Forum Discussion
Waiting for MCC container to become available
I'm experiencing this issue too. Unfortunately, we are also using transparent proxying. It's going to a load balancer and there are two real appliances behind that. The engineers who set them up are using independent certificates. At least, we'd need to offer the MCC deployment process two certificates. Is this possible?
Can we provide the Enterprise intermediates or Root CA instead?
I'm assuming this fatal error is clear confirmation that we are suffering from the decryption issue?
I've tried adding it to a bypass for decryption and authentication, as authentication is another frequent issue with transparent proxies. It didn't appear to improve things. So, I'm not sure if the implementation on the proxy is correct or something else is going on.
When I tried to re-run the MCC deploy script, it now complains that there isn't enough space because it's not smart enough to check for an unfinished deployment.
I tried feeding it a cert chain of our intermediates and root, but it didn't work. This would have been ideal. Usually works with things like Tomcat.
Trying the decryption bypass again using a different subnet notation within the Cisco SWA involved.
Failing that, I'm going to try a single file with both proxy certs in it. Failing that, I'll try just one and hope for the best.
I think the decryption bypass just worked. Unfortunately, the MCC deployment script crashed and burned thereafter...
[08/03/2025 18:41:40] Error validating WSL distribution for 'Ubuntu-24.04-Mcc' as 'domain\gMSA$': You cannot call a method on a null-valued expr
ession.
[08/03/2025 18:41:40] ErrorRecord: You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsApps\Microsoft.DeliveryOptimization_1.0.24.0_neutral__8wekyb3d8bbwe\deliveryoptimization-cli\deploymcconwsl.ps1:362
char:5
+ ... $checkResult = (Get-Content $resultFilePath -Raw -ErrorAc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : InvokeMethodOnNull
[08/03/2025 18:41:40] Task Name was: WSLDistroCheck_1986275692
[08/03/2025 18:41:40] Task State on error: Ready, Last Result:
[08/03/2025 18:41:41] Cleaning up temporary task directory: d:\mccwsl01\TempWslCheck_a5748d4d-40c6-4bde-b62a-8ea8fc9a0629
[08/03/2025 18:41:41] ==============================================================
[08/03/2025 18:41:41] TLS INFRASTRUCTURE SETUP RESULT DETAILS:
[08/03/2025 18:41:41] ==============================================================
[08/03/2025 18:41:41] WSLDistroFound: False
[08/03/2025 18:41:41] CertificatesDirectoryCreated: False
[08/03/2025 18:41:41] WSLSymlinkCreated: False
[08/03/2025 18:41:41] ConfigFileCreated: False
[08/03/2025 18:41:41] HasLocalAccountCredential: False
[08/03/2025 18:41:41] ErrorMessage: Error validating WSL distribution for 'Ubuntu-24.04-Mcc' as 'SFRS\gMSAMCC$': You cannot call a method on a nu
ll-valued expression.
[08/03/2025 18:41:41] ErrorDetails Count: 2
[08/03/2025 18:41:41] ErrorDetail[0]: ErrorRecord: You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsApps\Microsoft.DeliveryOptimization_1.0.24.0_neutral__8wekyb3d8bbwe\deliveryoptimization-cli\deploymcconwsl.ps1:362
char:5
+ ... $checkResult = (Get-Content $resultFilePath -Raw -ErrorAc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : InvokeMethodOnNull
[08/03/2025 18:41:41] ErrorDetail[1]: Task State on error: Ready, Last Result:
[08/03/2025 18:41:41] SUCCESS CALCULATION BREAKDOWN:
[08/03/2025 18:41:41]
[08/03/2025 18:41:41] Has Local Credentials = False
[08/03/2025 18:41:41] WSLDistroFound = False
[08/03/2025 18:41:41] CertificatesDirectoryCreated = False
[08/03/2025 18:41:41] WSLSymlinkCreated = False
[08/03/2025 18:41:41] ConfigFileCreated = False
[08/03/2025 18:41:41] FINAL SUCCESS RESULT: False
[08/03/2025 18:41:41] ==============================================================
[08/03/2025 18:41:41] TLS infrastructure setup failed: Error validating WSL distribution for 'Ubuntu-24.04-Mcc' as 'domain\gMSA$': You cannot ca
ll a method on a null-valued expression.
