Facing issue with Azure Arc installation on Linux Server
Hello Team,
We are facing issue with the installation of Azure Arc on Linux servers especially the Ubuntu Servers.
Please note we are using proxy for Azure Arc deployment and configuration.
Using the same we are able to do the deployment on REHL servers but we are facing issue with Ubuntu servers only.
Below is the error -
W: Failed to fetch https://packages.microsoft.com/ubuntu/24.04/prod/dists/noble/InRelease Could not handshake: Error decoding the received TLS packet.
-
Lakshma Reddy Vattijonnala 830 Reputation points β’ Microsoft External Staff β’ Moderator
Hi @Omkar Chalke Thank you for reaching out to Microsoft Q&A. We are looking into the issue and we will get back to you shortly with an update
-
Lakshma Reddy Vattijonnala 830 Reputation points β’ Microsoft External Staff β’ Moderator
Hi @Omkar Chalke I have shared the information about your issue. Let me know if it was helpful or please feel free to comment if you need further assistance.
Sign in to comment
2 answers
-
Lakshma Reddy Vattijonnala 830 Reputation points β’ Microsoft External Staff β’ Moderator
From your description, the Azure Arc installation works successfully on RHEL with the same proxy, but fails on Ubuntu 24.04 with the error: Could not handshake: Error decoding the received TLS packet
This difference between RHEL and Ubuntu is expected in some environments:
- Ubuntu uses APT (GnuTLS) for package management
- RHEL uses different libraries (OpenSSL-based tooling)
Because of this, Ubuntu can be more sensitive to:
- Proxy configuration issues
- TLS inspection behavior
- Certificate trust problems
This strongly indicates that the issue is related to how APT (which uses GnuTLS on Ubuntu) handles HTTPS traffic through your proxy, rather than a problem with Azure Arc itself.
In particular, environments that use TLS inspection, strict cipher requirements, or incomplete proxy configuration can lead to this type of handshake failure. Azure Arc and the Microsoft package repositories require secure HTTPS communication using valid TLS certificates.
This document helps Azure Arc-enabled services and features Azure Arc network requirements - Azure Arc | Microsoft Learn
Please try the following steps to resolve the issue:
- Configure APT to Use the Proxy Explicitly
APT does not always honor environment variables, so itβs important to configure the proxy directly.
- sudo nano /etc/apt/apt.conf.d/95proxy
Add:
- Acquire::http::proxy "http://your-proxy-server:port/";
- Acquire::https::proxy "http://your-proxy-server:port/";
Then run:
- sudo apt update
- ``
- Ensure CA Certificates Are Up-to-Date
TLS connections require a valid trust chain. Updating certificates ensures the system can trust the repository:
- sudo apt update
- sudo apt install --reinstall ca-certificates
- sudo dpkg-reconfigure ca-certificates
- Check TLS Inspection on the Proxy (Important)
If your proxy performs TLS inspection, it can interfere with certificate validation and cause handshake failures.
Where possible, configure the proxy to bypass TLS inspection for Microsoft endpoints such as.
-
packages.microsoft.com -
*.microsoft.com
TLS inspection issues can cause failures when the client does not trust the inspection certificate or when certificate validation is altered.
This document explains common troubleshooting scenarios when deploying a Transport Layer Security (TLS) inspection policy Troubleshoot Transport Layer Security inspection errors - Global Secure Access | Microsoft Learn
- Configure Proxy for the Azure Arc Agent (After Installation)
Once the packages install successfully, configure the Azure Arc agent to use the proxy:
- sudo /opt/azcmagent/bin/azcmagent_proxy add "http://your-proxy-server:port"
Additionally, ensure your environment allows outbound HTTPS (TCP 443) to the required Azure endpoints, as documented in Azure Arc network requirements.
After applying the above steps:
- APT should successfully connect to
packages.microsoft.com - The TLS handshake error should be resolved
- Azure Arc installation should proceed normally on Ubuntu
If the issue resolved please feel free to click the 'Upvote' button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
-
Marcin Policht 92,630 Reputation points β’ MVP β’ Volunteer Moderator
Follow https://learn.microsoft.com/en-us/azure/azure-arc/servers/quick-onboard-linux
- Configure the Microsoft package repository on your machine. For example, for Ubuntu 24.04, perform the following steps:
- Download
packages-microsoft-prod.deb. This is the Debian package that configures your system to use the Microsoft package repository. - Install the package:
sudo dpkg -i packages-microsoft-prod.deb
- Download
- Install the Connected Machine agent using your package manager:
sudo apt update && sudo apt install azcmagent - You need to know the subscription ID for your Arc server Azure resource. You can check this in Azure portal by searching for Subscriptions, looking for the Subscription name and noting the Subscription ID. You can also view your subscription IDs by running the following Azure CLI command and note the one you'll use for your Arc servers:
az account show --query "{subscriptionId: id}" --output tsv - Onboard your Linux machine to Azure by using the
azcmagentconnect command, using the subscription ID you noted in the previous step. You also need to specify the Azure region and resource group in which to create the Arc-enabled server resource. If you need to create a new resource group, run this Azure CLI command:az group create --name <rg-name> --location <Azure-region>.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
- Configure the Microsoft package repository on your machine. For example, for Ubuntu 24.04, perform the following steps: