azureazure-devopsazure-web-app-servicemsdeploy

SSL Error using AzureRmWebAppDeployment@4 to deploy net6 ASP app to azure App service


I have problems deploying a net6 ASP project to newly created App Services (Code/Windows). I use

# Build the project
- task: DotNetCoreCLI@2
  displayName: 'Build project'
  inputs:
    command: 'build'
    projects: '${{ parameters.ProjectPath }}'
    arguments: '--configuration ${{ parameters.BuildConfiguration }}'

# Publish the asp project build files
- task: DotNetCoreCLI@2
  displayName: 'Publish project'
  inputs:
    command: "publish"
    publishWebProjects: false # would otherwise ignore the projects parameter and would try to find all web project in the repo
    projects: '${{ parameters.ProjectPath }}'
    arguments: '--configuration ${{ parameters.BuildConfiguration }} /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:PackageLocation="$(Build.ArtifactStagingDirectory)"'

to build the project and

- task: AzureRmWebAppDeployment@4
  displayName: 'Azure App Service Deploy: ${{ parameters.WebAppName }}'
  inputs:
    azureSubscription: ${{ parameters.SubscriptionConnectionName }}
    WebAppName: ${{ parameters.WebAppName }}
    package: '$(Pipeline.Workspace)/${{ parameters.SiteName }}-${{ parameters.ArtifactName }}/*.zip'
    JSONFiles: |
      **/appsettings.json
      **/appsettings.Production.json

to deploy it to the App Service.

The deploy task is running on a self hosted Azure Agent (on a Azure VM).

And the task output the error Message

Error: The request was aborted: Could not create SSL/TLS secure channel.

I can deploy to the App Service via publish profiles with the Visual Studio, but am out of ideas what is going wrong. The same agent is also used to deploy (with the same task) to an older App Service without issue.