[08/03/2025 18:41:41] Detail: ErrorRecord: You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsApps\Microsoft.DeliveryOptimization_1.0.24.0_neutral__8wekyb3d8bbwe\deliveryoptimization-cli\deploymcconwsl.ps1:362
char:5
+ ... $checkResult = (Get-Content $resultFilePath -Raw -ErrorAc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : InvokeMethodOnNull
[08/03/2025 18:41:41] Detail: Task State on error: Ready, Last Result:
[08/03/2025 18:41:41] Unable to successfully validate that MCC was installed, retrying
[08/03/2025 18:41:41] Unable to successfully validate that MCC was installed, retrying (# of retries remaining: 5)
[08/03/2025 18:41:41] Unable to successfully validate that MCC was installed, retrying (# of retries remaining: 4)
[08/03/2025 18:41:41] Unable to successfully validate that MCC was installed, retrying (# of retries remaining: 3)
[08/03/2025 18:41:41] Unable to successfully validate that MCC was installed, retrying (# of retries remaining: 2)
[08/03/2025 18:41:41] Unable to successfully validate that MCC was installed, retrying (# of retries remaining: 1)
[08/03/2025 18:41:41] Setting LastCompletedInstallStep
[08/03/2025 18:41:41] Setting InvocationExitCode
[08/03/2025 18:41:41] Unregistered base Ubuntu image version: Ubuntu-24.04-Mcc after successful install of MCC
[08/03/2025 18:41:41] Setting InvocationEndTime
[08/03/2025 18:41:41] Setting InvocationState
[08/03/2025 18:41:41] Installer return code 500
I did notice that after see the VHDX, querying wsl for its list of distributions returned null. What's happening now??? Should I deploy Ubuntu distro myself??? The instructions said to use the "no distro" option.Two months later… I finally have my first functional MCC. Granted I have probably only spent 7 days of those two months on this. Seven ~12hr days.
The biggest problem was our transparent decrypting proxy. It took some time for me to finally figure out that it had a misconfiguration of sorts that was causing requests to all sites identified by Cisco’s feed as Office 365, to be identified as that and nothing else. So, dedicated identity profiles were ignored because that first match had already occurred. So, the dedicated decryption policy was never getting a chance.
Because of the transparent proxy/WCCP, we have our Enterprise PKI generate its decryption certificates. There are multiple individual appliances. So, to trust them, you just have to trust our chain.
Before I fixed the proxy policy - i figured out how to manually ingest the chain into WSL. That got me past the “waiting for container” stage. It then stalls on the Docker image downloads. This was because “Azure IoT Edge” doesn’t use the Ubuntu default system trust store. Although even after figuring out how to feed it our chain, it still wasn’t working. Unfortunately I simultaneously reconfigured the policies so that decryption was removed properly. So, when it finally kicked-in and downloaded the Docker images, I wasn’t sure of the true winning change. To get here I had attempted to reverse engineer what was happening so that I could find the root cause or point of failure. It was awful. Going through scripts, almost line-by-line. It was painstaking and painful. Maybe 40hrs. Didn’t even feel I achieved much because I simply sought ways to continue the deployment without losing the progress made so far. The deploy script was terrible at backing out. I always had to manually unregistered the distro because it left it behind and refused to use it.
This just got me the first milestone. HTTP/80 caching. The next milestone was also tough but limited to just stealing 10hrs from my life. HTTPS… I combined it with the development of a wrapper script because we need operations colleagues to be able to recreate these when requested. The instructions do not state what EKU’s should be used, etc. So, I guess assume the obvious, I.e. Server Auth. They should state this though. If you’re using ADCS, you need a template that accepts the supplied subject, unless you make the request as the machine. AD won’t let, even domain admins, get a certificate in the DNS name of a machine under the “build Subject from AD” default.
Next the import script failed with absolutely no explanation. I was left questioning if I had done something wrong. A horrible feeling. There is some weird stuff going on with the certificate folder structures. Certs inside certs inside Certificates??? So back to “decompiling” scripts. After some time doing that and not making progress, I decided to just run the importcert.sh manually and it just worked right away. So, I don’t know what was going wrong yet. I had so little energy left for this. So, I don’t know if I’ll ever go back to try to understand where it was getting blocked.
finally, don’t forget to run the commands for port forwarding and firewall port opening. Then that was it. HTTPS caching at last.
next challenge is doing this again to see how easy I can make it for less skilled colleagues to carry out. I think we need quite a few of these with various edge bandwidth issues.