Immediate KeepAlive & ScheduledPublishing log errors after TLS1.2 update
Hi there, we turned TLS1, SSL2 and SSL3 off on our live hosting and immediately after started seeing the below two errors on overdrive. I have had a good search through the forums (this pops up a lot with varying degrees of not really sorted) and the bug tracker (often solved but for versions before the one we are using).
I understand why they are appearing and why so frequent, but what I can’t understand is how an internal service isn't able to connect under the same security layer.
This is a high traffic site with over 20,000 visitors per day and 4 peak times around the clock so I can't poke and prod at will, it all needs to be pre-agreed down time, plus am concerned the amount of extra file writes and log/cache growth could be a risk.
So I have 2 questions:
Has anyone found an actual permanent solution to this?
Is Umbraco using top down security choice by default (.net4.5+) or is there a fix needed for TLS1.2?
Every 5 minutes
2016-08-30 17:01:36,404 [67] ERROR Umbraco.Web.Scheduling.KeepAlive - [P3168/T65/D5] Failed (at "https://www.xxx.com/umbraco").
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
   at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Umbraco.Web.Scheduling.KeepAlive.
Every minute
2016-08-30 17:01:36,404 [67] ERROR Umbraco.Web.Scheduling.ScheduledPublishing - [P3168/T65/D5] Failed (at "https://www.xxx.com/umbraco").
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
   at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Umbraco.Web.Scheduling.ScheduledPublishing.
How it's set up:
Umbraco 7.2.8
dedicated hosting Win 2012 R2
The entire site is under a permanent URL rewrite to https. It has been since go live (12 months ago) and this error has never occurred before.
UmbracoUseSSL = true
ScheduledTask Base URL = www.xxx.com/umbraco/
.net frameworks fully up to date and patched (4.5+)
powershell scripts run automated jobs - had to update these ([Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12) to force TLS and confirmed working
Things I have tried:
Some mentions of server reboots not setting the OriginalRequestUrl (makes it localhost) - confirmed URL is correct after app restarts
tried updating the URL rewrite rule to a different format, no change
tried moving the URL rewrite rule from web.config to /config/UrlRewriting.config, no change
We got the same after turning off TLS 1.0. I'm guessing some code in there is compiled with an earlier version of .NET than 4.5. This will cause it to use TLS 1.0.
We have TLS1.2 enabled on our server, but getting those 5-minute interval errors in Umbraco 8. Would that code work for Umbraco 8 maybe, and if so, where exactly does it go? In a class in AppStart or AppCode?
You have to make a composition something like below:
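    using Umbraco.Core.Composing;
    public class MyComponent : IComponent
    {
        public void Initialize()
        {
            // Static setting: applies to outbound HTTPS requests made via ServicePointManager in this application
            System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
        }
        // IComponent also requires Terminate(); nothing to clean up here
        public void Terminate() { }
    }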
Still having the 5-minute keepAlive errors, and have done all the following: 1) added code to ensure SecurityProtocolType =Tls12 (it's set in a component now, can see it's set correctly by showing that property in any view), 2) set useHttps = true in web.config, 3) sets ApplicationUrl in
I feel like those are all the steps I've seen to correct this issue so far (again, in Umbraco v8), so will maybe wait for more info if others are having the same issue.
I've got the following code running now (thanks for the tips on Compositions, which are new to me). Have verified that it runs by examining the log viewer after Umbraco starts, but still getting the KeepAlive errors every 5 minutes, so may explore whether there's something happening between Umbraco and SQL Server maybe, or an SSL certificate issue.
    using Umbraco.Core;
    using Umbraco.Core.Composing;
    using Umbraco.Core.Logging;

    namespace intranet.App_Start
    {
        [RuntimeLevel(MinLevel = RuntimeLevel.Run)]
        public class InstallComposer : IUserComposer
        {
            public void Compose(Composition composition)
            {
                composition.Components().Append<TLSFix>();
            }
        }

        public class TLSFix : IComponent
        {
            public void Initialize()
            {
                // Force TLS1.2 as SecurityProtocol
                System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
                Current.Logger.Info<TLSFix>("SecurityProtocol been set to {protocol}", System.Net.ServicePointManager.SecurityProtocol);
            }

            public void Terminate()
            {
            }
        }
    }
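One way to check, from the web server itself, which protocol versions the site's own HTTPS endpoint will negotiate and whether its certificate validates for the hostname the scheduler calls. This is an added diagnostic, not code from the thread or from Umbraco; the `TlsProbe` class, its method names and the `www.example.com` placeholder host are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added diagnostic (hypothetical names). Build as a console app and run it on
// the web server, passing the hostname from the scheduled task base URL.
public static class TlsProbe
{
    // Attempts one handshake restricted to a single protocol version and
    // reports the outcome, including any certificate validation errors.
    public static string Probe(string host, int port, SslProtocols protocol)
    {
        SslPolicyErrors certErrors = SslPolicyErrors.None;
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false,
                // Records the validation result only; no application data is sent
                // on this stream. Do not reuse this callback for real requests.
                (sender, cert, chain, errors) => { certErrors = errors; return true; }))
            {
                ssl.AuthenticateAsClient(host, null, protocol, false);
                return protocol + ": handshake OK, negotiated " + ssl.SslProtocol
                     + ", certificate errors: " + certErrors;
            }
        }
        catch (Exception ex)
        {
            // A connection reset here corresponds to the "forcibly closed by the
            // remote host" IOException in the KeepAlive trace.
            return protocol + ": FAILED (" + ex.GetType().Name + ": " + ex.Message + ")";
        }
    }

    public static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "www.example.com"; // placeholder
        // What outbound HttpClient/HttpWebRequest calls in this process would offer.
        Console.WriteLine("ServicePointManager.SecurityProtocol = "
                          + ServicePointManager.SecurityProtocol);
        foreach (var p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
            Console.WriteLine(Probe(host, 443, p));
    }
}
```

If the TLS 1.2 probe succeeds with no certificate errors while the scheduler still fails, the remaining suspects are the protocol set the web application itself offers and the URL it is actually calling, not the server's TLS configuration.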
References:
Any help or advice would be massively appreciated
cheers, mike
We have the same issue. Can anyone help on this?
Do you know what version of .NET you're using? If you can upgrade to 4.6.2 you should be sorted.
I was able to fix this by forcing the site to use TLS1.2 by:
I think it is also covered more exhaustively at https://our.umbraco.com/documentation/Implementation/Composing/
Hi Eric.
Just a wild guess. Did you append your component?