Here is more debug output of the task

2022-08-29T06:58:36.9268188Z ##[debug]Evaluating condition for step: 'Azure App Service Deploy: <web-app-name>'
2022-08-29T06:58:36.9271015Z ##[debug]Evaluating: SucceededNode()
2022-08-29T06:58:36.9271936Z ##[debug]Evaluating SucceededNode:
2022-08-29T06:58:36.9273450Z ##[debug]=> True
2022-08-29T06:58:36.9274425Z ##[debug]Result: True
2022-08-29T06:58:36.9275585Z ##[section]Starting: Azure App Service Deploy: <web-app-name>
2022-08-29T06:58:36.9487953Z ==============================================================================
2022-08-29T06:58:36.9488451Z Task         : Azure App Service deploy
2022-08-29T06:58:36.9489776Z Description  : Deploy to Azure App Service a web, mobile, or API app using Docker, Java, .NET, .NET Core, Node.js, PHP, Python, or Ruby
2022-08-29T06:58:36.9490336Z Version      : 4.209.0
2022-08-29T06:58:36.9490876Z Author       : Microsoft Corporation
2022-08-29T06:58:36.9491317Z Help         : https://aka.ms/azureappservicetroubleshooting
2022-08-29T06:58:36.9491850Z ==============================================================================
...
2022-08-29T06:58:53.9440557Z ##[debug]Constructed msDeploy comamnd line arguments
2022-08-29T06:58:53.9695944Z ##[debug]Unsupported installed version: 0 found for MSDeploy. version should be at least 3 or above
2022-08-29T06:58:53.9697127Z ##[debug]System.DefaultWorkingDirectory=C:\agent\_work\6\s
2022-08-29T06:58:53.9702761Z ##[debug]the argument string is:
2022-08-29T06:58:53.9705491Z ##[debug] -verb:sync -source:package="'C:\agent\_work\6\s\temp_web_package_07978929917578559.zip'" -dest:auto,ComputerName="'https://<web-app-name>.scm.azurewebsites.net:443/msdeploy.axd?site=<web-app-name>'",UserName="'$<web-app-name>'",Password="'***'",AuthType="'Basic'" -setParam:name="'IIS Web Application Name'",value="'<web-app-name>'" -enableRule:AppOffline -retryAttempts:6 -retryInterval:10000 -enableRule:DoNotDeleteRule -userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0
2022-08-29T06:58:53.9709265Z ##[debug]converting the argument string into an array of arguments
2022-08-29T06:58:53.9710317Z ##[debug]the array of arguments is:
2022-08-29T06:58:53.9711711Z ##[debug]arg#0: -verb:sync
2022-08-29T06:58:53.9713334Z ##[debug]arg#1: -source:package='C:\agent\_work\6\s\temp_web_package_07978929917578559.zip'
2022-08-29T06:58:53.9715273Z ##[debug]arg#2: -dest:auto,ComputerName='https://<web-app-name>.scm.azurewebsites.net:443/msdeploy.axd?site=<web-app-name>',UserName='$<web-app-name>',Password='***',AuthType='Basic'
2022-08-29T06:58:53.9717577Z ##[debug]arg#3: -setParam:name='IIS Web Application Name',value='<web-app-name>'
2022-08-29T06:58:53.9718612Z ##[debug]arg#4: -enableRule:AppOffline
2022-08-29T06:58:53.9719669Z ##[debug]arg#5: -retryAttempts:6
2022-08-29T06:58:53.9720427Z ##[debug]arg#6: -retryInterval:10000
2022-08-29T06:58:53.9721771Z ##[debug]arg#7: -enableRule:DoNotDeleteRule
2022-08-29T06:58:53.9722766Z ##[debug]arg#8: -userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0
2022-08-29T06:58:53.9724003Z ##[debug]which 'msdeploy'
2022-08-29T06:58:53.9725442Z ##[debug]found: 'C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe'
2022-08-29T06:58:53.9729462Z ##[debug]C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe arg: ["-verb:sync","-source:package='C:\\agent\\_work\\6\\s\\temp_web_package_07978929917578559.zip'","-dest:auto,ComputerName='https://<web-app-name>.scm.azurewebsites.net:443/msdeploy.axd?site=<web-app-name>',UserName='$<web-app-name>',Password='***',AuthType='Basic'","-setParam:name='IIS Web Application Name',value='<web-app-name>'","-enableRule:AppOffline","-retryAttempts:6","-retryInterval:10000","-enableRule:DoNotDeleteRule","-userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0"]
2022-08-29T06:58:53.9734022Z ##[debug]C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe arg: ["-verb:sync","-source:package='C:\\agent\\_work\\6\\s\\temp_web_package_07978929917578559.zip'","-dest:auto,ComputerName='https://<web-app-name>.scm.azurewebsites.net:443/msdeploy.axd?site=<web-app-name>',UserName='$<web-app-name>',Password='***',AuthType='Basic'","-setParam:name='IIS Web Application Name',value='<web-app-name>'","-enableRule:AppOffline","-retryAttempts:6","-retryInterval:10000","-enableRule:DoNotDeleteRule","-userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0"]
2022-08-29T06:58:53.9737060Z ##[debug]exec tool: C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe
2022-08-29T06:58:53.9738352Z ##[debug]exec tool: C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe
2022-08-29T06:58:53.9739322Z ##[debug]arguments:
2022-08-29T06:58:53.9740006Z ##[debug]arguments:
2022-08-29T06:58:53.9740678Z ##[debug]   -verb:sync
2022-08-29T06:58:53.9741379Z ##[debug]   -verb:sync
2022-08-29T06:58:53.9742204Z ##[debug]   -source:package='C:\agent\_work\6\s\temp_web_package_07978929917578559.zip'
2022-08-29T06:58:53.9743119Z ##[debug]   -source:package='C:\agent\_work\6\s\temp_web_package_07978929917578559.zip'
2022-08-29T06:58:53.9744959Z ##[debug]   -dest:auto,ComputerName='https://<web-app-name>.scm.azurewebsites.net:443/msdeploy.axd?site=<web-app-name>',UserName='$<web-app-name>',Password='***',AuthType='Basic'
2022-08-29T06:58:53.9747056Z ##[debug]   -dest:auto,ComputerName='https://<web-app-name>.scm.azurewebsites.net:443/msdeploy.axd?site=<web-app-name>',UserName='$<web-app-name>',Password='***',AuthType='Basic'
2022-08-29T06:58:53.9749279Z ##[debug]   -setParam:name='IIS Web Application Name',value='<web-app-name>'
2022-08-29T06:58:53.9750909Z ##[debug]   -setParam:name='IIS Web Application Name',value='<web-app-name>'
2022-08-29T06:58:53.9752248Z ##[debug]   -enableRule:AppOffline
2022-08-29T06:58:53.9753313Z ##[debug]   -enableRule:AppOffline
2022-08-29T06:58:53.9754028Z ##[debug]   -retryAttempts:6
2022-08-29T06:58:53.9754723Z ##[debug]   -retryAttempts:6
2022-08-29T06:58:53.9755432Z ##[debug]   -retryInterval:10000
2022-08-29T06:58:53.9756145Z ##[debug]   -retryInterval:10000
2022-08-29T06:58:53.9756864Z ##[debug]   -enableRule:DoNotDeleteRule
2022-08-29T06:58:53.9757602Z ##[debug]   -enableRule:DoNotDeleteRule
2022-08-29T06:58:53.9758413Z ##[debug]   -userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0
2022-08-29T06:58:53.9759274Z ##[debug]   -userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0
2022-08-29T06:58:53.9762063Z [command]"C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe" -verb:sync -source:package='C:\agent\_work\6\s\temp_web_package_07978929917578559.zip' -dest:auto,ComputerName='https://<web-app-name>.scm.azurewebsites.net:443/msdeploy.axd?site=<web-app-name>',UserName='$<web-app-name>',Password='***',AuthType='Basic' -setParam:name='IIS Web Application Name',value='<web-app-name>' -enableRule:AppOffline -retryAttempts:6 -retryInterval:10000 -enableRule:DoNotDeleteRule -userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0
2022-08-29T06:58:54.3765154Z Info: Using ID '910feaf0-3047-457f-a972-6d9e37b399f5' for connections to the remote server.
2022-08-29T06:58:54.4771138Z ##[debug]Exit code 4294967295 received from tool 'C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe'
2022-08-29T06:58:54.4773207Z ##[debug]Exit code 4294967295 received from tool 'C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe'
2022-08-29T06:58:54.4776306Z ##[debug]STDIO streams have closed for tool 'C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe'
2022-08-29T06:58:54.4777999Z ##[debug]STDIO streams have closed for tool 'C:\agent\_work\_tasks\AzureRmWebAppDeployment_497d490f-eea7-4f2b-ab94-48d9c1acdcb1\4.209.0\node_modules\azure-pipelines-tasks-webdeployment-common\MSDeploy3.6\MSDeploy3.6\msdeploy.exe'
2022-08-29T06:58:54.4779606Z ##[debug]System.DefaultWorkingDirectory=C:\agent\_work\6\s
2022-08-29T06:58:54.4796284Z ##[debug]Deployment Failed with Error: Error: Error: Could not complete the request to remote agent URL 'https://<web-app-name>.scm.azurewebsites.net/msdeploy.axd?site=<web-app-name>'.
Error: The request was aborted: Could not create SSL/TLS secure channel.
Error count: 1.

The same agent is also used to deploy (with the same task) to an older App Service without issue. There is one difference in the debug output of the working and the not working deployment

# working
-userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_426_0
# not working
-userAgent:VSTS_8cba2559-f093-44dd-97ca-eab9368422fd_build_407_0

But I'm not sure what this controlles and how the value is controlled, because again it is running both times on the same VM.


Solution

  • Error: The request was aborted: Could not create SSL/TLS secure channel.

    The issue could be related to the TLS version on your VM where the Self-hosted agent located.

    By default, the .Net6 App Service will use TLS1.2. You can navigate to App Service -> TLS/SSL settings to check the settings.

    enter image description here

    Then you can navigate to Azure VM and check if TLS1.2 is enable. PowerShell script to check TLS 1.2

    If no, you can use the following script to enable TLS1.2.

    If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'))
    {
        New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
    }
    New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null
    
    If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'))
    {
        New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
    }
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null
    
    If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'))
    {
        New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
    }
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null
    
    If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'))
    {
        New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
    }
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null
    
    Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take affect.' -ForegroundColor Cyan
    

    For more detailed info, you can refer to this doc: PowerShell script to enable TLS 1.2