Hey there,
has anyone successfully connected to Sharepoint (2016, OnPrem) using REST?
I even fail at adding the host:
item: 'Add a REST host/item3', state: 'failed', business state: 'Error', exception: 'InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: Connection reset (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)'
There seems to be an issue with the SSL handshake, but I can't find the reason for it...
(Firefox's RESTClient doesn't have any of these problems.)
Any suggestions would be great!
Nico
After digging deeper, I found the reason for the "Connection reset error":
Our Sharepoint / IIS requires SNI (Server Name Indication - https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sn...)
openssl s_client -connect sharepointurl:443 -servername sharepointurl
returns:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: B224000060723001993B013F1DFC899CC6F2F1AD1BA9FE733454A7196915DE74
Session-ID-ctx:
Master-Key: 8A04EE01782F322CF2FA001EF14E8FDA2BFB5DF612BE5D6844C3A277F5B74DB380AF8097CF1D2B7762
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528448733
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
openssl s_client -connect sharepointurl:443
returns:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528448998
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
After disabling SNI (which is absolutely not required in our case), the SSL handshake worked!
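An added diagnostic, not from the thread, that encodes the comparison above: it parses the two `openssl s_client` outputs (with and without `-servername`) and names the likely cause. The sample outputs are constructed, condensed from the two runs quoted in this post.

```python
import re

# Constructed samples, condensed from the two openssl s_client runs above:
# with -servername the handshake completes; without it the server resets.
WITH_SNI = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
"""
WITHOUT_SNI = """\
CONNECTED(00000003)
write:errno=104
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

def parse_s_client(output):
    """Extract the handshake facts from `openssl s_client` output."""
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)", output)
    cipher = cipher.group(1) if cipher else None
    return {
        # Cipher 0000 means no cipher was negotiated: the handshake never completed.
        "handshake_ok": cipher not in (None, "0000"),
        "cipher": cipher,
        # Caveat: verify code 0 after a failed handshake is meaningless; no
        # certificate was received, so nothing was verified.
        "verify_code": int(verify.group(1)) if verify else None,
        "reset": "errno=104" in output,  # ECONNRESET: the server dropped the connection
    }

def diagnose(with_sni, without_sni):
    """Compare the -servername run with the plain run and name the likely cause."""
    a, b = parse_s_client(with_sni), parse_s_client(without_sni)
    if a["handshake_ok"] and b["handshake_ok"]:
        return "ok"
    if a["handshake_ok"] and not b["handshake_ok"]:
        return "sni-required"  # fix on either side: client sends SNI, or the IIS binding stops requiring it
    if a["reset"] and b["reset"]:
        return "reset-regardless-of-sni"  # look at routing, firewall, TLS version or ciphers instead
    return "inconclusive"
```

A verify code of 20 on the successful run is a separate, trust-store problem (the issuer is not in the local store), which is what the certificate import workflow is meant to solve once the connection itself works.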
Make sure the name which you're using to connect to Sharepoint is the same name that's encoded in the certificate. Also, try the separate workflow to import the cert first, then run the other.
Thanks for the question.
I already tried using both the CN and all SANs - but without any effect.
I also tried to import the cert first - this only succeeds when I import the cert from a file; using the URL, it fails.
When you run the workflow to import the cert from URL, can you show the error log you receive as output?
Error-Log:
[2018-04-25 16:15:16.813] [E] Workflow execution stack:
***
item: 'Import a certificate from URL with certificate alias/item3', state: 'failed', business state: 'Error', exception: 'InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: Connection reset (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)'
workflow: 'Import a certificate from URL' (c5a874a2-e8e7-480d-bdde-d1a80b8a3011)
| 'input': name=url type=string value=https://URLWORKINGINIEANDFIREFOX
| 'input': name=ignoreWarnings type=boolean value=true
| 'no outputs'
| 'no attributes'
--workflow: 'Import a certificate from URL with certificate alias' (c61fad08-537d-4548-9280-8004a9b92cb3)
| 'attribute': name=error type=string value=InternalError: com.vmware.o11n.plugins.configurator.util.CertificateException: Connection reset (Workflow:Import a certificate from URL with certificate alias / Validate (item1)#5)
| 'attribute': name=isNotTrusted type=boolean value=__NULL__
| 'attribute': name=isCertificateExpired type=boolean value=__NULL__
| 'attribute': name=isDomainWrong type=boolean value=__NULL__
| 'attribute': name=isNotValid type=boolean value=__NULL__
| 'attribute': name=errorText type=string value=__NULL__
| 'attribute': name=certInfo type=string value=__NULL__
| 'attribute': name=installCertificate type=boolean value=true
| 'attribute': name=certificateHostName type=string value=__NULL__
| 'input': name=url type=string value=https://URLWORKINGINIEANDFIREFOX
| 'input': name=ignoreWarnings type=boolean value=true
| 'input': name=certAlias type=string value=
| 'no outputs'
*** End of execution stack.
So it's a connection reset error which usually means there's a communication problem from vRO to that node. Can vRO resolve that address? Do you have potential firewalls in the mix?
The Windows firewall is active on the Sharepoint server, but set to allow-all.
There's only routing in between vRO and Sharepoint, no firewalls.
I can reach the Sharepoint server using openssl, but the response looks strange to me (I don't know whether it is normal for Sharepoint that there is "no peer certificate available"...)
openssl s_client -connect SHAREPOINT-URL:443
write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1524669806
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I don't know what's "normal" or not for Sharepoint, but what do you get when you put that URL in a browser? What does the cert say, and what does the browser complain about?
Both Firefox and IE show that the certificate is valid - no warnings at all...