I'm having a problem using the Get-VMHost command in a Powershell script I'm trying to develop. The command is simply
Get-VMHost <hostname> | fl
Where <hostname> is the actual name of my VMware host. The results are:
Get-VMHost : 3/9/2016 5:28:43 PM Get-VMHost The underlying connection was closed: Could not establish trust relationship for the
SSL/TLS secure channel.
At line:1 char:1
+ Get-VMHost $VMHostname | fl
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHost], ViError
+ FullyQualifiedErrorId : Client20_QueryServiceImpl_RetrievePropertiesEx_ViError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVMHost
Get-VMHost : 3/9/2016 5:28:43 PM Get-VMHost The underlying connection was closed: Could not establish trust relationship for the
SSL/TLS secure channel.
At line:1 char:1
+ Get-VMHost $VMHostname | fl
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VMHost], ViError
+ FullyQualifiedErrorId : Client20_QueryServiceImpl_RetrievePropertiesEx_ViError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVMHost
Get-VMHost : 3/9/2016 5:28:43 PM Get-VMHost VMHost with name <hostname> was not found using the specified filter(s).
At line:1 char:1
+ Get-VMHost $VMHostname | fl
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-VMHost], VimException
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVMHost
Any help would be greatly appreciated.
Sounds like your vCenter does not trust or cannot validate the ESXi host's certificate.
In any case, try setting the following command and trying again.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
I have seen this error before, you might be hitting some timeouts.
Try removing the timeout for the connection, by doing
Set-PowerCLIConfiguration -WebOperationTimeoutSeconds -1
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Did you figure this out? I'm having the same problem. I can connect-viserver and run commands but then something is happening where all the powercli stuff fails with that SSL/TLS error. Then I can disconnect/reconnect and the error goes away for a while.
I know it sounds crazy, but did you already reboot that PC?
Sometimes this is caused by a corruption in the session.
It also might be a .Net corruption, in some cases a reinstall of .Net helped.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I tried running the .net repair tool for server 2016 and then rebooted. Same problem. Here is an example of what's happening.
This runs fine:
##loading credentail and connecting to vmware
$secvmwarepw = get-content $securevmwarepwfile | ConvertTo-SecureString -key $key
$cred = New-Object system.Management.Automation.PSCredential("ent\26165-", $secvmwarepw)
Connect-VIServer ahpap1173.ent.lolcentral.com -Credential $cred -verbose
##loading credential and connecting to pure array
$secpurepw = get-content $securepurepwfile | ConvertTo-SecureString
$ahpure01 = New-PfaArray -EndPoint ahpure01.ent.lolcentral.com -username 26165- -Password $Secpurepw -IgnoreCertificateError
##prompt for VM name to do recovery from. If it matches multiple listings, prompt for correct server. If no match, re-promt for input and give option to type exit to quit.
##If a VM is matched it will be set to the $server2recover variable
$matchedvm = $null
$searchforvm = read-host "Enter the server to recover from and press enter`n"
while (!$matchedvm) {
$matchedvm = get-vm | where {$_.name -like "$searchforvm*"}
If($matchedvm.Count -gt 1){
$IDX = 0
$(foreach ($item in $matchedvm){
$item | select @{l='IDX';e={$IDX}},name
$IDX++}) |
Out-GridView -Title 'Multiple names matched query, plese select the correct VM' -OutputMode single |
foreach { $server2recover = $matchedvm[$_.IDX].Name }
}
else {$server2recover=$matchedvm.name}
if (!$matchedvm) {
$searchforvm = read-host "Unable to match entered name to a VM. Try again or type `"exit`" to quit`n"
if ($searchforvm -eq 'exit'){
exit
}
}
}
Get-VM -name $server2recover | select *
Then when I executed the next block, it failed:
$assigneddisksobject = ForEach ($VM in (Get-VM -name $server2recover | Sort-Object -Property Name)) {
ForEach ($HardDisk in ($VM | Get-HardDisk | Sort-Object -Property Name)) {
"" | Select-Object -Property @{N="VM";E={$VM.Name}},
@{N="Datacenter";E={$Datacenter.name}},
@{N="Cluster";E={$Cluster.Name}},
@{N="Hard Disk";E={$HardDisk.Name}},
@{N="Datastore";E={$HardDisk.FileName.Split("]")[0].TrimStart("[")}},
@{N="VMDKpath";E={$HardDisk.FileName}}
}
}
Get-VM : 4/19/2017 1:02:46 PM | Get-VM | Could not establish trust relationship for the SSL/TLS secure channel with authority 'ahpap1173.ent.lolcentral.com'. |
At line:1 char:41
+ ... eddisksobject = ForEach ($VM in (Get-VM -name $server2recover | Sort- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VM], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVM
Get-VM : 4/19/2017 1:02:47 PM | Get-VM | VM with name 'AHPAP1176' was not found using the specified filter(s). |
At line:1 char:41
+ ... eddisksobject = ForEach ($VM in (Get-VM -name $server2recover | Sort- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-VM], VimException
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVM
At that point if I go back and run any of the powercli cmdlets it fails with that error. Even stuff that just ran a moment before like Get-VM -name $server2recover | select *
Now after a disconnect-viserver / connect-viserver that same code block that just failed, works.
