“dotnet 恢复"因“SSL 对等证书或 SSH 远程密钥不正常"而失败 [英] "dotnet restore" fails with "SSL peer certificate or SSH remote key was not OK"
问题描述
我刚刚按照这里的程序进行了操作:https://www.microsoft.com/net/core#ubuntu
I've just followed the procedure here: https://www.microsoft.com/net/core#ubuntu
这就是 dotnet restore
log : Restoring packages for /home/test/project.json...
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error: An error occurred while sending the request.
error: SSL peer certificate or SSH remote key was not OK
我已将相关证书添加到受信任的证书中,以使 curl 工作,但 dotnet restore 的错误仍然存在.
I've added the relevant certificates to the trusted ones in order to make curl work but the error remains for dotnet restore.
我试图挖掘核心源代码以了解 Nuget 如何检查 SSL 证书却没有运气.我尝试过的版本:
I've tried to dig in the core source to find out how Nuget checks the SSL certificates without luck. Versions I've tried:
- 1.0.0-preview1-002702
- 1.0.0-preview2-003100
我已经使用 .curlrc 配置了 curl:
I've configured curl using the .curlrc :
cacert=/etc/ssl/certs/ca-certificates.crt
它已修复 curl -I https://api.nuget.org 调用.
但是 dotnet restore -v Debug 仍然失败:
trace: Running restore with 8 concurrent jobs.
trace: Reading project file /home/user/test/project.json.
log : Restoring packages for /home/user/test/project.json...
trace: Restoring packages for .NETCoreApp,Version=v1.0...
error: Unable to load the service index for source https://api.nuget.org/v3/index.json.
error: An error occurred while sending the request.
error: SSL peer certificate or SSH remote key was not OK
trace: System.AggregateException: One or more errors occurred. (Unable to load the service index for source https://api.nuget.org/v3/index.json.) ---> NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://api.nuget.org/v3/index.json. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL peer certificate or SSH remote key was not OK
trace: at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
所以 dotnet core 使用 libcurl 但显然没有使用 .curlrc.
So dotnet core uses libcurl but it doesn't use the .curlrc obviously.
21/06/2016
也尝试使用 mozroots 更新证书数据库,但没有任何效果.(即使 dotnet core 构建页面提到它,似乎与 mono 的关系比与 dotnetcore 更相关).
Tried to update the certificates database with mozroots also but it failed to have any effect. (Seems to be more related to mono than to dotnetcore even if dotnet core building page mention it).
在深入研究 corefx 代码后,System.Net.Http 的 Curl 处理程序似乎并未在所有情况下都设置正确的 ssl 选项(如 简单卷曲 SSL 示例).
After digging into corefx code, Curl handler of System.Net.Http doesn't seem to set the right ssl options in all cases (like in Simple Curl SSL sample).
我已经尝试过 Tyler 解决方案:
I've tried Tyler solutions:
certmgr -ssl -m https://api.nuget.org
即使我输入 'y'、'yes'、'1'、'true' 或其他任何内容,这也不会添加最后一个证书.
This isn't adding the last certificate even if I type 'y', 'yes', '1', 'true' or whatever.
mozroots --url https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt --sync --import
这会做一些事情:
Importing certificates into user store...
194 new root certificates were added to your trust store.
Import process completed.
我不相信 dotnet 核心使用 libcurl nss 构建(只是因为他们的 开发页面 讲述了 openssl 版本(它们是互斥的).顺便说一下,我尝试使用 libcurl 的 nss 构建,但 dotnet restore 仍然失败.
I'm not convinced that dotnet core used the libcurl nss build (just because their development page tells about openssl version (and they're mutually exclusive). By the way, I've tried to use nss build of libcurl and dotnet restore still fails.
恕我直言,问题与错误的证书注册无关,而更多是因为 curl 内置证书验证未正确禁用(因为证书验证是在 System.Net.Http 中完成的,并且必须提供给客户端代码自定义此验证的能力).
IMHO, the problem is not related to bad certificates registration but more on the fact that curl builtin certificate validation is not properly disabled (because the certificate validation is done in System.Net.Http and that is mandatory to offer to client code the ability to customize this validation).
为什么它发生在我的机器上而不是其他地方?它必须与我的 libcurl 版本有关.
Why is it happening on my machine and not elsewhere ? It must be related to my version of libcurl.
