Hi,
after finally finishing my upgrade from Vault 2011 to Vault Basic 2015 Server I'm facing this problem:
Vault 2015 refuses to communicate via SSL.
My Vault instance runs on Windows Server 2008 R2, IIS is configured to serve http in port 80 and HTTPS on port 443, which works fine. Everything can be accessed via browsers over http and https.
The certificate is self-signed by my own CA and issued to my servers fqdn.
However, when I try to connect with Vault Basic 2015 Client, after a long long time I get the following error:
Vault client login error: "Cannot find data management services on [Servername]"
Things I've tried:
You have created a service. To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax: svcutil.exe https://server-fqdn/AutodeskDM/Services/InformationService.svc?wsdl You can also access the service description as a single file: https://server-fqdn/AutodeskDM/Services/InformationService.svc?singleWsdl This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example: ...
Error: WebServiceError [8005] (https://quantus/) Exception: WebServiceError [8005] (https://quantus/) Stacktrace: at Connectivity.Server.Proxies.ServiceAccessor`3.Execute(String remoteServer, Action`1 action) at Connectivity.Filestore.Licensing.GetProductTier() at Connectivity.Filestore.Licensing.Initialize() Exception(Inner): Could not establish trust relationship for the SSL/TLS secure channel with authority 'quantus'. Stacktrace(Inner): Server stack trace: at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason) at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Connectivity.Server.Proxies.SiteService.SiteService.SignInSite2(SignInSite2Request request) at Connectivity.Server.Proxies.SiteAuthenticator.SignIntoSite(String remoteServer, String vaultname) at Connectivity.Server.Proxies.ServerTokenCache.Get(Lazy`1 authenticator, String remoteServer, IResourceStore vault, SecurityHeader expiredToken) at Connectivity.Server.Proxies.ServiceAccessor`3._service(String remoteServer, Boolean reSignin) at Connectivity.Server.Proxies.ServiceAccessor`3.tryexecute(String remoteServer, Action`1 action, Int32 attemptCount) at Connectivity.Server.Proxies.ServiceAccessor`3.Execute(String remoteServer, Action`1 action) Exception(Inner): The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Stacktrace(Inner): at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) Exception(Inner): The remote certificate is invalid according to the validation procedure. Stacktrace(Inner): at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.ConnectStream.WriteHeaders(Boolean async)
Is there a known problem with my configuration? Or is SSL just broken in 2015? The exact same configuration was working perfectly in Vault 2011.
Thanks in advance,
Hauke
Solved! Go to Solution.
Solved by HorstBort. Go to Solution.
Solved by HorstBort. Go to Solution.
Solved by smithmat. Go to Solution.
Hi Hauke,
You may be experience we identified recently with the HTTPS connection being denied due to a time out on a number of authentication sessions. We have a fix in the works for this and hope it will be delivered in the near future.
If you have a support case open on this issue I would expect support to update you when this is available otherwise please check back in on this thread and I will update status.
At the moment I am not aware of any work arounds.
Hi Allan,
thanks for the advice. Meanwhile, I tried upgrading my server to Windows Server 2012 R2 and got the same behaviour. SSL connections work only connecting from localhost using the computer name. Even from the local network, the same error as described above occurs.
Indeed, it seems to be related to authentication. This is the last request the client sends:
GET /AutodeskDM/Services/Filestore/v19/AuthService.svc
There, the server hangs.
Since it sure would be nice to have encrypted transfers in this day and age, is there any way to have the vault server running behind a reverse proxy which then handles SSL? I tried with apache but of cource ran into problems when the vault tells the client to speak plain http. Handling the internal connection between reverse proxy and IIS over SSL fails with the authentication problem again.
Best regards,
Hauke
Hi Hauke,
This is not a server issue - it seems one of my colleagues may have a work around - will look to provide some details here for you.
Hauke,
There is a known client side (Vault Explorer / Vault SDK) issue when using SSL. We are not certain that the problem you are experiencing is the same as this issue. While we are working on providing a fix for this issue, I do have a (client side) workaround that you can try for Vault Explorer:
<configuration>
...
<system.net>
<connectionManagement>
<add address = "*" maxconnection = "1000" />
</connectionManagement>
</system.net>
...
</configuration>
When we eventually provide the fix, you'll want to back-out this configuration change.
If possible, please report back letting us know if this workaround addressed your issue.
Thanks,
- Matt
Hi Matt,
that seems to actually do the trick, thanks!
One remark: Placing the highlighted part *anywhere* in the configuration section threw an error, pasting it around line 260 worked though. So my config looks like this now:
... <system.web> <webServices> <soapExtensionTypes> <add type="DataManagement.Common.Logging.Utils.LogServerSoapExtension,DataManagement.Common.Logging" priority="1" group="High"/> <add type="DataManagement.Common.Logging.Utils.LogClientSoapExtension,DataManagement.Common.Logging" priority="1" group="High"/> </soapExtensionTypes> </webServices> </system.web> <system.net> <connectionManagement> <add address = "*" maxconnection = "1000" /> </connectionManagement> </system.net> <appSettings> ...
Thanks,
Hauke
One addendum:
To make it work with Inventor 2015, I had to add the same to C:\Program Files\Autodesk\Inventor 2015\Bin\Inventor.exe.config.
Yes. This workaround would require performing the steps for each executable where the Vault SDK is used (which is the case for Inventor).