
Powershell script failing with Cannot create TLS/SSL secure channel - managed to restart Cloud Service roles #13742

@cadumi

## Description


## Steps to reproduce

Behavior reproducible under WS 2016 and 2019 with SEPTEMBER ROLLUP installed.
Issue not reproducible without rollup.

The customer is using a virtual machine to run the DevOps pipeline, where he runs a PowerShell script to manage the classic cloud service. He is using the script below: https://gallery.technet.microsoft.com/scriptcenter/Reboot-Cloud-Service-PaaS-b337a06d

The error customer is seeing when attempting to call Azure management endpoint (management.core.windows.net) is a TLS/SSL verification failure due to untrusted root in the certificate chain. "System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel."

We got a repro in the lab even with a single cmdlet: `Import-AzurePublishSettingsFile .\1.publishsettings`
It created a certificate in the user store and removed the private key immediately.
I collected an IDNA trace and found that while running this script, powershell.exe calls `ncrypt!NCryptImportKey` and then, after some time, `clr!X509Helper::DeleteKeyContainer`.

As we did not change anything in this script in September, but the customer opened the ticket on 8 September, something must have changed on the client side.

I tried to get a repro in the lab on W10 1809 with the August updates, and everything worked fine with the same script and the same .publishsettings file.

As soon as I installed the 9B cumulative update for .NET, I got the repro with the exception.

It looks like the .NET 9B update has a bug that causes incorrect handling of certificates.

For W10 1809 /WS 2019 - this is https://support.microsoft.com/en-us/help/4576627

For W10 1607 /WS2016 - this is https://support.microsoft.com/en-us/help/4576479

In our public article regarding the .NET update, https://support.microsoft.com/en-us/help/4576479/kb4576479-cumulative-update-for-net-framework:

CLR1
- Addresses an issue in some 32-bit apps where, in certain scenarios, the JIT might omit a function call
- Improved support for cleaning up private temporary certificate keys

I discussed the issue with the developer (Jeremy Barton) who made the fix in the September .NET update.

His conclusion:

"If the script is loading a certificate from the certificate store and it starts failing after some unpredictable amount of time, it's that whatever loaded the certificate into the certificate store didn't use PersistKeySet and it finally got garbage collected, erasing the "temporary" private key file".

This behavior is described here:

https://docs.microsoft.com/en-us/troubleshoot/dotnet/framework/install-pfx-file-using-x509certificate

Cause

When the certificate is installed by using the X509Certificate or X509Certificate2 class, X509Certificate or X509Certificate2 by default creates a temporary container to import the private key. The private key is deleted when there's no longer a reference to the private key.

So I guess the Azure PS PGs should double-check the code of all scripts that use certificate-importing functions with regard to PersistKeySet.

Internal escalation: 206414717



## Expected behavior

Script from the DevOps pipeline should run with the update installed, as before.

## Actual behavior

The error customer is seeing when attempting to call Azure management endpoint (management.core.windows.net) is a TLS/SSL verification failure due to untrusted root in the certificate chain. "System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel."

## Environment data

Version: 5.1.14409.1005
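The following is an added example, not code from this issue, from the linked gallery script or from the Azure PowerShell module. It shows the pattern described under "Cause" in working form: a PFX imported through `X509Certificate2` with the default key storage flags gets a temporary key container that disappears once the importing object is finalized, whereas `X509KeyStorageFlags.PersistKeySet` keeps the private key with the store entry. The check at the end performs a real signing operation rather than trusting `HasPrivateKey`, because the property can still read true after the key file behind it is gone. It assumes Windows PowerShell 5.1 on Windows with the PKI module (`New-SelfSignedCertificate`, `Export-PfxCertificate`); the PFX path and password are constructed for the demo, and the `Import-PfxToUserStore` / `Test-PrivateKeyUsable` function names are mine.

```powershell
# Added example (not from the issue or the gallery script). Demonstrates why a
# certificate imported without PersistKeySet can stop working "after some
# unpredictable amount of time", and how to verify the private key is really usable.
# Assumptions: Windows PowerShell 5.1, PKI module available, CurrentUser\My writable.
$ErrorActionPreference = 'Stop'
$pfxPath     = Join-Path $env:TEMP 'persistkeyset-demo.pfx'                          # constructed path
$pfxPassword = ConvertTo-SecureString 'DemoOnly-NotASecret' -AsPlainText -Force      # constructed value

# Build a throwaway self-signed certificate, export it as a PFX and remove the
# original so only the PFX file remains as input for the two import paths.
$tmp = New-SelfSignedCertificate -Subject 'CN=PersistKeySet demo' `
        -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable
Export-PfxCertificate -Cert $tmp -FilePath $pfxPath -Password $pfxPassword | Out-Null
Remove-Item -Path "Cert:\CurrentUser\My\$($tmp.Thumbprint)" -DeleteKey

function Import-PfxToUserStore {
    # $Persist = $false reproduces the problematic pattern; $true is the fix.
    param([string]$Path, [securestring]$Password, [bool]$Persist)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    if ($Persist) {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
    # $cert goes out of scope here; with the default flags its finalizer deletes
    # the temporary key container (the clr!X509Helper::DeleteKeyContainer call).
}

function Test-PrivateKeyUsable {
    # Re-read the certificate from the store, as a later script run would, and
    # attempt an actual signature. Only a real key use proves the key is present.
    param([string]$Thumbprint)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { return $false }
        $data = [System.Text.Encoding]::UTF8.GetBytes('probe')
        $sig  = $rsa.SignData($data,
                              [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                              [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return ($sig.Length -gt 0)
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false   # e.g. "Keyset does not exist": the temporary container is gone
    }
}

foreach ($persist in $false, $true) {
    $thumb = Import-PfxToUserStore -Path $pfxPath -Password $pfxPassword -Persist $persist
    # Force the finalization that a long-running script would hit at a random moment.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers(); [GC]::Collect()
    $usable = Test-PrivateKeyUsable -Thumbprint $thumb
    'PersistKeySet={0,-5} private key usable after GC: {1}' -f $persist, $usable
    Remove-Item -Path "Cert:\CurrentUser\My\$thumb" -DeleteKey -ErrorAction SilentlyContinue
}
Remove-Item -Path $pfxPath -ErrorAction SilentlyContinue
```

On a host with the September 2020 .NET Framework update described in this issue, the first line is expected to report the key as unusable and the second as usable; on builds without that update the cleanup may not run, so the first import can appear to work even though it relies on the same temporary container. The same check (sign something with the key obtained from the store entry) is a cheap way to validate any certificate a pipeline depends on before it calls the management endpoint.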

Labels: Issue-Question