Octopus Tentacle: The remote certificate is invalid according to the validation procedure

Dear Community/Support,

I have a problem regarding running PowerShell scripts with web requests. I hope you can point me in the right direction. If there is a similar thread with a solution, please forgive me for not finding it. I’m still new to CD and may not have used the appropriate buzzwords :wink:

We use Octopus On-Premise in a Windows server environment.
I have written a script which checks the availability of a deployed Angular frontend application hosted on IIS with certificates in place. Basically, after deployment I check for a status code 200 and check a specific JSON file for its entries, namely version and build number/date. I wanted to run the script from the Octopus server, to implicitly check that the network connection works (I had some problems with that in the past).

When running the script manually on the Octopus server itself (logged in as myself or as the service user), the script works as expected, running as Local Admin as well as the service user of the Octopus Server. When running the script from Octopus itself (or any Tentacle), the script fails with:

Polling IIS for ****-frontend at https://apps-dev.****/****/assets/release.json
Instance found...
Checking deployed version against https://apps-dev.****/****/assets/release.json
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> 
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

I kind of understand the error but not why the certificate is not found. We use a company certification chain which is installed on every Windows server, as well as an appropriate web server certificate signed by this chain, whose private key is available in the “Personal” cert store of the server for the relevant users.
I am not setting any TLS-specific configuration in my script, although I already tried setting (maybe with wrong combinations)

  • [System.Net.ServicePointManager]::SecurityProtocol = …Type to Tls, Tls11, Tls12, Tls13
  • [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } / $false / $null

Do you know how to solve this issue or have any suggestions for debugging this? What am I missing, since running the script manually works fine (even as the service user of the Octopus server/Tentacle)?
I’m seeing on the server that two PowerShell processes spawn when running this script from Octopus as a step. Might this be the source of this error?
I can post the relevant parts of my script if that might help.

Any help is kindly appreciated.
Benjamin

Hi Benjamin,

Thank you for reaching out to us with your certificate query.

It sounds like this should work, so we’ll need to do a bit of investigation. There are a few possible explanations - the certificate might not be trusted in context, the script might not be running as a user with access to the certificate and so on.

Would you be able to modify your PowerShell script to iterate over the certificate store to check that it can see and access the certificate? It might also be worth having the script write out the user it is running as, just to ensure it matches what you expect.

Best Regards,

Charles

Hi Charles,

Many thanks for your quick reply as well as your input. It helped me a lot.
After I checked twice that I use the same user (Octopus runs as Local System, unfortunately) when running the script manually and from within Octopus, the same behaviour occurred. Manually it works fine; the script running as an Octopus step failed.
Logging out the certificate in use as well as the chain led me to our proxy server, whose certificate wants to be verified. Setting the proxy settings and bypass rules explicitly on the server (VM) didn’t solve the problem, as the Octopus Server doesn’t use the bypass rules.

Conclusion (please correct me if I’m wrong!):
The Octopus Server does not use the Windows proxy profiles if running as Local System.
This is possibly a default(???) Windows Server behaviour.

Guess I have to talk the admins into using a dedicated service user :slight_smile:

Adding

[System.Net.WebRequest]::DefaultWebProxy = [System.Net.WebRequest]::GetSystemWebProxy()

at the beginning of my script solved it, as the default proxy rules (Group Policy) of the server are then used and the connection and certificate validation perform as expected.

So, Charles, problem solved, and again thank you very much for pointing me to the simple certificate logging.

Best regards
Benjamin


In case other people hit a similar problem, I will post my relevant “debug” code:

# Get user and stuff
Write-Host "env:Username -> $($env:UserName)"
Write-Host "env:UserDomain -> $($env:UserDomain)"
Write-Host "env:ComputerName -> $($env:ComputerName)"
# Environment variables can be misleading for service accounts, so also ask the token itself
Write-Host "WindowsIdentity -> $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# Initiate web request and certificate chain object ($appUrl is set earlier in the step)
$webrequest = [Net.WebRequest]::CreateHttp($appUrl)
$webrequest.AllowAutoRedirect = $true       # to try out the https redirection on IIS
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
# Accept whatever is presented so the handshake completes and the certificate can be inspected.
# This switches validation off for the whole process, so it is reset again at the end.
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

try {
    $response = $webrequest.GetResponse()
    $response.Close()
}
catch { Write-Host "Request failed -> $($_.Exception.Message)" }

# get the different values
$rawCertificate = $webrequest.ServicePoint.Certificate
if (-not $rawCertificate) {
    Write-Host "No server certificate captured (handshake never completed?)"
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    return
}
# X509Chain.Build needs an X509Certificate2, not the raw handle
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rawCertificate
$issuer = $certificate.Issuer
$subject = $certificate.Subject
Write-Host "Subject -> $subject"
Write-Host "Issuer  -> $issuer"
$chainOk = $chain.Build($certificate)
Write-Host "Chain builds -> $chainOk"
write-host $chain.ChainElements.Count           # == 1? None of the chain certs/CA certs are included
write-host $chain.ChainElements[0].Certificate.IssuerName.Name
# ChainStatus says why the chain did not verify (e.g. UntrustedRoot, PartialChain)
$chain.ChainStatus | ForEach-Object { Write-Host "ChainStatus -> $($_.Status): $($_.StatusInformation)" }
# Restore normal certificate validation
[Net.ServicePointManager]::ServerCertificateValidationCallback = $null
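An added example, not part of Benjamin’s post and not Octopus’s own code, that puts the two checks this thread turned on into one step script: which proxy the running account actually resolves for the URL (GetSystemWebProxy() reads the settings of the account the process runs as, which is why Local System and an interactive user can see different things), and what the TLS handshake presents. The validation callback records the certificate, chain depth and policy errors for the log but still returns $true only when .NET reports no error, so validation stays enforced; a callback of { $true }, as used for debugging above, switches certificate checking off for every request in the process. $appUrl is an assumed parameter name and $global:tlsReport is the example’s own variable; the proxy Credentials line is only needed for a proxy that requires Windows authentication.

```powershell
# Added example (not from the original post or from Octopus): what proxy and
# what certificate does this account actually see for $appUrl?
param(
    [Parameter(Mandatory = $true)][string]$appUrl   # assumed parameter name
)

$uri = [Uri]$appUrl
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Running as -> $($identity.Name) (IsSystem: $($identity.IsSystem))"

# 1. Proxy resolution. GetSystemWebProxy() returns the proxy settings of the
#    account the process runs as, so Local System and an interactive user can
#    get different answers for the same URL.
$systemProxy = [System.Net.WebRequest]::GetSystemWebProxy()
# Only needed when the proxy requires Windows authentication
$systemProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
if ($systemProxy.IsBypassed($uri)) {
    Write-Host "Proxy -> bypassed, direct connection to $($uri.Host)"
} else {
    Write-Host "Proxy -> $($systemProxy.GetProxy($uri))"
}
[System.Net.WebRequest]::DefaultWebProxy = $systemProxy

# 2. Certificate inspection without disabling validation. The callback stores
#    what was presented, then returns $true only when .NET found no policy error.
#    $global: is used because the callback runs as a .NET delegate, outside the
#    script's own scope.
$global:tlsReport = $null
# Older .NET defaults to SSL3/TLS1.0; pin TLS 1.2 so the handshake is not
# rejected for protocol reasons before the certificate is even examined.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $global:tlsReport = [pscustomobject]@{
        Subject      = $certificate.Subject
        Issuer       = $certificate.Issuer
        Thumbprint   = $certificate.GetCertHashString()
        ChainDepth   = $chain.ChainElements.Count
        ChainStatus  = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        PolicyErrors = $sslPolicyErrors
    }
    return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

try {
    $request = [System.Net.WebRequest]::CreateHttp($uri)
    $request.AllowAutoRedirect = $true
    $response = $request.GetResponse()
    Write-Host "HTTP -> $([int]$response.StatusCode) from $($response.ResponseUri)"
    $response.Close()
}
catch {
    Write-Host "Request failed -> $($_.Exception.Message)"
}
finally {
    # The callback is process-wide; always put it back.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

if ($global:tlsReport) {
    # An Issuer that is the proxy appliance rather than the company CA, or
    # PolicyErrors = RemoteCertificateChainErrors with ChainDepth 1, points at
    # TLS interception or a missing intermediate rather than at the IIS site.
    $global:tlsReport | Format-List
}
```

Run it once interactively and once as an Octopus step and compare the two “Running as”, “Proxy ->” and Issuer lines: if the proxy line differs, the step is not picking up the account’s proxy profile; if the Issuer differs, something between the Tentacle and IIS is terminating TLS with its own certificate and that issuer, not the IIS site’s, is what needs to be in the machine trust store.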

Hi Benjamin,

Thank you for your message, I’m pleased to hear that the problem is solved. I also really appreciate you sharing your solution - it’ll be helpful if any other users have the same problem in future.

Please get back in touch if you have any questions.

Best Regards,

Charles
