"dotnet恢复"失败并显示"SSL对等证书或SSH远程密钥不正确" [英] "dotnet restore" fails with "SSL peer certificate or SSH remote key was not OK"

问题描述

我刚刚按照以下步骤操作: https://www.microsoft.com/net/core#ubuntu

这就是dotnet restore

的输出

log  : Restoring packages for /home/test/project.json...
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error:   An error occurred while sending the request.
error:   SSL peer certificate or SSH remote key was not OK

我已将相关证书添加到受信任的证书中，以使curl工作，但dotnet restore仍然存在错误.

我试图挖掘核心资源，以找出Nuget如何在没有运气的情况下检查SSL证书. 我尝试过的版本:

• 1.0.0-preview1-002702
• 1.0.0-preview2-003100

我已经使用.curlrc配置了curl:

cacert=/etc/ssl/certs/ca-certificates.crt

它具有固定的curl -I https://api.nuget.org调用.

但是dotnet restore -v Debug仍然失败:

trace: Running restore with 8 concurrent jobs.
trace: Reading project file /home/user/test/project.json.
log  : Restoring packages for /home/user/test/project.json...
trace: Restoring packages for .NETCoreApp,Version=v1.0...
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error:   An error occurred while sending the request.
error:   SSL peer certificate or SSH remote key was not OK
trace: System.AggregateException: One or more errors occurred. (Unable to load the service index for source https://api.nuget.org/v3/index.json.) ---> NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://api.nuget.org/v3/index.json. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL peer certificate or SSH remote key was not OK
trace:    at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)

因此dotnet核心使用libcurl，但显然并没有使用.curlrc.

2016年6月21日

也尝试使用mozroots更新证书数据库，但是它没有任何效果. (即使dotnet核心构建页面中提到它，它似乎与mono比与dotnetcore更相关).

深入研究corefx代码之后，System.Net.Http的Curl处理程序似乎并没有在所有情况下都设置正确的ssl选项(例如泰勒解决方案:

certmgr -ssl -m https://api.nuget.org

即使我键入'y', 'yes', '1', 'true'或其他命令，也不会添加最后一个证书.

mozroots --url https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt --sync --import

这可以做些什么:

Importing certificates into user store...
194 new root certificates were added to your trust store.
Import process completed.

我不认为dotnet核心使用libcurl nss构建(只是因为它们的开发页面介绍了openssl版本(它们是互斥的).顺便说一句，我尝试使用nss的libcurl构建，并且dotnet restore仍然失败.

恕我直言，这个问题与错误的证书注册无关，而更多地是因为没有正确禁用curl内置证书验证(因为证书验证是在System.Net.Http中完成的，并且必须提供给客户端代码)可以自定义此验证的功能.

为什么它在我的机器上而不是其他地方发生? 它必须与我的libcurl版本有关.

但是，目前所有这些只是假设.

编辑22/05/2016:

通过更彻底地查看代码，尤其是在比较master分支和RC2版本时，很明显SSL处理代码仍在改变很多.

所以我只需要抓取RC2代码并对其进行修改以反映master分支的作用:

easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0);

但是，它并没有改变任何东西...但是预测是这样. 所以这里是我使用的代码:

easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYPEER, 0);

，然后用禁用的ssl证书替换System.Net.Http.dll. 不安全，但暂时阻止我.

我没有将其添加为答案，因为它更像是黑客，而不是解决方案.

(一个真正的解决方法是完全禁用curl进行的证书检查，并始终在.Net内核中进行处理，但在master上的当前代码中，情况并非如此，更多地是两者的结合)./p>

对于根本原因，我认为我使用的是特定设置:

• libcurl的构建没有任何默认证书捆绑包路径. curlconfig --ca返回一个空字符串.而且它不会读取CURL_CA_BUNDLE环境变量或.curlrc文件.
• (dotnet-core的)System.Net.Http既未设置默认值，也未禁用证书验证.

解决方案

打开SSL丢失的捆绑包证书

根本原因是缺少的 openssl 配置.
如果您运行以下命令(或类似命令):

openssl verify /usr/share/ca-certificates/nuget.crt

，您收到以下结果:

/usr/share/ca-certificates/nuget.crt: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
error 2 at 1 depth lookup:unable to get issuer certificate
140075910137504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
140075910137504:error:0B06F009:x509 certificate routines:X509_load_cert_file:PEM lib:by_file.c:162:

这是因为openssl(dotnet/libcurl最终依赖于它进行ssl检查)不知道在哪里可以找到ca bundle.我没有在/etc/ssl/openssl.cnf中看到任何相关参数，所以甚至

export OPENSSL_CONF=/etc/ssl/openssl.cnf

对opensl验证失败没有帮助.

但是，以下内容解决了两个问题(openssl和nuget)

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

现在输出openssl:

zsh/2 906 [1] # openssl verify /usr/share/ca-certificates/nuget.crt
/usr/share/ca-certificates/nuget.crt: OK

和dotnet restore:

zsh 904 # dotnet restore
log  : Restoring packages for /home/user/test/project.json...
info :   GET https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethostresolver/index.json
info :   OK https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethostresolver/index.json 412ms
info :   GET https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethost/index.json
info :   OK https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethost/index.json 409ms
info : Committing restore...
log  : Lock file has not changed. Skipping lock file write. Path: /home/user/test/project.lock.json
log  : /home/user/test/project.json
log  : Restore completed in 4412ms.

