DSC client can't get configurations from pull server after update

This topic contains 2 replies, has 2 voices, and was last updated by Rickard 5 months, 2 weeks ago.

  • #72098

    Rickard
    Participant

    Hello folks,
    I have run into a problem after an update with our base image that we use when deploying new servers with DSC.
    After the update I get this error:

    Job {DFB1E732-49DF-11E7-90FC-001DD8B736E9} : 
    WebDownloadManager for configuration 5fe70830-f941-4c05-975f-b43909398e55 Do-DscAction command, GET call result: 
    FullyQualifiedErrorId :WebDownloadManagerGetActionFailed
     CategoryInfo:InvalidResult: (:) [], InvalidOperationException
     ExceptionMessage:Failed to get the action from server https://[PULLSERVER]/PSDSCPullServer.svc/Action(ConfigurationId='5fe70830-f941-4c05-975f-b43909398e55')/GetAction.
    , InnerExceptionSystem.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
    

    And the error message that follows is that the client thinks there are no partial configurations available on the pull server.

    As it says, there is some certificate issue. But I can't figure out what's the problem with that certificate.
    Both client and pull server are running on Server 2016 and with the latest WMF 5.1. When I'm trying with an older image that has not been patched recently, everything works great.
    I'm wondering if Microsoft has changed some requirements during the last two months or if someone else is having the same issue.
    Side note – both client and pull server are fully patched (May patch) and with the latest modules on the pull server.

  • #72100

    Don Jones
    Keymaster

    I'd probably start by trying to visit the PullServer.svc URL using Edge and see if you get any better information. I'd also check the node's trust of the CA that issued the server's SSL certificate. A lot can go wrong – for example, if the node is attempting to use OCSP to verify the certificate, but the issuing CA doesn't provide OCSP, that can be a problem for the "validation procedure."

  • #72496

    Rickard
    Participant

    Thanks Don, you were spot on. We had an issue in our CA chain.
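
The checks suggested in reply #72100 (the node's trust of the issuing CA, and revocation lookups), written out as an added example that is not from either poster. Run it on the DSC node; `Test-PullServerCertChain` is a hypothetical helper name, the host name in the comment is a constructed placeholder, and port 443 is assumed from the URL in the error.

```powershell
function Test-PullServerCertChain {
    param(
        [Parameter(Mandatory)][string]$HostName,   # pull server FQDN, as used in the LCM's ServerURL
        [int]$Port = 443                           # assumption: default HTTPS port
    )
    $X509 = 'System.Security.Cryptography.X509Certificates'
    $seen = @{}
    $tcp  = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback records what Windows thinks of the certificate, then accepts it
        # ONLY so the certificate can be retrieved; nothing is sent over this connection.
        $callback = { param($s, $c, $ch, $errors) $seen.Errors = $errors; $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object "$X509.X509Certificate2" ($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Rebuild the chain in machine context (per-user trust stores are ignored),
    # with online revocation checking of every certificate in the chain.
    $chain = New-Object "$X509.X509Chain" ($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)

    [pscustomobject]@{
        TlsPolicyErrors = $seen.Errors     # e.g. RemoteCertificateNameMismatch, RemoteCertificateChainErrors
        ChainValid      = $valid
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Elements        = foreach ($e in $chain.ChainElements) {
            [pscustomobject]@{
                Subject    = $e.Certificate.Subject
                Issuer     = $e.Certificate.Issuer
                NotAfter   = $e.Certificate.NotAfter
                Thumbprint = $e.Certificate.Thumbprint
                # Per-certificate flags: UntrustedRoot, PartialChain, RevocationStatusUnknown, ...
                Status     = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
            }
        }
    }
}

# Constructed example call:
# $r = Test-PullServerCertChain -HostName 'pullserver.example.com'
# $r | Format-List TlsPolicyErrors, ChainValid, ChainStatus; $r.Elements | Format-List
```

An `UntrustedRoot` or `PartialChain` status points at a missing root or intermediate CA certificate on the node, while `RevocationStatusUnknown` or `OfflineRevocation` points at an unreachable CRL or OCSP endpoint.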
