Skip to main content

Installing the Windows agent with PowerShell fails with the error "Could not create SSL/TLS secure channel" in Puppet Enterprise

Jordi Garcia
  • Updated

When you try to install an agent on a Windows node using PE package management with PowerShell, it fails with a Could not create SSL/TLS secure channel error.

Error messages

When you run the following in PowerShell

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://<MASTER HOSTNAME>:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1

the installer fails on a Windows node with the following error:

Exception calling "DownloadFile" with "2" argument(s): "The request was aborted:
Could not create SSL/TLS secure
channel."
At line:1 char:121
+ [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webCl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException

.\install.ps1 : The term '.\install.ps1' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:276
+ ... install.ps1'); .\install.ps1 -v
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (.\install.ps1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Installation failed because TLSv1 is disabled on the Windows node.

TLSv1, TLSv1.1, and TLSv1.2 are supported in PE. If you're not sure what protocols you’re using in PE, you can check.

Version and installation information

PE version: All supported

OS: Windows

Solution

To resolve the issue, make sure that TLSv1.2 is enabled as the default protocol on the Windows node. By default, Windows uses SSLv3 and TLS. TLS might be disabled on your Windows node for security reasons.

  1. Confirm the version of TLS that Windows is using by default. To output a list of protocols, run the following from PowerShell:

    [Net.ServicePointManager]::SecurityProtocol

  2. If PowerShell isn’t using TLSv1.2, configure it to use it by default by running:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

After completing these steps, you should be able to install the agent.

Did this solve your problem?
4 out of 6 found this helpful

How can we improve this article?

0 comments

Please sign in to leave a comment.

Related articles