When attempting to install or update PowerShell Modules, NuGet or NuGet packages in PowerShell 5. You receive one or more of the following errors
WARNING: Unable to resolve package source 'https://www.powershellgallery.com/api/v2/'.
The underlying connection was closed: An unexpected error occurred on a receive.
WARNING: Unable to download the list of available providers. Check your internet connection.
Equally, you may receive the same error when attempting to run a WGET or an Invoke-WebRequest command e.g.
You are unable to install/update the software component or make an outbound internet connection.
This issue may be especially prevalent on IIS installations serving HTTPS websites.
Conventional troubleshooting is fairly well documented on-line
- Ensure that you are actually able to open a https webpage in a web browser
- Ensure that your DNS is working correctly.
- Check to see whether wget can connect to a non-https site e.g.
- Check to see whether or not you need to use a Proxy server. If so, you must configure PowerShell to use your Proxy Server before you proceed. This may require you to to configure PowerShell with your Proxy Server credentials.
$webclient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
A less obvious issue to explore related to the default operating system security configuration for using SSL.
By default, Windows Server and Windows client will allow SSL3, TLS 1.0, TLS 1.1 and TLS 1.2. The .net Framework is also configured to allow these protocols, and, by default, any outbound request for a SSL site will attempt to use SSL3/TLS 1.0 as its default protocol.
In secure environments, where system administrators have enabled recommended best practice on Windows systems to disable the use of SSL1, 2,3 and TLS 1.0. PowerShell is not currently clever enough to internally compare its configuration to that of the operating system. consequently, when attempting to make an outbound https request in such an environment. PowerShell will attempt to use one of the older protocols which has been disabled by the operating system’s networking stack. Instead of re-attempting the request using a higher protocol. PowerShell will fail the request with one of the error messages listed at the beginning of the article.
As NuGet and Update-Module both attempt to make connections to Microsoft servers using HTTPS, they too will fail.
Encountering this issue on a SSL enabled IIS install will be more common, as it is more likely that system administrators will have applied best practice and disabled legacy encryption protocols on these servers. their public facing, high visibility should demand such a response.
To fix the issue there are two options:
- Reconfigure and reboot the system to re-enable client use of TLS 1.0 (and possibly SSL3) via
DisabledByDefault = 0
Enabled = ffffffff (hex)
- Alternatively, you must set-up each PowerShell environment so that the script itself knows not to use the legacy protocol versions. This is achieved via the following code which restricted PowerShell to only using TLS 1.1 and TLS 1.2.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls11,Tls12'