Despite adding the lines below to my script, I always get the error message: Get-EsxCli Could not establish secure channel for SSL/TLS with authority
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls,[System.Net.SecurityProtocolType]::Tls11,[System.Net.SecurityProtocolType]::Tls12
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
Has anyone encountered this kind of problem?
Did you check the certificate on the ESXi node that fails?
It could be that there is a mismatch between the host (FQDN, hostname and/or IP) and the ones defined in the certificate.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I'm trying to find a scripted way to collect all the information; however, vCenter is not resolved with its IP address.
Not sure what you mean by that?
Btw, Get-EsxCli is for ESXi nodes, where does the vCenter come into play?
Except for the Connect-VIServer.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I mean, as I'm connecting to the ESXi node through vCenter, I'm trying to find a way to check why Get-VMHost is not working within the script.
FYI: when I just connect to vCenter and run the cmdlet Get-VMHost, it's working.
Really strange...
But it seems to be one of the ESXi nodes for which the Get-EsxCli doesn't work.
That requires a different connection to be made vs just running a Get-VMHost which only queries the vCenter.
Isn't the try-catch showing which ESXi node(s) cause(s) the error?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yep, it is that one, but another one also gave the same error on a different server.
So did you check the certificate used by that ESXi node/ESXi nodes?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes, and all are good.
Meaning that each certificate contains both the FQDN and the IP address as a Subject Alternative Name?
How are the ESXi nodes registered in the vCenter?
With an IP, a hostname, or an FQDN?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Servers are registered with FQDN.
I'm not sure if the certificate contains both FQDN and IP, but I confirm that the vCenter is not resolved by its IP.
I verified with a production vCenter: I can resolve the FQDN when I nslookup its IP.
Get-EsxCli : 24/10/2020 20:58:21    Get-EsxCli    Could not establish secure channel for SSL/TLS with authority 'vCenter.local'.
At X:\script.ps1:186 char:19
+         $esxcli = Get-EsxCli -VMHost $ESX -V2
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EsxCli], VimException
    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.EsxCli.GetEsxCli
You cannot call a method on a null-valued expression.
At X:\script.ps1:188 char:9
+         $obj = New-Object -TypeName PSObject -Property @{
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
I solved the issue, it's working fine.
I just added the vCenter name without the domain in the txt file and no error message was received.
Tested multiple times and it's OK.
Ok, let's take a step back.
You stated that you can do the Connect-VIServer to the vCenter without a problem?
With the Set-PowerCLIConfiguration cmdlet you set InvalidCertificateAction to Ignore?
Did you configure the TLS protocols 1.2 for PowerShell?
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
Did you check which TLS protocol(s) are supported on your vCenter and ESXi nodes?
You could use a function like the one in Testing SSL and TLS with PowerShell
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
So it looks like your vCenter certificate does not contain the FQDN but the hostname.
Ok, good it is working now.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
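A way to run the certificate check suggested in this thread, as an added example that is not from any of the posters: it reads the certificate a host presents on port 443 and reports whether the name used to connect appears in the Subject Alternative Name entries or the common name. The function name Test-CertificateName and the host names and IP address at the bottom are assumptions (placeholders).

```powershell
# Added example. The host names and IP address at the bottom are placeholders.
function Test-CertificateName {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any certificate here: the goal is to read it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            # 2.5.29.17 = subjectAltName; Format() renders the extension as text
            $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $sanText = if ($ext) { $ext.Format($false) } else { '' }
            # Windows prints "DNS Name=x, IP Address=y"; OpenSSL-based builds print "DNS:x, IP Address:y"
            $names = @([regex]::Matches($sanText, '(?:DNS Name=|DNS:|IP Address[=:])([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
            $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            [pscustomobject]@{
                Target      = $ComputerName
                Protocol    = $ssl.SslProtocol
                CommonName  = $cn
                SanEntries  = $names -join ', '
                # Exact, case-insensitive match; wildcard entries are not expanded
                NameMatches = ($names -contains $ComputerName) -or ($cn -eq $ComputerName)
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

# Try every form of the name that a script or vCenter might use for the same machine.
foreach ($name in 'vcenter01', 'vcenter01.example.local', '192.0.2.10') {
    try { Test-CertificateName -ComputerName $name }
    catch { Write-Warning "$name : $($_.Exception.Message)" }
}
```

A row with NameMatches False for the name form used in the script or in the vCenter inventory points to the kind of mismatch discussed above; a warning instead of a row means the connection or handshake itself failed for that name.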
Here is the result of the function:
TLSv1_0       : False
KeyExhange    :
SSLv3         : False
TLSv1_2       : False
SSLv2         : False
HashAlgorithm :
Host          : vcenter.local
Port          : 443
TLSv1_1       : False
From xxx.xxx.xxx.xxx to vcenter.local xxx.xxxx.xxx.xxx:443
CanRead: False
CanSeek: False
CanTimeout: True
CanWrite: False
CheckCertRevocationStatus: False
CipherAlgorithm:
CipherStrength:
HashAlgorithm:
HashStrength:
IsAuthenticated: False
IsEncrypted: False
IsMutuallyAuthenticated: False
IsServer: False
IsSigned: False
KeyExchangeAlgorithm:
KeyExchangeStrength:
LeaveInnerStreamOpen: False
Length:
LocalCertificate:
Position:
ReadTimeout: 15000
RemoteCertificate:
SslProtocol:
TransportContext: System.Net.SslStreamContext
WriteTimeout: 15000
Now I'm lost, your vCenter doesn't support any TLS protocol?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
This is a test vCenter, but I just discovered that it does not support any TLS protocol.
So if I have understood correctly, all TLS protocols marked False means that no TLS is supported. Is there anything else that you have identified from this output?
Correct.
So basically there is no security whatsoever on that vCenter
What version is that vCenter and how were you able to install it like that out of the box?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
To be honest, I'm new at this firm and I'm trying to correct things.
It would help if you know the version of that vCenter
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference