I'm having a very weird issue:
I'm deploying to an azure web app via MSDeploy from an on-prem CI/CD pipeline with Bamboo.
I get:
27-Jun-2022 20:53:50 Verbose: Pre-authenticating to remote agent URL 'https://app-xxxxx-stg.scm.azurewebsites.net:443/msdeploy.axd?site=app-xxxxx-stg' as '$app-xxxxx-stg'.
27-Jun-2022 20:53:50 Error: Could not complete the request to remote agent URL 'https://app-xxxx-stg.scm.azurewebsites.net/msdeploy.axd?site=app-xxxxx-stg'.
27-Jun-2022 20:53:50 Error: The request was aborted: Could not create SSL/TLS secure channel.
27-Jun-2022 20:53:50 Error count: 1.
What is weird is that the same deployment script works just fine with other webapps that have been created in the past (the dev and tst environments) and also fails with the same error if I try to deploy to prod environment (also just created).
The environments are created via ARM template, so they are exactly the same.
I've read other similar issues, but my webapp is configured to allow only TLS 1.2 min. But as mentioned, all the web apps are configured the same way, and the deployments all start from the same machine.
What could be the issue? how can I solve this connection problem?
Thank you
Just to let everyone know: problem is solved by forcing net framework applications (like MS Deploy) to default to TLS1.2.
As per this article: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
We'd a discussion on this on Microsoft Q&A thread. Just posting here to benefit the community. Self hosted agent connected to site using 1.0 or 1.1, we may encounter this error. Hence, for self hosted agent/custom agent for DevOps pipeline deployment ensure that the agent has >TLS1.2 installed.
Related
I am trying to deploy the Azure Web App in the Qa instance. I have created 3 different appsettings.json files with environment specific Client ID's in it
On the release pipeline for QA branch I am trying to use the test app service and set the settings like below
Release pipeline is all getting executed without any issues but when I try to access the application URL I get error like
Application ID is still pointing to the DEV one even though the appsettings.QA.json has different client ID of the Test App Registration where I set the reply URl and all correcctly.
I am not sure why my QA release pipeline is not using the ID's from the appsettings.QA.json. Can anyone please suggest me what is that I am missing here. Any help is greatly appreciated
Check how the application picks correct appsettings.json -file into use. As it picks Appsettings.Development.json in QA-environment, check how the environment is set in QA-environment App Service. Perhaps there is an environment-variable with the value "Development" in App Service configuration and that should be set to "QA"?
I'm following this article in order to deploy the web app on azure with private endpoint: https://azure.github.io/AppService/2021/03/01/deploying-to-network-secured-sites-2.html. My understanding is that the access to scm service is not required but is it the case? If I'm wrong, is there any other way to deploy in this case without using VM?
Unfortunately I keep getting the forbidden error:
An error occured during deployment. Status Code: 403,
I've tested it from a VM with access to scm and it works fine there but I need to make it work from the machine without the access to scm.
I'd like to add an offsite Windows VM to Azure Arc for health monitoring. The VM is hosted by Vultr and runs Windows Server 2016 Standard Build 14393.
However, installing AzureConnectedMachineAgent.msi on the target VM fails with error code 1603. Installation log also contains this error:
Start-Service : Service 'Guest Configuration Extension service
WixQuietExec64: (ExtensionService)' cannot be started due to the following error: Cannot start
WixQuietExec64: service ExtensionService on computer '.'.
WixQuietExec64: At C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\Modules\Exte
WixQuietExec64: nsionService\ServiceHelper.psm1:367 char:5
Any suggestions on how to fix this?
You may Check if the user with which you are logged into the VM have
sufficient permissions to start a system service
If you find the following in the
%ProgramData%\AzureConnectedMachineAgent\Log\himds.log or in installation logs :
time="2021-02-11T08:39:38-08:00" level=error msg="Cannot open event source: Azure Hybrid Instance Metadata Service."
You can verify the permissions by collecting the following registry
key from an impacted server.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomS
Mitigation can be to grant the permission to write to the
SECURITY_SERVICE_RID S-1-5-6 which would grant the required
permissions to the himds service account.
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids.
If the registry key does NOT exist on the impacted VM, then this
resolution will NOT apply as there will be a separate root cause such
as AV interference.
If the root cause is not found here ,then a procmon trace needs to be
taken to analyze the root cause for the msi not being able to start a
service.
( In case a procmon trace has to be analyzed , please open an MS
Support ticket)
To get support for Windows Agent and extensions in Azure, the Windows
Agent on the Windows VM must be later than or equal to version
2.7.41491.911. However the cause for the failure of agent installation is different in this case.
You may also want to check %programdata%\ext_mgr_logs\gc_ext_telemetry.txt log which must have had an entry something like this :
<GCLOG>........ Not starting Extension Service since machine is an Azure VM</GCLOG>
Cause:
This can happen while attempting to install the agent on an Azure VM.This is an unsupported production scenario.One Should not be installing this agent on an Azure VM as it conflicts with the Azure Guest Agent and interferes with Azure VM management.
