_1   : False

From xxx.xxx.xxx.xxx to vcenter.local xxx.xxxx.xxx.xxx:443

CanRead: False
CanSeek: False
CanTimeout: True
CanWrite: False
CheckCertRevocationStatus: False
CipherAlgorithm:
CipherStrength:
HashAlgorithm:
HashStrength:
IsAuthenticated: False
IsEncrypted: False
IsMutuallyAuthenticated: False
IsServer: False
IsSigned: False
KeyExchangeAlgorithm:
KeyExchangeStrength:
LeaveInnerStreamOpen: False
Length:
LocalCertificate:
Position:
ReadTimeout: 15000
RemoteCertificate:
SslProtocol:
TransportContext: System.Net.SslStreamContext
WriteTimeout: 15000

LucD
Leadership

Now I'm lost, your vCenter doesn't support any TLS protocol?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

This is a vCenter for test, but I just discovered right now that it does not support any TLS protocol.

So if I have understood correctly, all TLS protocols marked False means that no TLS is supported. Is there anything else that you have identified from this output?

LucD
Leadership

Correct.
So basically there is no security whatsoever on that vCenter.

What version is that vCenter and how were you able to install it like that out of the box?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

To be honest, I'm new at this firm and I'm trying to correct things.

LucD
Leadership

It would help if you know the version of that vCenter.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
