Azure DevOps Powershell script Could not create SSL/TLS secure channel

There are few workarounds which are working.

  1. Workaround 1

    1. Use Azure Powershell Task Version 5
    2. Select "Azure Resource Manager Connection"
    3. Change ASM Module commands to Az commands
  2. Workaround 2

    1. Use Azure Powershell Task Version 3
    2. Classic Connection
    3. Downgrade Azure Powershell Version to 4.2.1
  3. Workaround 3 (for private agents)

    1. Create a self-signed cert in your CurrentUser\My store. you can find details on creating a self-signed cert here: https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create
    2. Export the public key for the cert as a DER-encoded CER file (you can use mmc or any other cert tool for this)
    3. Upload the .Cer file as a management certificate through the portal: https://learn.microsoft.com/en-us/previous-versions/azure/azure-api-management-certs
    4. Authenticate using Set-AzureSubscription:
     PS C:\> Clear-AzureProfile
     PS C:\> $cert = Get-Item Cert:\CurrentUser\My\
     PS C:\ > Set-AzureSubscription -SubscriptionName "" -SubscriptionId  -Certificate $cert
     PS C:\> Select-AzureSubscription -SubscriptionId 
     
  4. Workaround 4

    1. Add below script to each Azure Powershell task

        $p = (Get-Variable Endpoint -ValueOnly).Auth.Parameters.certificate
        $bytes = [convert]::FromBase64String($p)
        [IO.File]::WriteAllBytes("C:\cert.pfx",$bytes)
        Import-PfxCertificate -FilePath C:\cert.pfx -CertStoreLocation cert:\CurrentUser\My
        .
        .
        actual script
        .
        .
        #remove certificate from store
        $thumb = (Get-PfxData -FilePath "C:\cert.pfx").EndEntityCertificates.Thumbprint
        Remove-Item -Path cert:\CurrentUser\My\$thumb -recurse -Force
      

We had the same issue. It only manifested on windows-2019 agents, not vs2017-win2016. So you could fix it by changing the agent type, but a better fix is to use a specific Powershell version of 5.1.1 instead of latest. It seems that latest recently increased to 5.3.0 which causes this error.


This appears to be an issue with the Microsoft build agents, but adding the following code to the beginning of each Azure Powershell task seems to have resolved this for us until they can figure that out.

$pcert = (Get-Variable Endpoint -ValueOnly).Auth.Parameters.certificate
$bytes = [convert]::FromBase64String($pcert) 
[IO.File]::WriteAllBytes("C:\cert.pfx",$bytes) 
$null = Import-PfxCertificate -FilePath C:\cert.pfx -CertStoreLocation cert:\CurrentUser\My