We were able to connect to the keyvault from .NET 5 api running from my local machine till 2 days back. It is giving the below error recently
Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry. (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.)
(The SSL connection could not be established, see inner exception.)
(The SSL connection could not be established, see inner exception.)
we are accessing the keyvault using the DefaultAzureCredential (pls see the below code) and configured my email
though Visual Studio -->Tools> Options-->Azure Service Authentication-->Account Selection--> "XXyemail#.com".
This email has list access like (list, add, get ,delete, upddate) in access polices of KeyVault.
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, config) =>
{
var appSettings = config.Build();
var credentialOptions = new DefaultAzureCredentialOptions();
var credential = new DefaultAzureCredential(credentialOptions);
config.AddAzureKeyVault(new Uri(appSettings["KeyVault:Url"]), credential);
})
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseSerilog();
webBuilder.UseStartup<Startup>();
});
}
Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry. (The SSL connection could not be established, see inner exception.) (The SSL connection could not be established, see inner exception.)
(The SSL connection could not be established, see inner exception.)
(The SSL connection could not be established, see inner exception.)
can anybody let me know what would be the reason for this ?
thanks,
My understanding is that the Key Vault was not available for some reason or, since the error mentions an SSL connection, there was an error specifically with the SSL certificate. For example, we experienced a similar error when our Kubernetes cluster was modified (upgraded). The error could also have to do with Azure not being available or maybe even not having network connectivity for a while.
Related
I'm using Angular 14 and the ngx-mqtt front-end lib.
Here's my connection string which works fine:
getEmqxCloudConnection(): IMqttServiceOptions {
return {
hostname: 'xx.xx.xx.182',
port: 8083,
path: '/mqtt',
clean: true, // retain
connectTimeout: 4000,
reconnectPeriod: 4000,
clientId: 'HarBrowserTest1',
username: 'myUser',
password: 'myPass',
protocol: 'ws',
connectOnCreate: false,
};
}
As per their Broker dashboard the available ports are:
Ports: 1883(mqtt), 8883(mqtts), 8083(ws), 8084(wss)
I have already imported our SSL Certificate into the EMQX Dashboard, yet when I change my conn string to port: 8084 and protocol: 'wss' - IT DOESN'T CONNECT !
They have some screenshots here showing their Client Tool, but for reason every one shows port=1883 (a mistake maybe). https://docs.emqx.com/en/cloud/latest/connect_to_deployments/mqttx.html#connection-configuration
In my Chrome browser network tab, here's what I see for the std insecure ws - A successful ws conn to the Mqtt Broker.
Here is the certificate UI which I used to imported the PEM-Encoded cert body and key:
This will most likely be down to the certificate you have used for the broker.
First unless you have created the certificate just right (using the correct SAN entries) that include the IP address as the principal for the certificate, then the connection will get rejected because the certificate doesn't match the hostname/IP address the broker is using to connect.
Second, if it is a self signed certificate then the browser will just reject it, unless you have manually imported the CA (or if it really is self signed the cert it's self) into the browsers trust store and marked it as trusted. The browser will NOT show you a warning and ask to accept for a WebSocket connection like it does with a webpage, it will just fail with an error in the console and nothing else.
P.S. - You should not hard code the client id in web apps, this is because client ids must be unique across ALL clients, so hardcoding it means that everybody that visits the page will use the same client id and each new connection will kick off the last one (and probably end up in a reconnect fight)
If you check the logs of EMQX, maybe you can get more helpful information.
The following are possible reasons for common TLS connection failures.
First of all, as mentioned in the previous answer, your certificate may have a domain name or IP address set as CN or SAN when it is issued, but the address you specified when connecting does not match the values of the CN and SAN fields.
In this case, the TLS client will think that the server you are connecting to may not be what you really expect, so it will refuse the connection.
We have three ways to solve it:
Turn off the verification of the peer certificate, if your client has this option. However, we do not recommend this as it increases the security risk.
Reissue a certificate that matches your server address
Set the SNI field (full name Server Name Indication) when the client connects, so that TLS will check whether the SNI matches the CN and SAN fields of the certificate, instead of your actual connection address.
The second possible reason is that your certificate path is incomplete, such as the lack of intermediate certificates, or the client does not specify a trusted root certificate, its keyword in the EMQX log is unknown_ca.
For more TLS error reasons, you can refer to SSL Connection Error.
In a browser environment, you should use a server certificate issued by a CA Signed than a self-signed certificate.
Self-Signed SSL Vs Trusted CA Signed SSL Certificateļ¼ see the https://cheapsslsecurity.com/blog/self-signed-ssl-versus-trusted-ca-signed-ssl-certificate/
I have an application that makes outbound calls using following mechanisms.
HTTP
HTTPS
HTTPS with mSSL
Should I have one connection pool for all applications or should I be using different connection pool per client/outbound connection because the SSL context is configured on the connection pool with the certificates?
If I have one connection pool wouldn't the HTTP call also be made with the SSL context configured on the connection pool.
