Bug 21298 - HTTPS fails confusingly without manual certs installation
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: System
Version: master
Hardware: PC Linux
: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
Reported: 2014-07-14 03:50 UTC by ilya.cherkasov
Modified: 2017-04-04 13:16 UTC

Description ilya.cherkasov 2014-07-14 03:50:56 UTC
When I try to compile MonoDevelop with the default profile, it fails with the following error:

/home/bkmz/my/monodevelop/main/Main.sln (default targets) ->
(Build target) ->
/home/bkmz/my/monodevelop/main/src/addins/AspNet/MonoDevelop.AspNet.csproj (default targets) ->
(BeforeBuild target) ->

        /home/bkmz/my/monodevelop/main/src/addins/AspNet/MonoDevelop.AspNet.csproj: error : Command 'mono ../../../external/nuget-binary/NuGet.exe restore -SolutionDirectory ../../..' exited with code: 1.

         691 Warning(s)
         1 Error(s)

Running the specified command prints this:

bkmz@bkmz-R440:~/my/monodevelop/main/src/addins/AspNet[master]$ mono ../../../external/nuget-binary/NuGet.exe restore -SolutionDirectory ../../..
WARNING: Error: SendFailure (Error writing headers)
WARNING: Error: SendFailure (Error writing headers)
WARNING: Error: SendFailure (Error writing headers)
Unable to find version '4.0.30506' of package 'Microsoft.AspNet.Mvc'.
Unable to find version '2.0.30506' of package 'Microsoft.AspNet.WebPages'.
Unable to find version '2.0.30506' of package 'Microsoft.AspNet.Razor'.
bkmz@bkmz-R440:~/my/monodevelop/main/src/addins/AspNet[master]$ 

So, I assume the trouble is in the proxy server.

Placing NuGet.exe.config in externals/nuget-binary and running the same command produces this error:

An exception was thrown by the type initializer for System.Net.ServicePointManager or
An exception was thrown by the type initializer for NuGet.ProxyCache

Depends on something.

Nuget.exe.config is like 

<configuration>
    <config>
        <add key="http_proxy" value="http://proxy.blabla.com:9876" />
    </config>
</configuration>

Please fix that issue if possible :-D
Comment 1 ilya.cherkasov 2014-07-14 03:51:50 UTC
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04 LTS
Release:        14.04
Codename:       trusty
Comment 2 Mikayla Hutchinson [MSFT] 2014-07-14 11:46:08 UTC
This isn't an issue in MD, it's an issue in Mono or NuGet.

Try running this command in the "csharp" shell:

new System.Net.WebClient().DownloadFile ("http://packages.nuget.org/api/v1/package/Microsoft.AspNet.Mvc/4.0.30506", "Microsoft.AspNet.Mvc.4.0.30506.nupkg");

And see if you get any error.
Comment 3 ilya.cherkasov 2014-07-15 06:34:21 UTC
That worked out well:

bkmz@bkmz-R440:~/my/test_nuget_get/test_nuget_get/bin/Debug$ ls
test_nuget_get.exe  test_nuget_get.exe.mdb
bkmz@bkmz-R440:~/my/test_nuget_get/test_nuget_get/bin/Debug$ ./test_nuget_get.exe 
done
bkmz@bkmz-R440:~/my/test_nuget_get/test_nuget_get/bin/Debug$ ls
Microsoft.AspNet.Mvc.4.0.30506.nupkg  test_nuget_get.exe  test_nuget_get.exe.mdb
bkmz@bkmz-R440:~/my/test_nuget_get/test_nuget_get/bin/Debug$ 

given code:

using System;

namespace test_nuget_get
{
	class MainClass
	{
		public static void Main (string[] args)
		{
			new System.Net.WebClient ().DownloadFile
			("http://packages.nuget.org/api/v1/package/Microsoft.AspNet.Mvc/4.0.30506",
				"Microsoft.AspNet.Mvc.4.0.30506.nupkg");

			Console.WriteLine ("done");
		}
	}
}

nuget issue, then?
Comment 5 Mikayla Hutchinson [MSFT] 2014-07-15 13:29:29 UTC
Sorry, meant https, not http:

csharp -e 'new System.Net.WebClient ().DownloadFile("https://packages.nuget.org/api/v1/package/Microsoft.AspNet.Mvc/4.0.30506", "Microsoft.AspNet.Mvc.4.0.30506.nupkg");'
Comment 6 ilya.cherkasov 2014-07-16 02:59:48 UTC
Hmm, okay:

bkmz@bkmz-R440:/tmp$ csharp -e 'new System.Net.WebClient
> ().DownloadFile("https://packages.nuget.org/api/v1/package/Microsoft.AspNet.Mvc/4.0.30506",
> "Microsoft.AspNet.Mvc.4.0.30506.nupkg");'
System.Net.WebException: Error: SendFailure (Error writing headers) ---> System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.RemoteValidation (Mono.Security.Protocol.Tls.ClientContext context, AlertDescription description) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] in <filename unknown>:0 
  at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0 
  at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <filename unknown>:0 
  at System.Net.WebClient.DownloadFileCore (System.Uri address, System.String fileName, System.Object userToken) [0x00000] in <filename unknown>:0 
  at System.Net.WebClient.DownloadFile (System.Uri address, System.String fileName) [0x00000] in <filename unknown>:0
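
Added example (not part of the original thread and not Mono code): a script that pulls the "Error code:" value out of a Mono TLS exception such as the one in Comment 6 and names the certificate failure behind it, which separates a trust-store problem from a proxy problem. The function names are hypothetical; the mapping uses the standard Windows CERT_E_* HRESULT values.

```shell
#!/bin/sh
# Added example: classify the "Error code: 0x..." value in a Mono TLS exception.
# Mono prints the HRESULT sign-extended to 64 bits (0xffffffff800b010a);
# only the low 32 bits identify the failure.

# Print the low 32 bits (8 hex digits, lowercase) of the first error code on stdin.
extract_hresult() {
    sed -n 's/.*Error code: 0x\([0-9A-Fa-f]*\).*/\1/p' | head -n 1 |
        tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/'
}

# Map a CERT_E_* HRESULT to its name and what it says about the chain.
classify_hresult() {
    case "$1" in
        800b010a) echo "CERT_E_CHAINING: no chain could be built to a trusted root; check that the Mono trust store is populated" ;;
        800b0109) echo "CERT_E_UNTRUSTEDROOT: chain ends in a root that is not in the trust store" ;;
        800b0101) echo "CERT_E_EXPIRED: certificate is outside its validity period; check the system clock" ;;
        800b010f) echo "CERT_E_CN_NO_MATCH: certificate name does not match the requested host" ;;
        "")       echo "no certificate error code in input" ;;
        *)        echo "unrecognised code 0x$1" ;;
    esac
}

# Read exception text on stdin and print the classification.
triage() { classify_hresult "$(extract_hresult)"; }

# Exception line taken from Comment 6 on this page.
SAMPLE='Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a'
printf '%s\n' "$SAMPLE" | triage
```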
Comment 7 Mikayla Hutchinson [MSFT] 2014-07-16 11:17:46 UTC
Yeah, as I suspected your issue is that https doesn't work. You probably need to import the root certs.

This is a known Mono behaviour on Linux - http://mono-project.com/FAQ:_Security#Secure_Socket_Layer_.28SSL.29_.2F_Transport_Layer_Security_.28TLS.29

IMO Mono should attempt to use the default stores of the common distros (maybe configurable via machine.config?) and only use mozroots as a fallback. I'm not sure if there is already a bug for this so I'll move this one over.
Comment 8 ilya.cherkasov 2014-07-17 06:53:51 UTC
well, certmgr.exe did NOT help

but mozroots --ask-add (or --import and `yes` to everything) helped:

bkmz@bkmz-R440:~/my/monodevelop/main/src/addins/AspNet[master]$ mono ../../../external/nuget-binary/NuGet.exe restore -SolutionDirectory ../../..                                                            
Installing 'Microsoft.AspNet.Mvc 4.0.30506.0'.
Installing 'Microsoft.AspNet.WebPages 2.0.30506.0'.
Installing 'Microsoft.AspNet.Razor 2.0.30506.0'.
Successfully installed 'Microsoft.AspNet.Mvc 4.0.30506.0'.
Successfully installed 'Microsoft.AspNet.Razor 2.0.30506.0'.
Successfully installed 'Microsoft.AspNet.WebPages 2.0.30506.0'.

Thanks for the help!

I don't know what to do with the bug - please decide by yourself, should it be closed or left as new.
Comment 9 ilya.cherkasov 2014-07-18 02:24:25 UTC
mozroots --import --sync is the command
Comment 10 Matthias Mailänder 2015-01-25 11:38:55 UTC
You need to run

mozroots --import --machine --sync
certmgr -ssl -m https://go.microsoft.com
certmgr -ssl -m https://nugetgallery.blob.core.windows.net
certmgr -ssl -m https://nuget.org

to get it to work so I just automatized it in the %post section at

https://build.opensuse.org/package/view_file/Mono:Factory/nuget/nuget.spec?expand=1

However with Mono 3.12.0 you managed to break this again. I believe it has something to do with http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync which was added to resolve this problem.

The update to 3.12 https://build.opensuse.org/request/show/282640 breaks nuget entirely. Not even mozroots or certmgr will be able to resolve the SSL problem. The cryptic error message is back WARNUNG: Error: SendFailure (Error writing headers) and I can't download any nuget packages forcing me to downgrade to Mono 3.10 to get productive again.
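
Added example, not from the thread or the Mono project: the policy suggested in Comment 7, applied from the administrator's side. It picks cert-sync with the distribution's CA bundle when both are present and falls back to the mozroots command from Comment 10 otherwise. The machine store path, the bundle paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example: decide how to populate Mono's machine trust store, preferring
# the distro CA bundle (via cert-sync) over a mozroots download.
# Store and bundle paths below are assumptions about common layouts.

# Print the first non-empty CA bundle found under root "$1" (default: /).
find_ca_bundle() {
    for p in etc/ssl/certs/ca-certificates.crt \
             etc/pki/tls/certs/ca-bundle.crt \
             etc/ssl/ca-bundle.pem; do
        if [ -s "${1%/}/$p" ]; then
            printf '%s\n' "${1%/}/$p"
            return 0
        fi
    done
    return 1
}

# Count files in a Mono trust directory; a missing directory counts as 0.
store_count() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f | wc -l | tr -d ' '
}

# Print the command to run as root; "$1" = trust store dir, "$2" = filesystem root.
plan_trust_sync() {
    if [ "$(store_count "$1")" -gt 0 ]; then
        echo "store already populated"
    elif bundle=$(find_ca_bundle "$2") && command -v cert-sync >/dev/null 2>&1; then
        echo "cert-sync $bundle"
    else
        echo "mozroots --import --machine --sync"
    fi
}

# Assumed machine store location for the Mono versions discussed in this bug.
plan_trust_sync /usr/share/.mono/certs/Trust /
```

An empty or missing store together with the 0x800b010a error from Comment 6 points at missing roots rather than at the proxy.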
Comment 11 Sorin Sbarnea 2015-07-24 05:48:50 UTC
I faced this bug with latest mono (4.0.2) and that was my first mono experience, clearly not the best and the fact that this was not solved for years makes me think that mono is clearly not a good bet. 

Let me rephrase it: default installations of mono cannot communicate with HTTP, which means that the included nuget is also useless.

$ which -a nuget
/cygdrive/c/ProgramData/chocolatey/bin/nuget
/cygdrive/c/Program Files (x86)/Mono/bin/nuget

Administrator@tocco ~
$ /cygdrive/c/ProgramData/chocolatey/bin/nuget install xxx
Unable to find package 'xxx'.

Administrator@tocco ~
$ "/cygdrive/c/Program Files (x86)/Mono/bin/nuget" install xxx
WARNING: Error: SendFailure (Error writing headers)
WARNING: An error occurred while loading packages from 'https://www.nuget.org/api/v2/': Error: SendFailure (Error writing headers)
Unable to find package 'xxx'.

Also the problem is even worse because even if I put mono at the end of the path, it will execute the mono version of nuget instead of the other one, probably because of the nuget shell script with no extension, I guess. Anyway, the workaround is clear: getting rid of mono.

PS. I do not want to have to tune the certificates myself to make it work.
