Getting the SSL connection could not be established, see inner exception while calling Connect-AzAccount in Microsoft Hosted agent via Azure pipeline

[NeilZiyan]

#12026 Description

We are getting below error intermittently while running Azure PowerShell task in Microsoft Hosted agent via Azure pipeline

Issue can only be reproduced in Azure pipeline currently. The OS version is Windows_latest or Linux
You may find detailed os environment at
https://github.com/actions/virtual-environments/blob/master/images/win/Windows2019-Readme.md
and
https://github.com/actions/virtual-environments/blob/master/images/linux/Ubuntu1804-README.md

Previously, it's possible to reproduce the issue in generic powershell task with below script but it's not possible now. Currently, still getting the issue intermittently with Azure PowerShell task.

$servicePrincipalId = ""
$servicePrincipalKey = ""
$tenantId = ""
$azureSubscriptionId = ""

$securePassword = ConvertTo-SecureString $servicePrincipalKey -AsPlainText -Force
$psCredential = New-Object System.Management.Automation.PSCredential ($servicePrincipalId, $securePassword)

Write-Verbose "Connect-AzAccount Started" -Verbose
$azureAccount = Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $psCredential -Environment AzureCloud
$azureAccount
Write-Verbose "Connect-AzAccount Completed" -Verbose

Steps to reproduce

Since the error returned before our own script, below configuration of Azure PowerShell task is good enough. 
![image](https://user-images.githubusercontent.com/46100345/85834426-ebc1ac00-b7c5-11ea-97f0-d4600276a9a5.png)

Environment data

Module versions

az_3.8.0/Az.Accounts/1.8.1/

Debug output

Since the line failed is still within build-in script of Azure PowerShell task, it's not possible to add debugpreference
2020-06-24T12:15:10.0417204Z ##[command]Import-Module -Name /usr/share/az_3.8.0/Az.Accounts/1.8.1/Az.Accounts.psd1 -Global
2020-06-24T12:15:10.4162733Z ##[command]Clear-AzContext -Scope Process
2020-06-24T12:15:11.3283361Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2020-06-24T12:15:11.9323163Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant *** -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2020-06-24T12:15:29.3785853Z Exception is : An error occurred while sending the request.
2020-06-24T12:15:29.5508541Z [91mOperationStopped: [0m/home/vsts/work/_tasks/AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62/4.168.2/InitializeAz.ps1:91
2020-06-24T12:15:29.5509671Z [96mLine |
2020-06-24T12:15:29.5510362Z [96m 91 | [0m [96mthrow (New-Object System.Exception("There was an error with t [0m …
2020-06-24T12:15:29.5511438Z [96m | [91m ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-06-24T12:15:29.5512227Z [91m [96m | [91mThere was an error with the service principal used for the
2020-06-24T12:15:29.5512876Z [96m | [91mdeployment.
2020-06-24T12:15:29.5513342Z [0m
2020-06-24T12:15:29.5638014Z ##[debug]Exit code 1 received from tool '/usr/bin/pwsh'
2020-06-24T12:15:29.5645783Z ##[debug]STDIO streams have closed for tool '/usr/bin/pwsh'
2020-06-24T12:15:29.5660119Z ##[debug]task result: Failed

## Error output

<!-- Please run Resolve-AzError and paste the output in the below code block -->

Again, it's in Azure PowerShell task, not possible to add this flag.

In the latest version of Azure Powershell task, it seems the actual error is covered. In version 4.* Azure PowerShell task, we see below error. 
2020-04-30T21:42:13.2641704Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant *** -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2020-04-30T21:42:24.4607635Z ##[error]An error occurred while sending the request.
2020-04-30T21:42:24.4621509Z ##[debug]Processed: ##vso[task.logissue type=error]An error occurred while sending the request.
2020-04-30T21:42:24.4998910Z ##[error]Make sure the machine is using TLS 1.2 protocol or higher. Check https://aka.ms/enableTlsv2 for more information on how to enable TLS in your machine.
2020-04-30T21:42:24.5000844Z ##[debug]Processed: ##vso[task.logissue type=error]Make sure the machine is using TLS 1.2 protocol or higher. Check https://aka.ms/enableTlsv2 for more information on how to enable TLS in your machine.

[dingmeng-xue]

Hi @NeilZiyan , this issue seems related to your environment. Could you try below code?

Invoke-RestMethod -Uri https://www.bing.com

[NeilZiyan]

Hi @NeilZiyan , this issue seems related to your environment. Could you try below code?

Invoke-RestMethod -Uri https://www.bing.com

It's Microsoft Hosted agent which is managed by Azure DevOps product team. In other word, the environment is controlled by Azure DevOps product team. Actually, I am the support engineer of Azure DevOps and our product team request me to file this issue to your product team to investigate further. Could you ping me on Teams to have a quick call? My name is Neil Zhuang.

[dingmeng-xue]

@NeilZiyan , this error is too general. Azure PowerShell uses rest client to establish HTTPs communication. If it has problem, all Azure PowerShell cmdlet should have problem.

We need more debug track to narrow down the problem. Please collect more log. BTW, please take care the agent and check if this issue only occurs on specific agents.

[dingmeng-xue]

@NeilZiyan , I'm closing this issue now. Please contact us if you have further information from customer environment.

[Roshan-Kumar-Microsoft]

@dingmeng-xue Can you please check for this request ID and that time stamp what is happening during establishing connection ? This issue is not happening frequently and it will generally happen 1 out 20 times. This is not specific to hosted agent User in past also able to reproduce on his box sometimes. Please let me know if you need more details ?

[kainwei]

When I used Azure App Function and Runbook met this error and I used : Invoke-WebRequest command in Powershell.
Add -SkipCertificateCheck after Invoke-WebRequest worked for me.
like:

Invoke-WebRequest  -SkipCertificateCheck -Uri "https://xxx.xxx.xxx/xxx"

Reference:
https://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
(Amar Helloween's answer)
Hope it can help someone who use invoke-WebRequest in Azure.
I have to say Microsoft has the worst product I had ever seen. I orchestrated it first in win10's powershell and met this damn error in Azure function apps and runbook that is different from their own powershell in win10. Spend me several hours to sovle it as usall! Why Microsoft can not build their same product same in different platform?