Stop! Read this before upgrading to Rubrik 4.1.1

Joshua Stenhouse

Over the past weekend I’ve had multiple users of my scripts upgrade their Rubrik clusters to 4.1.1 and find the scripts suddenly stop working with the below error:

“System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.”

Standard troubleshooting practice is always to ask “What changed?”, and the cause is that Rubrik 4.1.1 requires TLS 1.2 on all REST API calls, while PowerShell versions 4 and 5 do not use TLS 1.2 by default on Invoke-RestMethod. If you have already upgraded your scripts to PowerShell 6 then you won’t see this issue, as TLS 1.2 support is native.

Thankfully the fix is simple: you don’t have to use PowerShell 6 to fix it, and it applies to any vendor forcing TLS 1.2, not just Rubrik. Just add the below line to your script before the first Invoke-RestMethod to force PowerShell to use TLS 1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

I will be adding it to my PowerShell 5 scripts as part of the certificate exception at the start:

##################################
# Adding certificate exception and TLS 1.2 to prevent API errors
##################################
# TrustAllCertsPolicy accepts every server certificate, so no certificate validation is performed
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# Allow SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 for outgoing connections
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

However, if you are going to edit your existing scripts anyway then you could take this opportunity to move to PowerShell 6 and not even require TLS 1.2 to be forced, as it’s enabled by default. To upgrade your Rubrik scripts to PowerShell 6 first remove the “# Adding certificate exception…” section as seen above, as untrusted certs are handled differently. Then, on each Invoke-RestMethod add a new parameter called “-SkipCertificateCheck”, like the below:

$RubrikSessionResponse = Invoke-RestMethod -Uri $RubrikSessionURL -Headers $Header -Method POST -ContentType $Type -SkipCertificateCheck

Now your scripts will run perfectly in PowerShell 6. I will work on adding the first solution to my previous scripts over the next couple of weeks. I don’t want to change them all right now as people are still upgrading, but I will do it within the month or sooner if I see more and more people coming forward. Whichever method you choose to solve this issue let me know if you have any questions or problems and happy scripting,

Joshua
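
An alternative to the trust-all policy shown above for PowerShell 5, as an added example that is not from the original post or from Rubrik: it adds TLS 1.2 to the protocols already enabled and accepts an untrusted certificate only when its thumbprint matches a pinned value. `PinnedCertValidator` and `$PinnedThumbprint` are hypothetical names, and the thumbprint is a placeholder to replace with your own cluster's.

```powershell
# Added example. Placeholder: replace with the SHA-1 thumbprint of your cluster's certificate.
$PinnedThumbprint = '<THUMBPRINT-OF-YOUR-CLUSTER-CERTIFICATE>'

# Add TLS 1.2 to the protocols already enabled instead of replacing the list.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Compile the validator once per session (hypothetical class name).
if (-not ('PinnedCertValidator' -as [type])) {
Add-Type @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCertValidator {
    public static string Thumbprint;
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors) {
        // A certificate that validates normally is accepted as usual.
        if (errors == SslPolicyErrors.None) { return true; }
        // Otherwise accept only the one certificate that was pinned.
        if (cert == null || String.IsNullOrEmpty(Thumbprint)) { return false; }
        string actual = new X509Certificate2(cert).Thumbprint;
        return String.Equals(actual, Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
    public static void Enable(string thumbprint) {
        Thumbprint = thumbprint.Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
"@
}

# Register the callback before the first Invoke-RestMethod in the script.
[PinnedCertValidator]::Enable($PinnedThumbprint)
```

With this in place a connection to a host presenting any other untrusted certificate fails instead of being silently accepted.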
