
Patch download failures

Open PleaseStopAsking opened this issue 2 years ago • 8 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request

Module Version

  • 4.0.2

Affected Resource(s)

  • ArcGIS_InstallPatch

Configuration Files

{
    ...
    "ConfigData": {
        "Version": "10.9.1",
        "ServerRole": "GeneralPurposeServer",
        "PortalContext": "arcgis",
        "ServerContext": "arcgis",
        "DownloadPatches": true,
        "Server": {
            "Installer": {
                "PatchesDir": "C:\\ArcGISPatches",
                "PatchInstallOrder": [
                    "ArcGIS-1091-S-sp-Patch.msp",
                    "ArcGIS-1091-S-SEC2022U2-Patch.msp"
                ],
                ...
            }
        },
        "Portal": {
            "Installer": {
                "PatchesDir": "C:\\ArcGISPatches",
                "PatchInstallOrder": [
                    "ArcGIS-1091-PFA-SEC2022U2-PatchB.msp",
                    "ArcGIS-1091-PFA-QCS-Patch.msp"
                ],
                ...
            },
            ...
        },
        "DataStore": {
            "Installer": {
                "PatchesDir": "C:\\ArcGISPatches",
                "PatchInstallOrder": [
                    "ArcGIS-1091-DS-Log4j-Patch.msp"
                ],
                ...
            },
            ...
        }
    }
}

Expected Behavior

The patches should have been downloaded and installed.

Actual Behavior

Invoke-ArcGISConfiguration fails with...

2/9/2023 7:04:03 PM: [redacted]: LCM:  [ Start  Resource ]  [[ArcGIS_InstallPatch]DataStoreInstallPatch]
2/9/2023 7:04:03 PM: [redacted]: LCM:  [ Start  Test     ]  [[ArcGIS_InstallPatch]DataStoreInstallPatch]
2/9/2023 7:04:03 PM: [redacted]:                            [[ArcGIS_InstallPatch]DataStoreInstallPatch] Installed Version 10.9.28388
2/9/2023 7:04:03 PM: [redacted]: LCM:  [ End    Test     ]  [[ArcGIS_InstallPatch]DataStoreInstallPatch]  in 0.2930 seconds.
2/9/2023 7:04:04 PM: [redacted]: LCM:  [ End    Set      ]
2/9/2023 7:04:04 PM: Operation 'Invoke CimMethod' complete.
Trace-DSCJob : 2/9/2023 7:04:04 PM: Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: An unexpected error occurred on a receive."
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\4.0.2\ArcGIS.psm1:261 char:5
+     Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob

Trace-DSCJob : 2/9/2023 7:04:04 PM: Cannot bind argument to parameter 'InputObject' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\4.0.2\ArcGIS.psm1:261 char:5
+     Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob

Trace-DSCJob : 2/9/2023 7:04:04 PM: The PowerShell DSC resource '[ArcGIS_InstallPatch]DataStoreInstallPatch' with SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\ArcGIS\4.0.2\Configurations-OnPrem\ArcGISInstall.ps1::384::25::ArcGIS_InstallPatch' threw one or more non-terminating errors while running the
Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\4.0.2\ArcGIS.psm1:261 char:5
+     Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob

Trace-DSCJob : 2/9/2023 7:04:04 PM: The SendConfigurationApply function did not succeed.
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\4.0.2\ArcGIS.psm1:261 char:5
+     Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob

Important Factoids

Tracing the failure within the ArcGIS_InstallPatch resource shows the failure occurs on line #331. https://github.com/Esri/arcgis-powershell-dsc/blob/ebd5e9a6e896b3326e2d06be14255bc235036948/Modules/ArcGIS/DSCResources/ArcGIS_InstallPatch/ArcGIS_InstallPatch.psm1#L331

Adding [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls12' before the client creation solves the issue. This also needs to be done for the client on line #164. https://github.com/Esri/arcgis-powershell-dsc/blob/ebd5e9a6e896b3326e2d06be14255bc235036948/Modules/ArcGIS/DSCResources/ArcGIS_InstallPatch/ArcGIS_InstallPatch.psm1#L164

References

PleaseStopAsking avatar Feb 09 '23 19:02 PleaseStopAsking

On a side note, is the [ConfigData.Credentials.AGOCredential] parameter required if utilizing the automatic patch download? Or is that just for grabbing the setup.exe files?

FeralCatColonist avatar Feb 22 '23 19:02 FeralCatColonist

@FeralCatColonist It is not.

PleaseStopAsking avatar Feb 22 '23 19:02 PleaseStopAsking

Hi @PleaseStopAsking,

I have not been able to reproduce this issue. Do you know which setting in the OS causes this? Is it related to when .Net Framework v4 isn't set to use strong cryptography?

Thanks, Cameron K.

cameronkroeker avatar Feb 22 '23 20:02 cameronkroeker

@cameronkroeker We have not been able to isolate the exact underlying cause at this time unfortunately. We can reproduce this using the standard Windows Server 2016 AMI in AWS as well as the standard Windows Server 2016 image in Azure. No further changes are made to these boxes before attempting to configure ArcGIS Enterprise with patches.

PleaseStopAsking avatar Feb 22 '23 20:02 PleaseStopAsking

@cameronkroeker We are in the middle of a new test deployment today and can report back if the relevant registry key (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto) is set or not.

PleaseStopAsking avatar Feb 22 '23 21:02 PleaseStopAsking

@cameronkroeker We just confirmed across both AWS and Azure once more that using the vanilla Windows Server 2016 Datacenter images in each CSP respectively does not have that registry key set.

We are not able to move forward with starting a new ArcGIS Enterprise configuration at this time so we unfortunately cannot confirm if setting the key before starting Invoke-ArcGISConfiguration will solve the issue. We may be able to confirm this in a few weeks however.

PleaseStopAsking avatar Feb 22 '23 21:02 PleaseStopAsking

Thanks @PleaseStopAsking. I also observed the same issue on Windows Server 2016. I've confirmed that another workaround is to apply the following registry change:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Also note that without this registry change, installing modules from PSGallery (via the Install-Module command) will also fail.

Thanks, Cameron K.

cameronkroeker avatar Feb 23 '23 17:02 cameronkroeker
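
An added example, not code from this thread or from the ArcGIS module: a PowerShell check of the SchUseStrongCrypto values named in the registry workaround above, an idempotent way to set them, and an additive form of the per-process TLS 1.2 setting from the original report. The function names are hypothetical.

```powershell
# Added example; function names are hypothetical, not part of the ArcGIS module.
$NetFxKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit processes
)

function Get-StrongCryptoState {
    # Report SchUseStrongCrypto for both registry views; a missing value shows as $null.
    foreach ($key in $NetFxKeys) {
        $item = Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key     = $key
            Value   = $item.SchUseStrongCrypto
            Enabled = ($item.SchUseStrongCrypto -eq 1)
        }
    }
}

function Enable-StrongCrypto {
    # Idempotent equivalent of the .reg file above; supports -WhatIf.
    # Writing under HKLM requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $NetFxKeys) {
        if ($PSCmdlet.ShouldProcess($key, 'Set SchUseStrongCrypto = 1')) {
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Add-Tls12ToCurrentProcess {
    # Per-process alternative: add TLS 1.2 to the protocols already enabled
    # instead of replacing the whole set. Returns the resulting flags.
    $current = [System.Net.ServicePointManager]::SecurityProtocol
    [System.Net.ServicePointManager]::SecurityProtocol = $current -bor [System.Net.SecurityProtocolType]::Tls12
    [System.Net.ServicePointManager]::SecurityProtocol
}

# Read-only checks: registry state, then the protocols this session will offer.
Get-StrongCryptoState | Format-Table -AutoSize
"Current process: $([System.Net.ServicePointManager]::SecurityProtocol)"
# Enable-StrongCrypto -WhatIf   # preview; drop -WhatIf in an elevated session to apply
```

ServicePointManager.SecurityProtocol is a static, process-wide setting, so `Add-Tls12ToCurrentProcess` affects only the process that calls it, while the registry values apply machine-wide to .NET Framework 4.x processes started after the change.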

I ran into this issue as well on Windows Server 2022 Standard on a machine where I had previously installed successfully. The above registry changes worked for me.

FeralCatColonist avatar Mar 07 '23 20:03 FeralCatColonist