Download from github.com returns WebException The request was aborted: Could not create SSL/TLS secure channel.

[hmorrised]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: Puppet 5.5.6 Client / Puppetserver 2.8.1 (from pc1-1.1.0)
• Module version: 3.1.0
• OS: Client running on Windows Server 2016

How to reproduce (e.g Puppet code you use)

download_file { $installer:
  url                   => 'https://github.com/git-for-windows/git/releases/download/v2.19.1.windows.1/Git-2.19.1-64-bit.exe',
  destination_directory => 'c:\\'
}

What are you seeing

When I run Puppet agent manually I see the following error:

Notice: /Stage[main]/Git::Install::Windows/Download_file[Git-2.19.1-64-bit.exe]/File[download-Git-2.19.1-64-bit.exe.ps1]/ensure: defined content as '{md5}4a913e51b88e77f9750f702cdc6c02c7'
Notice: /Stage[main]/Git::Install::Windows/Download_file[Git-2.19.1-64-bit.exe]/Exec[download-Git-2.19.1-64-bit.exe]/returns: System.Net.WebException
Notice: /Stage[main]/Git::Install::Windows/Download_file[Git-2.19.1-64-bit.exe]/Exec[download-Git-2.19.1-64-bit.exe]/returns: The request was aborted: Could not create SSL/TLS secure channel.
Notice: /Stage[main]/Git::Install::Windows/Download_file[Git-2.19.1-64-bit.exe]/Exec[download-Git-2.19.1-64-bit.exe]/returns:
Error: 'c:\\download-Git-2.19.1-64-bit.exe.ps1' returned 1 instead of one of [0]
Error: /Stage[main]/Git::Install::Windows/Download_file[Git-2.19.1-64-bit.exe]/Exec[download-Git-2.19.1-64-bit.exe]/returns: change from 'notrun' to ['0'] failed: 'c:\\download-Git-2.19.1-64-bit.exe.ps1' returned 1 instead of one of [0]

What behaviour did you expect instead

I expected the Git executable to downloaded to C:\Git-2.19.1-64-bit.exe

Output log

See above.

Any additional information you'd like to impart

A potential fix is to add the following into the try block in the download PowerShell script:

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11"

For example, in the case of the PowerShell script generated by the above Puppet code:

try {
  [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11"
  $webclient.DownloadFile('https://github.com/git-for-windows/git/releases/download/v2.19.1.windows.1/Git-2.19.1-64-bit.exe', 'c:\\Git-2.19.1-64-bit.exe')
}

When I run the PowerShell script manually in ISA the download completes successfully.

There may be issues around setting the security protocol like this both outside of Windows Server 2016 and for remote URLs that only support tls1.0 or ssl3 (which would be Very Bad but folk might expect download_file to still work).

[hdep]

Hi, is there any work on this issue ? Can I help with something ?

[KZachariassen]

This is pretty blocking for us, could we give this issue some focus?

[fatmanmclone90]

blocking us as well. Can I do anything in my powershell profile to work around the issue?

[lucasdiedrich]

+1

[bgrossman]

Affecting us too

[dhoppe]

@hjohnst6 Unfortunately the docs of this module are not complete, but you could provide the protocols as string to the parameter security_protocol:

• https://github.com/voxpupuli/puppet-download_file/blob/master/manifests/init.pp#L74
• https://github.com/voxpupuli/puppet-download_file/blob/master/templates/download.ps1.erb#L3

[DYKenoby]

Add
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
to
download.ps1.erb helped on puppetserver helped for me.