NuGet Config files used:
    /home/user/.nuget/NuGet/NuGet.Config

Feeds used:
    https://api.nuget.org/v3/index.json

特别感谢泰勒，他们帮助我保持了解决这一问题的动力.

I've just followed the procedure here: https://www.microsoft.com/net/core#ubuntu

and that's the output of dotnet restore

log  : Restoring packages for /home/test/project.json...
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error:   An error occurred while sending the request.
error:   SSL peer certificate or SSH remote key was not OK

I've added the relevant certificates to the trusted ones in order to make curl work but the error remains for dotnet restore.

I've tried to dig in the core source to find out how Nuget checks the SSL certificates without luck. Versions I've tried:

• 1.0.0-preview1-002702
• 1.0.0-preview2-003100

I've configured curl using the .curlrc :

cacert=/etc/ssl/certs/ca-certificates.crt

It has fixed curl -I https://api.nuget.org invocation.

However dotnet restore -v Debug still fails:

trace: Running restore with 8 concurrent jobs.
trace: Reading project file /home/user/test/project.json.
log  : Restoring packages for /home/user/test/project.json...
trace: Restoring packages for .NETCoreApp,Version=v1.0...
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error:   An error occurred while sending the request.
error:   SSL peer certificate or SSH remote key was not OK
trace: System.AggregateException: One or more errors occurred. (Unable to load the service index for source https://api.nuget.org/v3/index.json.) ---> NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://api.nuget.org/v3/index.json. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL peer certificate or SSH remote key was not OK
trace:    at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)

So dotnet core uses libcurl but it doesn't use the .curlrc obviously.

EDIT: 21/06/2016

Tried to update the certificates database with mozroots also but it failed to have any effect. (Seems to be more related to mono than to dotnetcore even if dotnet core building page mention it).

After digging into corefx code, Curl handler of System.Net.Http doesn't seem to set the right ssl options in all cases (like in Simple Curl SSL sample).

I've tried Tyler solutions:

certmgr -ssl -m https://api.nuget.org

This isn't adding the last certificate even if I type 'y', 'yes', '1', 'true' or whatever.

mozroots --url https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt --sync --import

This does something:

Importing certificates into user store...
194 new root certificates were added to your trust store.
Import process completed.

I'm not convinced that dotnet core used the libcurl nss build (just because their development page tells about openssl version (and they're mutually exclusive). By the way, I've tried to use nss build of libcurl and dotnet restore still fails.

IMHO, the problem is not related to bad certificates registration but more on the fact that curl builtin certificate validation is not properly disabled (because the certificate validation is done in System.Net.Http and that is mandatory to offer to client code the ability to customize this validation).

Why is it happening on my machine and not elsewhere ? It must be related to my version of libcurl.

However all of these are just assumptions for the moment.

EDIT 22/05/2016:

By looking at the code more thoroughly, especially when comparing master branch and the RC2 release, it's clear that SSL handling code is still changing a lot.

So I just grab the RC2 code and modify it to reflect what master branch does:

easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0);

However, it didn't change anything... But forecasted it was. so here the code I used:

easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYPEER, 0);

and then replace System.Net.Http.dll with the ssl certificates check disabled. Not safe but unblocking me for the moment.

I didn't add that as an answer because it's more a hack than a fix.

(a real fix would be to disable completely certificates checks done by curl and always handle it in .Net core but in the current code on master, it's still not the case, it's more a kind of mix of both).

For the root cause, I think that I'm on a specific setup :

• libcurl built without any default certificate bundle path. curlconfig --ca return an empty string. And it doesn't read the CURL_CA_BUNDLE environment variable or .curlrc file.
• System.Net.Http (of dotnet-core) does neither setup a ca default nor disable the certificate validation.

解决方案

Open SSL missing bundle certificates

The root cause is a missing configuration of openssl.
If you run the following command (or a similar one):

openssl verify /usr/share/ca-certificates/nuget.crt

and you receive the following result:

/usr/share/ca-certificates/nuget.crt: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
error 2 at 1 depth lookup:unable to get issuer certificate
140075910137504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
140075910137504:error:0B06F009:x509 certificate routines:X509_load_cert_file:PEM lib:by_file.c:162:

It's because openssl (on which dotnet / libcurl ultimately relies to do the ssl checks) did not know where to find the ca bundle. I didn't seen any related parameter in /etc/ssl/openssl.cnf so even

export OPENSSL_CONF=/etc/ssl/openssl.cnf

won't help on the openssl verification failure.

However, the following has fixed both problems (openssl and nuget)

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Now the output for openssl:

zsh/2 906 [1] # openssl verify /usr/share/ca-certificates/nuget.crt
/usr/share/ca-certificates/nuget.crt: OK

and for dotnet restore:

zsh 904 # dotnet restore
log  : Restoring packages for /home/user/test/project.json...
info :   GET https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethostresolver/index.json
info :   OK https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethostresolver/index.json 412ms
info :   GET https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethost/index.json
info :   OK https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethost/index.json 409ms
info : Committing restore...
log  : Lock file has not changed. Skipping lock file write. Path: /home/user/test/project.lock.json
log  : /home/user/test/project.json
log  : Restore completed in 4412ms.

NuGet Config files used:
    /home/user/.nuget/NuGet/NuGet.Config

Feeds used:
    https://api.nuget.org/v3/index.json

Special thanks to Tyler who help me to keep the motivation to fix this.

这篇关于"dotnet恢复"失败并显示"SSL对等证书或SSH远程密钥不正确"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！