If one wishes to use an Azure VM simply for testing purposes then
they can follow the below document for guidance
https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine
I have created the app service in existing internal app service environment. And then I’m trying to deploy the source code into above app service using Azure DevOps CI & CD pipelines. But, in the release pipeline I’m getting the below error message in Azure DevOps:
Error: Error Code: ERROR_DESTINATION_INVALID
More Information: Could not connect to the remote computer ("xx-xxxx-v1-api-dev.scm.xxx-int-nonp.xxxcloudapps.com"). Make sure that the remote computer name is correct and that you are able to connect to that computer. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DESTINATION_INVALID.
Error: The remote name could not be resolved: 'xx-xxxx-v1-api-dev.scm.xxx-int-nonp.xxxxcloudapps.com'
Error count: 1.
Note: I’m using self-hosted agent in the release pipeline. I have tried to access Kudu environment for the above service in the private virtual machine. But, the kudu not opening.
So, please suggest me how to fix the above issue.
Kindly set/add the following to the Application setting and see if it helps.
Name: WEBSITE_WEBDEPLOY_USE_SCM
Value: false
If I have understood your issue correctly (using private link).
For accessing the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records in your Azure DNS private zone or your custom DNS server. Kindly check this document for more details. If you haven't added the records, kindly see if that works.
Name Type Value
mywebapp.privatelink.azurewebsites.net A PrivateEndpointIP
mywebapp.scm.privatelink.azurewebsites.net A PrivateEndpointIP
https://learn.microsoft.com/azure/app-service/networking/private-endpoint#dns
Ensure that the release pipeline is running in the right host. Because the endpoint is private for the SCM too, the DevOps Agent must be in a network with access with the endpoint, so mandatory to use self-hosted Devops Agent.
Kindly see this doc for more details:
https://learn.microsoft.com/azure/app-service/networking/private-endpoint#dns
If the issue still persists, kindly capture a network trace/HAR or client-side HTTP log/review the logs.
P.S. Kindly do not share any PII data on the public forum for your privacy.
I have created a new Azure DevOps project. Asp.Net core 2.1, Service Fabric deploy.
First deploy went fine. Without any changes subsequent releases are failing
warnings and error
2018-10-10T08:24:17.8368242Z ##[section]Starting: Deploy Service Fabric Application
2018-10-10T08:24:17.8375072Z ==============================================================================
2018-10-10T08:24:17.8375163Z Task : Service Fabric Application Deployment
2018-10-10T08:24:17.8375234Z Description : Deploy a Service Fabric application to a cluster.
2018-10-10T08:24:17.8375288Z Version : 1.7.22
2018-10-10T08:24:17.8375356Z Author : Microsoft Corporation
2018-10-10T08:24:17.8375410Z Help : [More Information](https://go.microsoft.com/fwlink/?LinkId=820528)
2018-10-10T08:24:17.8375479Z ==============================================================================
2018-10-10T08:24:20.0073284Z Searching for path: D:\a\r1\a\**\drop\projectartifacts\**\PublishProfiles\Cloud.xml
2018-10-10T08:24:20.2879096Z Found path: D:\a\r1\a\Drop\drop\projectartifacts\Application\Voting\PublishProfiles\Cloud.xml
2018-10-10T08:24:20.3657104Z Searching for path: D:\a\r1\a\**\drop\applicationpackage
2018-10-10T08:24:20.4618957Z Found path: D:\a\r1\a\Drop\drop\applicationpackage
2018-10-10T08:24:20.7317155Z Imported cluster client certificate with thumbprint '25826D862588CBFA3D2113D882255156F7233F44'.
2018-10-10T08:25:02.0637557Z ##[warning]Failed to contact Naming Service. Attempting to contact Failover Manager Service...
2018-10-10T08:25:42.0730582Z ##[warning]Failed to contact Failover Manager Service, Attempting to contact FMM...
2018-10-10T08:26:22.0962942Z ##[warning]No such host is known
2018-10-10T08:26:22.2408731Z Service fabric SDK version: 3.2.176.9494.
2018-10-10T08:26:22.4279087Z ##[error]No cluster endpoint is reachable, please check if there is connectivity/firewall/DNS issue.
2018-10-10T08:26:22.4687237Z ##[section]Finishing: Deploy Service Fabric Application
All other devops project releases are failing also for same reason.
Any help to debug appreciated
well, this clearly has nothing to do with the release if all the releases are failing. Something happened to your cluster or to your service endpoint
You would need to check if you can connect to the cluster endpoint manually with powershell, for example (connect-servicefabricluster or something along those lines).
misunderstanding of built in release task.
guess cluster was created by DevOps project create and not release task as I thought.