
I have been provided a new Server 2012 box to setup.

I'm trying to use PowerShell to install Chocolatey

```
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
```

and getting the error

```
Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: An unexpected error occurred on a receive."
At line:1 char:1
+ iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/in ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
```

I can visit that URL in the browser.

At first I thought this was something to do with Chocolatey but then I realised that

```
(New-Object System.Net.WebClient).DownloadString('http://google.com')
```

can download the HTML content

but

```
(New-Object System.Net.WebClient).DownloadString('https://google.com')
```

fails with the same error

```
The underlying connection was closed: An unexpected error occurred on a receive.
```

The box:

  • is windows server 2012 build 9600
  • doesn't use a proxy
  • has the firewall turned off

I feel sure I'm doing something silly but can't see what...

--- Update ---

Based on this answer

I followed these steps:

  1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
  2. In Local Security Settings, expand Local Policies, and then click Security Options.
  3. Under Policy in the right pane, double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", and then click Enabled.
  4. Ran `gpupdate /force`

After that the chocolatey install script can be downloaded but then fails with:

```
STDOUT: FIPS Mode detected - run 'choco feature enable -n useFipsCompliantChecksums' to use Chocolatey.
When FIPS Mode is enabled, Chocolatey requires useFipsCompliantChecksums feature also be enabled.
STDERR:
---- End output of C:\ProgramData\chocolatey/bin/choco.exe list -l -r ----
Ran C:\ProgramData\chocolatey/bin/choco.exe list -l -r returned 1
```

Still feels like the GPO change shouldn't be necessary

Paul D'Ambra
  • Try to execute the following before you download the content: `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}` – Martin Brandl Nov 09 '16 at 09:37
  • Can that be run one after the other at the command line? If so, that had no effect. But also, does that turn off certificate validation for good? That feels a little bit dangerous – Paul D'Ambra Nov 09 '16 at 09:39
  • Yes, this turns off the certificate validation. It is useful if you, for example, work with self-signed certificates and don't want to install them on all of your clients, e.g. for test purposes. However, that's probably not your issue – Martin Brandl Nov 09 '16 at 09:43

2 Answers

It turns out this was a result of TLS 1.0 being disabled in our server images in order to comply with PCI DSS 3.1.

Rolling back that change to the image resolved the PowerShell issue.

In the short term we can run

```
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

before using System.Net.WebClient, but I'd like to find a way to enforce that at a machine level too...


I logged this with Chocolatey and they resolved the issue \o/

Paul D'Ambra
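The answer above names the cause (SCHANNEL TLS 1.0 disabled for PCI DSS while .NET's `WebClient` on Server 2012 still defaults to SSL 3.0/TLS 1.0) and the per-session fix. The following is an added example, not code from the question or the answers: it reads the SCHANNEL client protocol keys to confirm what the image disabled, shows what `System.Net` will offer before any change, applies the per-session fix, and implements the machine-level enforcement the answer asks for via the .NET `SchUseStrongCrypto` registry value. The registry paths are the standard SCHANNEL and .NET 4.x locations; the test URL is an assumption. Note that, unlike the `ServerCertificateValidationCallback` suggestion in the comments, none of this disables certificate validation.

```powershell
# Added example (not from the original question or answers). Diagnoses the
# "underlying connection was closed" failure: SCHANNEL has TLS 1.0 disabled
# (PCI DSS hardening) while .NET's WebClient still offers only Ssl3/Tls on
# Server 2012 unless told otherwise. Registry paths are the documented
# SCHANNEL and .NET strong-crypto locations; the test URL is an assumption.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientProtocolState {
    # One row per protocol version. ClientEnabled is $true/$false when the
    # image set the key, or 'default' when the key is absent (Windows then
    # uses its built-in default for that version).
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key   = Join-Path $SchannelRoot "$proto\Client"
        $state = 'default'
        if (Test-Path $key) {
            $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
            if ($null -ne $v) { $state = [bool]$v }
        }
        [pscustomobject]@{ Protocol = $proto; ClientEnabled = $state }
    }
}

function Get-DotNetTlsDefault {
    # What System.Net will offer in this process before anything changes it.
    # On a stock Server 2012 box this typically reads "Ssl3, Tls".
    [Net.ServicePointManager]::SecurityProtocol
}

function Set-SessionTls12 {
    # The per-session fix from the accepted answer. Scope: this PowerShell
    # process (AppDomain) only; a new console starts with the default again.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}

function Set-DotNetStrongCryptoMachineWide {
    # Machine-level enforcement: SchUseStrongCrypto = 1 makes .NET 4.x default
    # to TLS 1.1/1.2 in every process, so scripts need no per-session change.
    # Both the 64-bit and the 32-bit (Wow6432Node) hives must carry the value.
    # Requires elevation; only processes started afterwards pick it up.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
    }
}

function Test-HttpsDownload {
    # Returns $true when the download succeeds; certificate validation stays on.
    param([string]$Url = 'https://chocolatey.org/install.ps1')   # assumed test URL
    try {
        $null = (New-Object System.Net.WebClient).DownloadString($Url)
        return $true
    } catch {
        Write-Warning "Download failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage: show what the image disabled, what .NET offers, then retry with TLS 1.2.
Get-SchannelClientProtocolState | Format-Table -AutoSize
"Default .NET protocols this session: $(Get-DotNetTlsDefault)"
if (-not (Test-HttpsDownload)) {
    Set-SessionTls12
    "Retry after forcing TLS 1.2: $(Test-HttpsDownload)"
}
# For the machine-wide setting, run from an elevated prompt:
#   Set-DotNetStrongCryptoMachineWide
```

If the table shows `TLS 1.0` with `ClientEnabled = False` while `Get-DotNetTlsDefault` reports `Ssl3, Tls`, the client has nothing left to offer that the policy allows, which is exactly the "unexpected error occurred on a receive" seen in the question. The session fix is the right thing for a one-off script; the registry value is the durable fix for an image and avoids re-enabling TLS 1.0.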

Try this:

```
$WBC = New-Object System.Net.WebClient
$WBC.DownloadString("https://google.com")
```
saftargholi
  • That's just the same command spread over two lines. It doesn't work that way either – Paul D'Ambra Nov 09 '16 at 11:10
  • While this code snippet may solve the question, including an explanation [really helps](//meta.stackexchange.com/q/114762) to improve the quality of your post. Remember that you are answering the question for readers in the future, not just the person asking now! Please [edit] your answer to add explanation, and give an indication of what limitations and assumptions apply. – Toby Speight Nov 11 '16 at 13:19