
Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting


When I start the Cosmos DB emulator, latest version 2.11.2.0, Win 10, build 20170, and navigate in the explorer, I get this:

Error while refreshing databases: {"code":403,"body":{"code":"Forbidden","message":"Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.\r\nActivityId: 2cae913d-fd4c-4875-bd49-cda0722b9081, Microsoft.Azure.Documents.Common/2.11.0"},"headers":{"access-control-allow-credentials":"true","access-control-allow-origin":"","content-location":"https://localhost:8081/offers","content-type":"application/json","date":"Thu, 30 Jul 2020 05:16:11 GMT","server":"Microsoft-HTTPAPI/2.0","status":"403","x-ms-activity-id":"2cae913d-fd4c-4875-bd49-cda0722b9081","x-ms-gatewayversion":"version=2.11.0","x-ms-throttle-retry-count":0,"x-ms-throttle-retry-wait-time-ms":0},"activityId":"2cae913d-fd4c-4875-bd49-cda0722b9081"}

The same happens from code running on Docker over the gateway (certificate exported correctly), "Azure.Cosmos" Version="4.0.0-preview3", code:
cosmosClient = new CosmosClient(connStrCustom, new CosmosClientOptions() { ConnectionMode = ConnectionMode.Gateway });

Exception:

DocDBTrace Information: 0 : Fail to reach global gateway https://192.168.100.3:8081/, Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
   at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
   at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
   at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList1 locations, Func2 getDatabaseAccountFn)
DocDBTrace Error: 0 : Operation will NOT be retried. Current attempt 0, Status Code: Forbidden
DocDBTrace Warning: 0 : initializeTask failed System.AggregateException: One or more errors occurred. (Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting. ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1) ---> Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
   at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
   at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
   at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList1 locations, Func2 getDatabaseAccountFn)
   at Microsoft.Azure.Cosmos.GatewayAccountReader.InitializeReaderAsync()
   at Microsoft.Azure.Cosmos.CosmosAccountServiceConfiguration.InitializeAsync()
   at Microsoft.Azure.Cosmos.DocumentClient.InitializeGatewayConfigurationReaderAsync()
   at Microsoft.Azure.Cosmos.DocumentClient.GetInitializationTaskAsync(IStoreClientFactory storeClientFactory)
   at Microsoft.Azure.Cosmos.TaskHelper.<>c__DisplayClass0_0.<<InlineIfPossibleAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.Azure.Documents.BackoffRetryUtility1.ExecuteRetryAsync(Func1 callbackMethod, Func3 callShouldRetry, Func1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action1 preRetryCallback)
   at Microsoft.Azure.Documents.ShouldRetryResult.ThrowIfDoneTrying(ExceptionDispatchInfo capturedException)
   at Microsoft.Azure.Documents.BackoffRetryUtility1.ExecuteRetryAsync(Func1 callbackMethod, Func3 callShouldRetry, Func1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action1 preRetryCallback)
   at Microsoft.Azure.Cosmos.DocumentClient.EnsureValidClientAsync()
--- End of inner exception stack trace ---

ty

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:13 (5 by maintainers)

Top GitHub Comments

4 reactions
richardhauer commented, Oct 10, 2020

@adstep and others; I am using Cosmos emulator on Windows 10 Fast Ring and just ran into this. My IIS does not have the bindings and looking at the request messages it seems that the host is directly through HTTP.sys.

I was able to get this working by disabling TLS1.3 for the HTTP.SYS binding using netsh.

  1. Get the current settings required from cmd: netsh http show sslcert >> C:\temp\netsh.output.txt
  2. Search the output file for 0.0.0.0:8081 or whatever port you are using
  3. Set the flags from cmd: netsh http update sslcert ipport=0.0.0.0:8081 appid={00000000-0000-0000-0000-9134d4f81626} certhash=b35df09d20000000000019ad39c6170000000000 certstorename=My disabletls13=enable

The values for appid and certhash should come from the output file captured in step 1. The important part is the disabletls13=enable. You need all these bits for the command to work.
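
The three steps above as a script, added here as an example (not code from the issue or from the emulator project): it parses output shaped like `netsh http show sslcert`, picks the binding for the port, and prints the update command using that binding's own appid and certhash. The sample output is constructed, the helper name `Get-SslBinding` is hypothetical, and English field labels are assumed.

```powershell
# Constructed sample shaped like `netsh http show sslcert` output. The first binding
# reuses the placeholder hash/appid from the comment; the second is made up.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:8081
    Certificate Hash             : b35df09d20000000000019ad39c6170000000000
    Application ID               : {00000000-0000-0000-0000-9134d4f81626}
    Certificate Store Name       : My

    IP:port                      : 0.0.0.0:44300
    Certificate Hash             : 00000000000000000000000000000000000000aa
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : My
'@

# Hypothetical helper: turn "key : value" lines into one dictionary per binding.
function Get-SslBinding {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s+(?<key>.+?)\s+:\s(?<value>.*)$') {
            $key = $Matches['key']; $value = $Matches['value'].Trim()
            if ($key -eq 'IP:port') {
                if ($null -ne $current) { $current }   # emit the previous binding
                $current = [ordered]@{}
            }
            if ($null -ne $current) { $current[$key] = $value }
        }
    }
    if ($null -ne $current) { $current }               # emit the last binding
}

$ipport = '0.0.0.0:8081'   # step 2: the emulator port from the issue
$b = Get-SslBinding -Lines ($sample -split '\r?\n') |
    Where-Object { $_['IP:port'] -eq $ipport } | Select-Object -First 1
if ($null -eq $b) { throw "No HTTP.sys binding found for $ipport" }

# Refuse to build the command from fields that do not look right.
if ($b['Certificate Hash'] -notmatch '^[0-9a-fA-F]{40}$') { throw 'Unexpected certhash' }
if ($b['Application ID'] -notmatch '^\{[0-9a-fA-F-]{36}\}$') { throw 'Unexpected appid' }

# Step 3: print (not run) the command, to be pasted into an elevated cmd prompt.
'netsh http update sslcert ipport={0} appid={1} certhash={2} certstorename={3} disabletls13=enable' -f `
    $ipport, $b['Application ID'], $b['Certificate Hash'], $b['Certificate Store Name']
```

On a real machine, pass the live output instead of the sample with `Get-SslBinding -Lines (netsh http show sslcert)`.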
