runtime: .NET Core 3.0 + OpenSSL 1.1: remote certificate is invalid according to the validation procedure
I’m trying the openssl1.1 support in .NET Core 3.0 and the sdk is unable to contact nuget.org:
Processing post-creation actions...
Running 'dotnet restore' on /root/console/console.csproj...
Restoring packages for /root/console/console.csproj...
/root/dotnet/sdk/3.0.100-alpha1-009456/NuGet.targets(114,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/root/console/console.csproj]
/root/dotnet/sdk/3.0.100-alpha1-009456/NuGet.targets(114,5): error : The SSL connection could not be established, see inner exception. [/root/console/console.csproj]
/root/dotnet/sdk/3.0.100-alpha1-009456/NuGet.targets(114,5): error : The remote certificate is invalid according to the validation procedure. [/root/console/console.csproj]
Restore failed.
Post action failed.
Description: Restore NuGet packages required by this project.
Steps to reproduce
Run a fedora:28 container:
$ docker run -ti fedora:28 /bin/bash
Inside the container, first install .NET Core:
dnf install libicu
curl -o dotnet.tar.gz https://dotnetcli.blob.core.windows.net/dotnet/Sdk/master/dotnet-sdk-latest-linux-x64.tar.gz
mkdir dotnet
cd dotnet
tar xvf ../dotnet.tar.gz
export PATH=`pwd`:$PATH
cd ..
Then try to create a project:
mkdir console
cd console
dotnet new console
The restore fails with the above error message.
Additional info
Using a pre-compiled application, inspecting the certificate chain shows this:
Chain Information
Chain revocation flag: ExcludeRoot
Chain revocation mode: Online
Chain verification flag: NoFlag
Chain verification time: 09/11/2018 15:52:44
Chain status length: 2
Chain application policy count: 1
Chain certificate policy count: 0
Chain Element Information
Number of chain elements: 3
Chain elements synchronized? False
Element issuer name: CN=Microsoft IT TLS CA 1, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Element certificate valid until: 02/23/2020 01:19:59
Element certificate is valid: False
Element error status length: 0
Element information:
Number of element extensions: 10
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 05/20/2024 12:51:28
Element certificate is valid: False
Element error status length: 0
Element information:
Number of element extensions: 8
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 05/12/2025 23:59:00
Element certificate is valid: False
Element error status length: 2
Element information:
Number of element extensions: 3
The ChainElementStatus[] for the last certificate contains: ExplicitDistrust and UntrustedRoot.
About this issue
- State: closed
- Created 6 years ago
- Comments: 29 (26 by maintainers)
Apologies in advance for possibly not helpful advice:
If you enable the debug repositories on SLES (via Yast, for example), you should be able to debuginfo-install openssl (or, better yet, debuginfo-install $name-and-version-of-openssl-package) to pull down the exact matching sources used to compile the binary. Hopefully that makes it easier to debug this than looking at the disassembly.

If anyone is facing this problem on Linux (with openssl 1.1), this fix (https://github.com/NuGet/Home/issues/8169#issuecomment-497591809) worked for me.

Ah. On Fedora 28, this worked fine for me with .NET Core 2.1 (OpenSSL 1.0) and I only had trouble when running .NET Core 3.0 (OpenSSL 1.1).

@bartonjs is the fix to change from PEM_read_bio_X509_AUX to PEM_read_bio_X509? I gave it a try and it is working fine: all tests passed and I can now access nuget.org.

Fedora packages are depending on compat-openssl10
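
A way to check a CA bundle against the PEM_read_bio_X509_AUX versus PEM_read_bio_X509 question above, as an added example that is not code from this issue or from .NET: the _AUX reader also loads the OpenSSL auxiliary trust/reject data that can follow a certificate inside a PEM block, while the plain reader keeps only the certificate, so this script lists the bundle entries where the two differ. The function names are this example's own, and the sample bundle is built from constructed placeholder bytes, not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S)
CERT_LABELS = ("CERTIFICATE", "TRUSTED CERTIFICATE")

def der_element_length(data):
    """Total size (header plus content) of the first DER element in data."""
    if len(data) < 2:
        raise ValueError("truncated DER")
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def audit_bundle(pem_text):
    """Return (block index, PEM label, cert bytes, trailing aux bytes) per cert."""
    findings = []
    for index, match in enumerate(PEM_BLOCK.finditer(pem_text)):
        if match.group("label") not in CERT_LABELS:
            continue
        der = base64.b64decode("".join(match.group("body").split()))
        cert_len = der_element_length(der)
        if cert_len > len(der):
            raise ValueError("block %d: certificate is truncated" % index)
        findings.append((index, match.group("label"), cert_len, len(der) - cert_len))
    return findings

def entries_with_aux(pem_text):
    """Entries whose aux data the _AUX reader loads and the plain reader drops."""
    return [f for f in audit_bundle(pem_text) if f[3] > 0]

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample: a 260-byte stand-in for a certificate (not a real one)
# and 14 stand-in bytes shaped like aux data rejecting the serverAuth purpose.
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(256)
FAKE_AUX = bytes.fromhex("300ca00a06082b06010505070301")
SAMPLE = _pem("CERTIFICATE", FAKE_CERT) + _pem("TRUSTED CERTIFICATE", FAKE_CERT + FAKE_AUX)
if __name__ == "__main__":
    print(entries_with_aux(SAMPLE))
```

To audit a real bundle, pass the text of the PEM file to `entries_with_aux`; an empty result means both readers see the same certificates with no extra trust settings.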