Set-PAServer "underlying connection was closed" about posh-acme HOT 8 OPEN

I've pinpointed the exact line throwing that error inside Set-PAServer.

from posh-acme.

Hey @plrusek, thanks for reaching out. Unfortunately, I don't have an explanation for what the problem is. That line is about the most basic web request the module performs when initially querying the chosen ACME server. For the LE_STAGE environment, it's the equivalent of running the following:

Invoke-WebRequest -Uri https://acme-staging-v02.api.letsencrypt.org/directory -UserAgent "Posh-ACME/4.17.1 PowerShell/$($PSVersionTable.PSVersion)" -ErrorAction Stop -Verbose:$false

Can you try running that manually and see if the same error occurs? The error implies a problem with the underlying network connection on your end. Perhaps security software interfering with outbound connections?

from posh-acme.

Hello, sadly same error occurs with that line of code. It seems that Invoke-WebRequest in general has stopped working properly.
I've tried a lot of various suggestions and fixes online, like making sure both Tls12 and Tls13 are ticked in Internet Properties and
also tried setting [System.Net.ServicePointManager]::SecurityProtocol to Tls12 -bor Tls13 but all to no avail.
I also suspected my antivirus at some point, ESET Security Endpoint, as it has SSL/TLS protocol filtering and application filtering but the issue still persisted with these functions off.
So at this point, I think I'm suspecting something very wrong happening with PowerShell itself and maybe trying out something
like RestSharp and implementing this directly in C#. There doesn't seem to be much reason for this to stop working, especially
since it happened suddenly after years of working.

from posh-acme.

@plrusek you could try with https://certifytheweb.com to use something that's C# based but I presume you'll get the same result. It's unlikely powershell has just stopped working in general, so your networking (particularly your firewall or related software) is the most obvious suspect. Windows Firewall also needs to allow outgoing https.

You could try a different CA to see if it's specific to Let's Encrypt. e.g. If you wanted to test against Googles ACME API it would be:
Invoke-WebRequest -Uri https://dv.acme-v02.api.pki.goog/directory -UserAgent "Posh-ACME/4.17.1 PowerShell/$($PSVersionTable.PSVersion)" -ErrorAction Stop -Verbose:$false

from posh-acme.

So, this is very bizzare but both these commands work just fine on a freshly opened PowerShell console but as soon as I try to run them after and inside .ps1 scripts, it starts throwing the same error as always from then on until I open a new PowerShell console. I never managed to identify which lines of code in those scripts specifically cause this sadly. I swear it even seems to be random at times because sometimes it didn't manage to break.

On the other hand, I found out that the .NET equivalent class - HttpWebRequest - has none of these problems so I rewrote some parts of Set-PAServer to use that class instead of the troublesome cmdlet:

I'm really not sure why this cmdlet has been giving me this much trouble, but it wouldn't be the first one in my PowerShell escapades.

from posh-acme.

It sounds like something in or getting loaded by your scripts might be interfering with the web cmdlets default functionality. Suffice it to say that I don't plan on replacing all of the PowerShell native web calls with .NET classes.

from posh-acme.

Confirmed a similar behavior in my environment. Set-PAServer stops working after being called in the same PS session. Closing and reopening PowerShell temporarily resolves the issue. Fine for scripted usage, but annoying when writing scripts.

Windows Server 2022, build 20348.1787

from posh-acme.

@sivan-koren Can you run the same Invoke-WebRequest test as above and post the results? I'd also be curious what (if anything) is in the PowerShell profile for the user you're running as. There are 4 potential files that could exist with stuff being loaded. Here's an easy way to open all of them in notepad.

notepad $PROFILE.CurrentUserAllHosts
notepad $PROFILE.CurrentUserCurrentHost
notepad $PROFILE.AllUsersAllHosts
notepad $PROFILE.AllUsersCurrentHost

If notepad says the file doesn't exist, don't worry about it. That just means it hadn't previously been created which is normal.

Also, are you running any 3rd party security software or have a proxy server in place?

from posh-acme.