Reactor Netty will create 3 different connection pools in the case above. It is not possible to use a connection pool with TLS for calls that are HTTP. The selection of the connection pool that will be used is based on the remote address + the configuration for the client.
I have a service that calls CRM 365. The authentication is done with OAuth resp. a bearer token. This worked like a charm but suddenly a CommunicationException is thrown on every call. Maybe this is due to the update of the CRM version to v9.
This is how I create my IOrganizationService:
var crmProxy = new OrganizationWebProxyClient(serviceUri, false)
{
HeaderToken = bearerToken
};
where serviceUri is something like https://mydomain.crm.dynamics.com/xrmservices/2011/organization.svc/web?SdkClientVersion=9.0.0.0
When I make a call against this proxy (like ExecuteRequest or RetrieveMultiple) a CommunicationException is thrown with the following message:
System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to
https://mydomain.crm.dynamics.com/xrmservices/2011/organization.svc/web?SdkClientVersion=9.0.0.0.
This could be due to the fact that the server certificate is not
configured properly with HTTP.SYS in the HTTPS case. This could also
be caused by a mismatch of the security binding between the client and
the server. ---> System.Net.WebException: The underlying connection
was closed: An unexpected error occurred on a send. --->
System.IO.IOException: Unable to read data from the transport
connection: An existing connection was forcibly closed by the remote
host. ---> System.Net.Sockets.SocketException: An existing connection
was forcibly closed by the remote host
I already updated the CRM SDK assembly to version 9.0.2.4. Still not working.
What can I do?
I found the solution.
Dynamics 365 v9.0 enforces TLS 1.2. To enforce TLS 1.2 in the application you have to call the following before making requests:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Alternatively you can switch to .Net 4.6 or above. In these versions TLS 1.2 is the default.
Currently I need to implement socks client. According RFC, Socks protocol has two main commands: CONNECT and BIND. CONNECT is used to forward an outbound connection from socks' client to desired Server. BIND is used to forward an inbound connection from desired Server to socks' client.
My client work as follows:
Firstly It makes connection to socks Server, let us call it a "client connection".
After that it issues commands.
I have some misunderstanding with a "client connection" utilisation. Hence, I have the following questions:
A "client connection" could be used only for one CONNECTION command, is that right ? So for each desired communication I need to create a new "client connection" and after that issue command CONNECT.
For BINDing, firstly, i need to issue CONNECT and after issue command BIND. These commands must be issued in a one "client connection", am I right ?
How many inbound connections socks server could receive on BIND socket ? Only one ?
How traffic flows in case of BIND is used ? We have a "client connection" to socks server. For the "client connection" socks server has one connection to desired server and one incoming connection from desired server. Hence, socks server could receive data from two connections. How this traffic is mixed to the "client connection"?
Yes.
No. BIND is separate from CONNECT. It is for when you want to listen, so you tell the server to listen on your behalf and tell him what port you're listening on.
Pass.
There is only one connection between the client and the SOCKS server. Everything arriving from the client is sent to the 'desired server'. Everything arriving from the 'desired server' is sent to the client. There is nothing to mix. You wouldn't want the client's sends to be sent back to him, would you?
I'm working on an ASP.NET MVC website, it has been installed on three different servers (the same code version), it works on two of the servers i.e the user can login, but on one server after the user has submitted their username and password, the following server error is displayed in the browser:
Security Exception
System.Security.SecurityException: Token not found
The event viewer for the environment the error is occuring on shows the following two error messages at the point where th euser attempts to login:
Could not init pool.
System.Net.Sockets.SocketException (0x80004005):
A connection attempt failed because the connected party did not properly
respond after a period of time, or established connection failed because
connected host has failed to respond (server ip address)
And this error:
Error: System.Security.SecurityException: Token not found
Which is the server error displayed in the browser. This has in the past been resolved by deleting an authentication cookie, but that doesn't work for this error.
I have tried setting the trust level in the web.config to full which didn't work. I have tried restarting IIS.
Has anyone else come accross a similar problem? Could this problem be caused because a service of some kind isn't running? Any suggestions will be appreciated.
Most of the time these are connectivity timeouts due to different IP protocols (IPV4/IPV6) between the two server/computers trying to communicate or extra authentication rules setup on one of the computers for outgoing or incoming connectivity.
Ways to troubleshoot the issue:
Review IIS logs
Review EventLogs
Try adjusting TCP/IP parameters in the registry to increase the time allowed to connect
http://msdn.microsoft.com/en-us/library/aa560610(d=printer,v=bts.20).aspx
Even though the above article references Windows 2003, I've discovered it applies to some 2008 environments.
I was getting 0x80004005 & The requested name is valid, but no data of the requested type was found. My complete error
Check You have proper internet connection are there on your machine or not. And you are able to ping the remote server or not. I solved by checking both.
We were getting this error when one of a third party API hosted on of our server(Azure) was not able to communicate with one of our web services on a different machine(iNetU). Options were to open ports so that these machines could talk or to move the web service to the machine hosting the third party API.