Could not create SSL/TLS secure channel - Queues, Transactions, Assets
During an automation, when the Robot requests an asset or a queue item, or performs any other operation that depends on Orchestrator, the following error is thrown:
Could not create SSL/TLS secure channel.
Communication between Orchestrator and the Robot is done over HTTPS. This requires that the Robot machine can establish a secure connection to Orchestrator using Transport Layer Security (TLS). An HTTPS message is an ordinary HTTP message carried inside an SSL/TLS connection, so when the TLS handshake fails no HTTP request reaches Orchestrator at all; that is what this error reports.
There can be multiple root causes, but it always comes down to a security misconfiguration on the Robot machine, on the Orchestrator server, or on a load balancer between them. UiPath does not pin a specific SSL/TLS protocol version or cipher suite; the Robot relies on the operating system's settings (Schannel on Windows). This means the issue is usually in system-wide configuration rather than in the UiPath software itself.
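The following script is an added example, not part of the original UiPath article. It repeats, from the Robot machine, the TLS handshake the Robot performs against Orchestrator: first with the system default protocol set (SslProtocols.None, which hands the choice to Schannel the same way the Robot does) and then with each TLS version forced, so you can see either what is negotiated or the exact Schannel error that comes back. The hostname is a placeholder; substitute the host part of your Orchestrator URL. It needs .NET Framework 4.7 or later (Windows PowerShell 5.1) or PowerShell 7.

```powershell
# Added example, not from the original article. Placeholder host below is an assumption.
param(
    [string]$OrchestratorHost = "orchestrator.example.com",
    [int]$Port = 443
)

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$TargetPort = 443,
        # None = let the OS/.NET defaults decide, i.e. the same path the Robot takes.
        [System.Security.Authentication.SslProtocols]$Protocol = 'None'
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    $result = [ordered]@{
        Requested   = $Protocol
        Succeeded   = $false
        Negotiated  = $null
        Cipher      = $null
        Strength    = $null
        Hash        = $null
        KeyExchange = $null
        ServerCert  = $null
        Error       = $null
    }
    try {
        $tcp.Connect($TargetHost, $TargetPort)
        # Default certificate validation is kept on purpose: a server certificate the
        # Robot machine does not trust produces the same error in the Robot.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Overload: (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        $result.Succeeded   = $true
        $result.Negotiated  = $ssl.SslProtocol
        $result.Cipher      = $ssl.CipherAlgorithm
        $result.Strength    = $ssl.CipherStrength
        $result.Hash        = $ssl.HashAlgorithm
        $result.KeyExchange = $ssl.KeyExchangeAlgorithm
        $result.ServerCert  = $ssl.RemoteCertificate.Subject
    } catch {
        # The outer exception is a generic wrapper; the innermost one carries the
        # Schannel (SSPI/Win32) message that says what actually failed.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        $result.Error = $e.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
    [pscustomobject]$result
}

# System default first, then each version on its own. Failure with 'None' but success
# with 'Tls12' points at a client-side protocol setting; failure across the board points
# at the server, the load balancer or the certificate chain.
$results = foreach ($p in 'None', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -TargetHost $OrchestratorHost -TargetPort $Port -Protocol $p
}
$results | Format-Table Requested, Succeeded, Negotiated, Cipher, Strength, KeyExchange, Error -AutoSize -Wrap
```

Run it from the Robot machine as the same Windows user the Robot runs under, since per-user proxy and certificate store settings can differ from the administrator's. Tls13 is left out because the .NET Framework 4.7 enum does not define it.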
Diagnosing the Issue
1. Check the Event Viewer System log for error messages. See the section “Get System Event Viewer Log”; the Schannel events there usually indicate what the error is.
2. Make sure that both the Orchestrator server and the Robot machine are up to date with security patches. To check which security updates a machine has, run the following:
a. Open a command prompt as an administrator
b. Run the following command: wmic qfe list brief /format:htable > "%USERPROFILE%\hotfix.html"
c. Open a File Explorer window and navigate to %USERPROFILE%. This is where the previous command wrote the file.
d. Open the file hotfix.html
e. Note the most recent KB installed and compare it with Microsoft's update history for your Windows version.
f. Perform this check on both the Robot machine and the Orchestrator server.
3. If you are not on the latest security patch, update both the Orchestrator server and the Robot machines.
4. If you are using a load balancer in front of Orchestrator, make sure it is up to date as well.
5. If the issue is still not resolved, go to the section “Comparing Cipher Suites”.
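As an added example (not from the original article), the script below builds the same patch inventory that the wmic qfe step produces, using Get-HotFix instead (WMIC is deprecated and missing from newer Windows releases), records the OS build and UBR that every cumulative update bumps, and compares the inventories exported from the Robot machine and the Orchestrator server so that KBs present on only one side stand out. The file locations and machine names are assumptions.

```powershell
# Added example, not from the original article. Paths and computer names are assumptions.

function Get-PatchInventory {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os.Caption
        # CurrentBuild.UBR changes with every cumulative update: two machines on the
        # same Windows version should show the same value if they are equally patched.
        Build        = "$($ver.CurrentBuild).$($ver.UBR)"
        LastBoot     = $os.LastBootUpTime
        Hotfixes     = Get-HotFix |
                           Sort-Object InstalledOn -Descending |
                           Select-Object HotFixID, Description, InstalledOn
    }
}

function Export-PatchInventory {
    param([string]$Directory = $env:USERPROFILE)   # assumption: where the report is written
    $inv  = Get-PatchInventory
    $base = Join-Path $Directory "patches-$($inv.ComputerName)"
    # The same HTML report the wmic step produced, plus a CSV for Compare-PatchInventory.
    $inv.Hotfixes |
        ConvertTo-Html -Title "Hotfixes on $($inv.ComputerName) (build $($inv.Build))" |
        Out-File "$base.html"
    $inv.Hotfixes | Export-Csv "$base.csv" -NoTypeInformation
    $newest = $inv.Hotfixes[0]
    "$($inv.ComputerName): $($inv.OS) build $($inv.Build); newest KB $($newest.HotFixID) installed $($newest.InstalledOn)"
}

function Compare-PatchInventory {
    # Copy the CSV from each machine to one place, then list KBs present on only one side.
    param(
        [Parameter(Mandatory)][string]$RobotCsv,
        [Parameter(Mandatory)][string]$OrchestratorCsv
    )
    $robot = Import-Csv $RobotCsv
    $orch  = Import-Csv $OrchestratorCsv
    Compare-Object -ReferenceObject $robot -DifferenceObject $orch -Property HotFixID -PassThru |
        Select-Object HotFixID, Description, InstalledOn,
            @{ n = 'OnlyOn'; e = { if ($_.SideIndicator -eq '<=') { 'Robot' } else { 'Orchestrator' } } }
}

# Run on each machine:
Export-PatchInventory
# Then, with both CSVs copied next to each other (names are assumptions):
# Compare-PatchInventory -RobotCsv "$env:USERPROFILE\patches-ROBOT01.csv" `
#                        -OrchestratorCsv "$env:USERPROFILE\patches-ORCH01.csv"
```

Compare the Build value first: on current Windows releases a single cumulative update carries the Schannel fixes, so two machines on the same Windows version with different UBR values are already an answer, even when the KB lists look similar.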
Get System Event Viewer Log
1. Open Run (Win+R) and type “eventvwr”.
2. In the Event Viewer Application, go to the “Windows Logs”.
3. Select “System”
4. In the Actions menu select “Filter Current Log…”.
5. In the filter dialog, under Event sources select Schannel and click OK.
6. After filtering, select “Save Filtered Log File As…” from the Actions menu.
7. Save the file for future reference
8. Check whether the error is a known issue (searching for the exact error text online usually helps determine this).
9. Check whether the Event Viewer contains the following message:
An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20." (In TLS terms, alert code 20 is bad_record_mac: the remote end could not verify a record it received, which is why a mismatch in TLS implementations between the two ends produces it.)
10. If the above error message occurred, please reference this Microsoft support issue: https://support.microsoft.com/en-in/help/4528489/transport-layer-security-tls-connections-might-fail-or-timeout-when-co
a. This error means that the Orchestrator server, a load balancer, or a Robot machine needs to be updated.
11. If needed, open a ticket with UiPath. Note that in most cases the solution is updating, so try that first.
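The Event Viewer filter from this section as a query, added here as an example that is not part of the original article: it pulls the Schannel events from the System log of the Robot machine or the Orchestrator server, decodes the alert code in events 36887 and 36888 into its RFC 5246 name, saves the result as the "Save Filtered Log File As…" step does, and counts the specific 36887/alert 20 case. The time window and output path are assumptions.

```powershell
# Added example, not from the original article. Time window and output path are assumptions.

# TLS alert descriptions, RFC 5246 section 7.2.2.
$TlsAlertNames = @{
    0 = 'close_notify'; 10 = 'unexpected_message'; 20 = 'bad_record_mac'
    21 = 'decryption_failed'; 22 = 'record_overflow'; 30 = 'decompression_failure'
    40 = 'handshake_failure'; 42 = 'bad_certificate'; 43 = 'unsupported_certificate'
    44 = 'certificate_revoked'; 45 = 'certificate_expired'; 46 = 'certificate_unknown'
    47 = 'illegal_parameter'; 48 = 'unknown_ca'; 49 = 'access_denied'; 50 = 'decode_error'
    51 = 'decrypt_error'; 70 = 'protocol_version'; 71 = 'insufficient_security'
    80 = 'internal_error'; 90 = 'user_canceled'; 100 = 'no_renegotiation'
    110 = 'unsupported_extension'
}

function Get-SchannelAlerts {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # assumption: look back one week
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Same as Event Viewer > Windows Logs > System > Filter Current Log > Event sources: Schannel.
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_
            # 36887 = fatal alert received from the peer, 36888 = fatal alert this machine sent.
            # Both messages end with "... fatal alert code is <n>."
            $code = $null
            if (($ev.Id -in 36887, 36888) -and ($ev.Message -match 'alert code is (\d+)')) {
                $code = [int]$Matches[1]
            }
            $direction = ''
            if ($ev.Id -eq 36887) { $direction = 'received' }
            if ($ev.Id -eq 36888) { $direction = 'sent' }
            [pscustomobject]@{
                TimeCreated = $ev.TimeCreated
                Computer    = $ev.MachineName
                Id          = $ev.Id
                Direction   = $direction
                AlertCode   = $code
                AlertName   = if ($null -ne $code) { $TlsAlertNames[$code] } else { $null }
                Message     = ($ev.Message -split "`r?`n")[0]
            }
        }
}

$alerts = Get-SchannelAlerts
$alerts | Format-Table TimeCreated, Id, Direction, AlertCode, AlertName, Message -AutoSize -Wrap

# Equivalent of "Save Filtered Log File As...": keep this with the ticket.
$alerts | Export-Csv "$env:USERPROFILE\schannel-$env:COMPUTERNAME.csv" -NoTypeInformation

# The case this section singles out: alert 20 (bad_record_mac) received from the remote end.
$alerts | Where-Object { $_.Id -eq 36887 -and $_.AlertCode -eq 20 } |
    Group-Object Computer | Select-Object Name, Count
```

Read the Direction column together with the machine you ran it on: a 36887 on the Robot machine means Orchestrator (or the load balancer) rejected the handshake, while a 36888 on the Robot machine means the Robot side rejected it, which narrows down which component to update or reconfigure.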
Comparing Cipher Suites
NOTE: At this point, involve your security team. If you have reached this step, your organization is probably using a custom TLS configuration and one of the components in the deployment (Orchestrator, the load balancer or the Robot machine) is misconfigured.
1. To view the cipher suites being used in an F5 load balancer please see this BIG-IP support article: https://support.f5.com/csp/article/K54125331
a. Unless your organization uses a customized configuration, the cipher suites should match the BIG-IP defaults described there.
2. For other load balancers, refer to the vendor's documentation.
3. To view the cipher suites on a windows machine, do the following:
a. Open a powershell window
b. Run the following command: Get-TlsCipherSuite
c. This lists the cipher suites Schannel will offer, in order of preference.
d. Compare this list to Microsoft's list of Schannel cipher suites: https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
4. If the cipher suite order or contents do not match the defaults specified by Microsoft or by the load balancer vendor, contact your security administrator. Most likely the cipher suites are out of date, or your organization uses a custom configuration that has not been deployed consistently to every component. They will need to update or fix whatever is misconfigured.
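To make the comparison in this section repeatable, here is an added example (not from the original article) that captures Get-TlsCipherSuite output, in its preference order, together with the explicit Schannel protocol overrides in the registry, and compares two such captures so that a suite missing on one side, a different ordering, or a TLS version disabled on only one machine is reported. File names are assumptions; the load balancer's list uses the vendor's own cipher names and has to be translated to IANA names before it can be fed to the same comparison.

```powershell
# Added example, not from the original article. File names and prefixes are assumptions.

function Get-SchannelProtocolSettings {
    # Explicit Enabled / DisabledByDefault overrides under the Schannel Protocols key.
    # A missing value means the OS default for that version applies.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $root "$proto\$side"
            $p = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

function Export-TlsConfig {
    param([string]$Directory = $env:USERPROFILE)   # assumption: where the capture is written
    $base = Join-Path $Directory "tls-$env:COMPUTERNAME"
    # Get-TlsCipherSuite returns suites in negotiation preference order; the file keeps that order.
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name | Set-Content "$base-ciphers.txt"
    Get-SchannelProtocolSettings | Export-Csv "$base-protocols.csv" -NoTypeInformation
    "$base-ciphers.txt", "$base-protocols.csv"
}

function Compare-TlsConfig {
    param(
        [Parameter(Mandatory)][string]$RobotPrefix,         # e.g. C:\tmp\tls-ROBOT01 (assumption)
        [Parameter(Mandatory)][string]$OrchestratorPrefix   # e.g. C:\tmp\tls-ORCH01  (assumption)
    )
    $robotCiphers = Get-Content "$RobotPrefix-ciphers.txt"
    $orchCiphers  = Get-Content "$OrchestratorPrefix-ciphers.txt"

    # Suites both ends support, in the Robot's preference order. An empty result here is
    # the "no common algorithm" failure.
    $common = $robotCiphers | Where-Object { $_ -in $orchCiphers }
    "Common cipher suites: $($common.Count) of $($robotCiphers.Count) (Robot) / $($orchCiphers.Count) (Orchestrator)"

    # -SyncWindow 0 compares position by position, so a re-ordered list is reported as well.
    "Cipher suite differences (<= Robot side, => Orchestrator side):"
    Compare-Object $robotCiphers $orchCiphers -SyncWindow 0 | Format-Table InputObject, SideIndicator -AutoSize

    "Protocol override differences:"
    $rp = Import-Csv "$RobotPrefix-protocols.csv"
    $op = Import-Csv "$OrchestratorPrefix-protocols.csv"
    Compare-Object $rp $op -Property Protocol, Side, Enabled, DisabledByDefault | Format-Table -AutoSize
}

# Run on each machine, then copy the files together and compare:
Export-TlsConfig
# Compare-TlsConfig -RobotPrefix "$env:USERPROFILE\tls-ROBOT01" -OrchestratorPrefix "$env:USERPROFILE\tls-ORCH01"
```

Hand the two captures and the comparison output to the security administrator together with the Schannel events: a protocol that is Enabled = 0 on the Robot's Client side but the only one the Orchestrator Server side still accepts, or an empty common cipher suite list, is exactly the inconsistently deployed custom configuration the step above describes.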