SSL Error calling REST API

Our TeamCity Server is accessed via HTTPS.  The commurcial certificate for HTTPS has been uploaded to the server.

Browser access and the agent work fine.  However, I have a PowerShell build step that tries to call the TeamCity REST API which is failing with the exception “The request was aborted: Could not create SSL/TLS secure channel”.

The parameters that I pass to the powershell script are:

-CommitId %build.vcs.number%
-TeamCityUrl %teamcity.serverUrl% 
-TeamCityBuildTypeId %system.teamcity.buildType.id% 
-TeamCityUsername %system.teamcity.auth.userId% 
-TeamCityPassword %system.teamcity.auth.password%
 

The powershell code that throws the exception is:

    $Credentials = "$($TeamCityUsername):$($TeamCityPassword)"
   $AuthString = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$Credentials"))
   $Url = "$($TeamCityUrl)/app/rest/buildTypes/id:$($TeamCityBuildTypeId)/builds/status:SUCCESS" 
   $Content = Invoke-WebRequest "$Url" -Headers @{"Authorization" = "Basic $AuthString"}
 

Any suggestions on what I can try to get past this exception?

0
3 comments

Hi Scott, 

The request was aborted: Could not create SSL/TLS secure channel exception comes from the Powershell script, not TeamCity. Powershell can report such errors when it faces error 401, which is most likely what happens. 

Most likely, in your case, something goes wrong with base64 encoding. The encoding logic seems correct to me, but I don't know how you set the values of $TeamCityUsername and $TeamCityPassword. Maybe there's a trailing newline character somewhere in those strings. You can try obtaining the resulting base64 and testing it manually via something like curl. E.g., curl --header "Authorization: <Base64_string>" <server_url>/app/rest/server.

This would be a typical pitfall when doing a similar task in Bash. In the below example, the second echo command removes the trailing newline character

That said, I suggest avoiding the Basic Auth altogether. We recommend using the Bearer token with an Access Token when working with the REST API. See this article for more details.

0

Thanks for the response Mikhail.

I have solved the problem and will post it here in case someone else hits the problem.

The problem is that PowerShell defaults to using TLS1.0.  To get it to use TLS 1.2 you need to add the following line before calling Invoke-WebRequest

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 

0

Thank you for letting us know, Scott!

This is interesting. I wasn't even thinking about this. I thought that older TLS versions were deactivated by default in modern Windows versions, but apparently, I was wrong. 

0

Please sign in to leave a comment.