VMware support isn't helping me because we didn't pay for SDK/API support.
Any other thoughts? It doesn't seem to be a common problem since this thread was the only hit I got after spending hours googling it.
I just tested it on a 2008 server as well. It showed up a couple commands later in my first test but I got the same error.
I think this is a powercli 6.x problem. I had the issue in 6.5, 6.3, and 6.0. I don't appear to be having it in 5.8
I have hit this quite a few times too. I have tried all kinds of things, ran it from a variety of different hosts and still get it, and I agree it seems to only have happened with 6.x. I am having increasing numbers of customers hitting it and they are also unable to get support from VMware because they do not have a SDK entitlement. I unfortunately cannot repeat it enough to open my own support case.
There are some semi-related issues for other products:
Data collection fails for VMware vRealize Orchestrator 6.0.x endpoints (2123455) | VMware KB
And this issue with a certain PowerCLI command that William talked about:
Which is also in the release notes for PowerCLI. But both solutions point to the same basic resolution (a MS patch), which has not stopped it for me of my customers.
Nooooo. I just got the error in 5.8
You are not alone.
I am just evaluating the vcheck,ps1 script (http://www.virtu-al.net/vcheck-pluginsheaders/vcheck/). Every now and then I get the same error in different plugins, typically plugins using Get-Datastore, Get-VM.
PowerCLIConfiguration is
Scope ProxyPolicy DefaultVIServerMode InvalidCertificateAction DisplayDeprecationWarnings WebOperationTimeout
Seconds
----- ----------- ------------------- ------------------------ -------------------------- -------------------
Session UseSystemProxy Multiple Ignore True 300
User Multiple
AllUsers Ignore
PowerCLIVersion is
PowerCLI Version
----------------
VMware PowerCLI 6.5 Release 1 build 4624819
---------------
Component Versions
---------------
VMware Cis Core PowerCLI Component 6.5 build 4624453
VMware VimAutomation Core PowerCLI Component 6.5 build 4624450
VMWare ImageBuilder PowerCLI Component 6.5 build 4561891
VMWare AutoDeploy PowerCLI Component 6.5 build 4561891
VMware Vds PowerCLI Component 6.5 build 4624695
VMware Cloud PowerCLI Component 6.5 build 4624821
VMware HA PowerCLI Component 6.0 build 4525225
VMware HorizonView PowerCLI Component 7.0.2 build 4596620
VMware Licensing PowerCLI Component 6.5 build 4624822
VMware PCloud PowerCLI Component 6.5 build 4624825
VMware Storage PowerCLI Component 6.5 build 4624820
VMware vROps PowerCLI Component 6.5 build 4624824
VMware vSphere Update Manager PowerCLI 6.5 build 4540462
vCenter is the appliance, Version 5.5.0.30500 Build 4180648
The error is not reproducible, but accidential. This drives me crazy.
