Troubleshooting SDN Windows Admin Center Certificates

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

If you checked out our WAC 2208 Public Preview of SDN extensions, you may be presented with a notification like the one below when attempting to load Virtual Networks and/or Logical Networks:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Why is this Happening?

This occurs only on Windows Admin Center (WAC) Public Preview 2208. Older WAC builds are not impacted. Additionally, we are looking to automate this change and may remove this article or edit it to state that it is no longer relevant.

The connection between the Network Controller client and the Windows Admin Center gateway must be authenticated. The WAC certificate thumbprint only needs to be provided to Network Controller (NC), through the ClientCertificateThumbprint parameter of the Install-NetworkController cmdlet, when certificates are used as the client authentication mechanism. Management clients also need to trust the certificate being returned by the Network Controller REST endpoint.

For self-signed certificates, either the certificate or the certificate's issuer needs to be in the client’s Trusted Root store. Windows Admin Center for SDN executes SDN cmdlets on the gateway instead of the cluster nodes. Thus, the NC REST certificate’s issuer must be trusted on the gateway. More details about Network Controller security are available here: Network Controller Security | Microsoft Docs.

Domain CA signed certificates pose no problem if the certificate returned by the NC REST endpoint is verifiable on the WAC gateway node.

The workaround script shared below will read the certificate from the HTTPS response from the NC REST endpoint. The certificate will then be added to the Trusted Root store. You may choose the local machine or a local user (the same user whose credentials are being used to run WAC).

Workaround Steps

Before running the scripts below, we must collect the Rest URI for Network Controller. Open Windows Admin Center, select "SDN Infrastructure", then "Network Controller" at the top, and find your Rest URI.

Now that we have the Rest URI, log into the WAC gateway (i.e., where Windows Admin Center is installed) and open an elevated PowerShell prompt to run the steps below:

  1. $connectionuri = 'insert the NC URI here'
    1. Example: $connectionuri = 'https://SDN.TAILWINDTRADERS.COM'
  2. Install-Script -Name import-networkcontrollerrestcertificate
    1. Accept all prompts to install from PowerShell Gallery
  3. Import-NetworkControllerRestCertificate.ps1 -connectionUri $connectionuri

Import-NetworkControllerRestCertificate will search for the certificate associated with the Network Controller REST URI and add it to the Trusted Root store of the WAC gateway.
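Because the workaround trusts whatever certificate the endpoint presents, it is worth confirming that certificate before importing it. The following is an added example, not part of the original post or of the Import-NetworkControllerRestCertificate script; the function name Get-NcRestCertificateInfo and the placeholder thumbprint are assumptions. It reads the certificate presented at the REST URI, reports whether the gateway already trusts it, and compares its thumbprint with one you obtained directly from a Network Controller node.

```powershell
# Added example. Get-NcRestCertificateInfo is a hypothetical helper, not part of the SDN tooling.
function Get-NcRestCertificateInfo {
    param([Parameter(Mandatory)] [uri] $ConnectionUri)

    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($ConnectionUri.Host, $ConnectionUri.Port)
    try {
        # Accept any certificate for this one handshake so it can be read and inspected.
        # No request is sent and no certificate store is modified.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ConnectionUri.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain using the stores visible to the account running this prompt.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Self-signed and private-CA certificates often have no reachable revocation endpoint.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # heuristic: subject equals issuer
        TrustedHere = $trusted
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$connectionuri = 'https://SDN.TAILWINDTRADERS.COM'   # example value from the steps above
$info = Get-NcRestCertificateInfo -ConnectionUri $connectionuri
$info | Format-List

# Placeholder: thumbprint of the NC REST certificate as read on a Network Controller node.
$expectedThumbprint = '<THUMBPRINT-READ-ON-NC-NODE>'
if ($info.Thumbprint -ne ($expectedThumbprint -replace '\s')) {
    Write-Warning 'Presented certificate does not match the expected one; do not import it.'
}
elseif (-not $info.TrustedHere) {
    Write-Output 'Thumbprint matches but the gateway does not trust it yet; the import applies.'
}
```

Running the same function again after the import should show TrustedHere as True with an empty ChainStatus.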

 

Below is a video showing the process for ensuring the certificate is on the WAC gateway machine: 
