Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting
When I start the Cosmos DB emulator, latest version 2.11.2.0, on Win 10 build 20170, and navigate to the explorer, I get this:
Error while refreshing databases: {"code":403,"body":{"code":"Forbidden","message":"Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.\r\nActivityId: 2cae913d-fd4c-4875-bd49-cda0722b9081, Microsoft.Azure.Documents.Common/2.11.0"},"headers":{"access-control-allow-credentials":"true","access-control-allow-origin":"","content-location":"https://localhost:8081/offers","content-type":"application/json","date":"Thu, 30 Jul 2020 05:16:11 GMT","server":"Microsoft-HTTPAPI/2.0","status":"403","x-ms-activity-id":"2cae913d-fd4c-4875-bd49-cda0722b9081","x-ms-gatewayversion":"version=2.11.0","x-ms-throttle-retry-count":0,"x-ms-throttle-retry-wait-time-ms":0},"activityId":"2cae913d-fd4c-4875-bd49-cda0722b9081"}
The same happens from code running on Docker over the gateway (certificate exported correctly).
"Azure.Cosmos" Version="4.0.0-preview3",
code:
cosmosClient = new CosmosClient(connStrCustom,
    new CosmosClientOptions()
    {
        ConnectionMode = ConnectionMode.Gateway
    });
Exception:
DocDBTrace Information: 0 : Fail to reach global gateway https://192.168.100.3:8081/, Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList`1 locations, Func`2 getDatabaseAccountFn)
DocDBTrace Error: 0 : Operation will NOT be retried. Current attempt 0, Status Code: Forbidden
DocDBTrace Warning: 0 : initializeTask failed System.AggregateException: One or more errors occurred. (Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1)
---> Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList`1 locations, Func`2 getDatabaseAccountFn)
at Microsoft.Azure.Cosmos.GatewayAccountReader.InitializeReaderAsync()
at Microsoft.Azure.Cosmos.CosmosAccountServiceConfiguration.InitializeAsync()
at Microsoft.Azure.Cosmos.DocumentClient.InitializeGatewayConfigurationReaderAsync()
at Microsoft.Azure.Cosmos.DocumentClient.GetInitializationTaskAsync(IStoreClientFactory storeClientFactory)
at Microsoft.Azure.Cosmos.TaskHelper.<>c__DisplayClass0_0.<<InlineIfPossibleAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.Azure.Documents.BackoffRetryUtility`1.ExecuteRetryAsync(Func`1 callbackMethod, Func`3 callShouldRetry, Func`1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action`1 preRetryCallback)
at Microsoft.Azure.Documents.ShouldRetryResult.ThrowIfDoneTrying(ExceptionDispatchInfo capturedException)
at Microsoft.Azure.Documents.BackoffRetryUtility`1.ExecuteRetryAsync(Func`1 callbackMethod, Func`3 callShouldRetry, Func`1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action`1 preRetryCallback)
at Microsoft.Azure.Cosmos.DocumentClient.EnsureValidClientAsync()
--- End of inner exception stack trace ---
ty
Issue Analytics
- Created 3 years ago
- Comments:13 (5 by maintainers)
Top GitHub Comments
@adstep and others; I am using Cosmos emulator on Windows 10 Fast Ring and just ran into this. My IIS does not have the bindings and looking at the request messages it seems that the host is directly through HTTP.sys.
I was able to get this working by disabling TLS1.3 for the HTTP.SYS binding using netsh.
1. netsh http show sslcert >> C:\temp\netsh.output.txt
2. 0.0.0.0:8081 or whatever port you are using
3. netsh http update sslcert ipport=0.0.0.0:8081 appid={00000000-0000-0000-0000-9134d4f81626} certhash=b35df09d20000000000019ad39c6170000000000 certstorename=My disabletls13=enable
The values for appid and certhash should come from the output file captured in step 1. The important part is the disabletls13=enable. You need all these bits for the command to work.
https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator-release-notes
version 2.11.8 fixes an issue TLS 1.3…
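
The netsh steps from the first comment above, as an added PowerShell example that is not part of the original thread: it parses captured `netsh http show sslcert` output, selects the binding for the emulator port, and prints the matching `netsh http update sslcert` command. The function names and the second binding in the sample are constructed, and the field labels assume English-language Windows output.

```powershell
# Constructed sample of `netsh http show sslcert` output; the first binding
# reuses the appid and certhash values quoted in the comment above.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:8081
    Certificate Hash             : b35df09d20000000000019ad39c6170000000000
    Application ID               : {00000000-0000-0000-0000-9134d4f81626}
    Certificate Store Name       : My

    IP:port                      : 0.0.0.0:44300
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {11111111-1111-1111-1111-111111111111}
    Certificate Store Name       : MY
'@

# Hypothetical helper: split the text into one dictionary per binding.
function Get-SslCertBinding {
    param([string]$NetshOutput, [string]$IpPort)
    $bindings = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $NetshOutput -split '\r?\n') {
        # "Label : value"; the colon inside "IP:port" has no spaces around it
        if ($line -match '^\s*(.+?)\s+:\s+(.+?)\s*$') {
            $name, $value = $Matches[1], $Matches[2]
            if ($name -eq 'IP:port') {          # each binding starts with this field
                $current = [ordered]@{}
                $bindings.Add($current)
            }
            if ($null -ne $current) { $current[$name] = $value }
        }
    }
    $bindings | Where-Object { $_['IP:port'] -eq $IpPort }
}

# Hypothetical helper: rebuild the full update command with all required fields.
function New-DisableTls13Command {
    param($Binding)
    'netsh http update sslcert ipport={0} appid={1} certhash={2} certstorename={3} disabletls13=enable' -f `
        $Binding['IP:port'], $Binding['Application ID'],
        $Binding['Certificate Hash'], $Binding['Certificate Store Name']
}

# For a live system: $text = netsh http show sslcert | Out-String
$binding = Get-SslCertBinding -NetshOutput $sample -IpPort '0.0.0.0:8081'
if ($null -eq $binding) { throw 'No HTTP.sys binding found for 0.0.0.0:8081' }
# Printed for review only; run the result from an elevated cmd.exe prompt.
New-DisableTls13Command -Binding $binding
```

Only the binding for the emulator port is rewritten, so other HTTP.sys bindings keep their TLS settings.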