Can confirm, this is driving me crazy. I can reproduce it about 75% of the time I run the script I'm working on
I've tried powercli 6.5, 6.3, 6.1, 5.8, and now 5.1, look what happened
get-harddisk : 4/20/2017 9:23:20 AM | Get-HardDisk | The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. |
Our vcenter server is 6.0.0 build 3018524
Scope ProxyPolicy DefaultVIServerMode InvalidCertificateAction DisplayDeprecationWarnings WebOperationTimeout
Seconds
----- ----------- ------------------- ------------------------ -------------------------- -------------------
Session UseSystemProxy Multiple Ignore True -1
User Multiple
AllUsers Ignore -1
PowerCLI Version
----------------
VMware vSphere PowerCLI 5.1 Release 2 Patch 2 build 3090428
---------------
Snapin Versions
---------------
VMWare AutoDeploy PowerCLI Component 5.1 build 3084724
VMWare ImageBuilder PowerCLI Component 5.1 build 3084724
VMware License PowerCLI Component 5.1 build 669840
VMware VDS PowerCLI Component 5.1 build 3062849
VMware vSphere PowerCLI Component 5.1 Patch 2 build 3062849
Seems to be independent of vcenter version, we use
Vendor: | VMware Inc. | |
Appliance Name: | VMware vCenter Server Appliance | |
Appliance Version: |
|
There is no general solution for issues related to the secure channel.
The certificate validation handler is global for a PowerShell process and is shared by all cmdlets. In the case of the script above:
New-PfaArray ... -IgnoreCertificateError
might be causing PowerCLI to not ignore a certificate error (due to a conflict in the way the shared handler is used by the commands of the PureStoragePowerShellSDK module and how PowerCLI expects this to happen).
You can try the following:
- Reorder the commands in such a way that you don't use commands from the PureStoragePowerShellSDK while you have an active connection to vCenter/ESX (e.g. after Connect-VIServer and before Disconnect-VIServer)
- The ideal solution is to have your server certificates be valid according to the Windows OS (e.g. trust them/their CA in the OS certificate store or issue them from a Certificate Authority that is trusted by your OS).
If the certificate is trusted by the OS but the secure channel still fails, it might be that your OS does not support the cryptography used by the server (might be the case for newer vCenter and older OS). It might be missing support for SHA512 is some cases. You can read this MS support article on how to update your OS if that is the case: https://support.microsoft.com/en-us/help/2973337/sha512-is-disabled-in-windows-when-you-use-tls-1.2
Thank you for the reply. I'll comment the pure storage stuff out, see if I can still generate the error, and report back.
Any update on this? I am getting similar error, not reproducible. Some days it does it, other days it doesn't seem to have the problem, what I do know is it causes my vcheck script to stop and therefore my other vcenters don't get run that come after it.
Maybe I should open a ticket, I do think my company has SDK/API support.
Yes, I agree, open an SR.
Btw, a normal support contract is sufficient to create a SR (provided the problem is with cmdlet and not with your script).
No need to have API/SDK support
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Get-HardDisk : 5/24/2017 8:27:54 AM | Get-HardDisk | Could not establish trust relationship for the SSL/TLS secure channel with authority 'xx.xx.xx.xxx'. |
At C:\Users\PAKAUFFM\Downloads\vCheck-vSphere-master\vCheck-vSphere-master - XXXXX\Plugins\60 VM\106 Find Phantom Snapshots.ps1:8 char:28
+ $theVMdisks = $theVM | Get-HardDisk
+ ~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-HardDisk], ViError
+ FullyQualifiedErrorId : Client20_QueryServiceImpl_RetrievePropertiesEx_ViError,VMware.VimAutomation.ViCore.Cmdlets.Commands.VirtualDevice.GetHardDisk
Before I do that, is this commend also depreciated or something? I also get the error a lot with this Get-HardDisk.
No, the Get-HardDisk cmdlet is not depreciated.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I did open an SR and they would not help me.
After the reply about the way powershell handles the SSL I put a cert on my pure storage array so I didn't have to use the -IgnoreCertificateError. It appeared to fix the problem, but I only ran through it once so it could still be an issue.
I had another script where I was using the pure storage cmdlets along with some azure/powerbi ones and I ran into the same SSL error from the powerbi command while using -IgnoreCertificateError on the pure stuff. Removing it did fix the problem in those scripts.
Are other people that are getting this message mixing the vmware cmdlets with someone else's?
Christian