然而,所有这些都只是暂时的假设.
However all of these are just assumptions for the moment.
编辑 22/05/2016:
通过更彻底地查看代码,特别是在比较 master 分支和 RC2 版本时,很明显 SSL 处理代码仍然有很大的变化.
By looking at the code more thoroughly, especially when comparing master branch and the RC2 release, it's clear that SSL handling code is still changing a lot.
所以我只是抓取 RC2 代码并对其进行修改以反映 master 分支的作用:
So I just grab the RC2 code and modify it to reflect what master branch does:
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0);
然而,它并没有改变任何东西......但预测它是.所以这里是我使用的代码:
However, it didn't change anything... But forecasted it was. so here the code I used:
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYPEER, 0);
然后将 System.Net.Http.dll 替换为禁用 ssl 证书检查.不安全,但暂时解除对我的阻止.
and then replace System.Net.Http.dll with the ssl certificates check disabled. Not safe but unblocking me for the moment.
我没有将其添加为答案,因为它更像是破解而不是修复.
I didn't add that as an answer because it's more a hack than a fix.
(真正的解决方法是完全禁用 curl 完成的证书检查,并始终在 .Net 核心中处理它,但在 master 上的当前代码中,情况仍然不是这样,它更像是两者的混合).
(a real fix would be to disable completely certificates checks done by curl and always handle it in .Net core but in the current code on master, it's still not the case, it's more a kind of mix of both).
对于根本原因,我认为我处于特定设置中:
For the root cause, I think that I'm on a specific setup :
- libcurl 在没有任何默认证书包路径的情况下构建.
curlconfig --ca返回一个空字符串.它不会读取CURL_CA_BUNDLE环境变量或.curlrc文件. - System.Net.Http(dotnet-core)既不设置ca默认值也不禁用证书验证.
- libcurl built without any default certificate bundle path.
curlconfig --careturn an empty string. And it doesn't read theCURL_CA_BUNDLEenvironment variable or.curlrcfile. - System.Net.Http (of dotnet-core) does neither setup a ca default nor disable the certificate validation.
推荐答案
打开 SSL 缺少捆绑证书
根本原因是缺少openssl的配置.
如果您运行以下命令(或类似命令):
Open SSL missing bundle certificates
The root cause is a missing configuration of openssl.
If you run the following command (or a similar one):
openssl verify /usr/share/ca-certificates/nuget.crt
您会收到以下结果:
/usr/share/ca-certificates/nuget.crt: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
error 2 at 1 depth lookup:unable to get issuer certificate
140075910137504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
140075910137504:error:0B06F009:x509 certificate routines:X509_load_cert_file:PEM lib:by_file.c:162:
这是因为 openssl(dotnet/libcurl 最终依赖于它来进行 ssl 检查)不知道在哪里可以找到 ca 包.我在 /etc/ssl/openssl.cnf 中没有看到任何相关参数,所以即使是
It's because openssl (on which dotnet / libcurl ultimately relies to do the ssl checks) did not know where to find the ca bundle. I didn't seen any related parameter in /etc/ssl/openssl.cnf so even
export OPENSSL_CONF=/etc/ssl/openssl.cnf
对 openssl 验证失败无济于事.
won't help on the openssl verification failure.
但是,以下解决了这两个问题(openssl 和 nuget)
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
现在 openssl 的输出:
zsh/2 906 [1] # openssl verify /usr/share/ca-certificates/nuget.crt
/usr/share/ca-certificates/nuget.crt: OK
对于dotnet restore:
zsh 904 # dotnet restore
log : Restoring packages for /home/user/test/project.json...
info : GET https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethostresolver/index.json
info : OK https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethostresolver/index.json 412ms
info : GET https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethost/index.json
info : OK https://api.nuget.org/v3-flatcontainer/microsoft.netcore.dotnethost/index.json 409ms
info : Committing restore...
log : Lock file has not changed. Skipping lock file write. Path: /home/user/test/project.lock.json
log : /home/user/test/project.json
log : Restore completed in 4412ms.
NuGet Config files used:
/home/user/.nuget/NuGet/NuGet.Config
Feeds used:
https://api.nuget.org/v3/index.json
特别感谢 Tyler 帮助我保持解决此问题的动力.
Special thanks to Tyler who help me to keep the motivation to fix this.
这篇关于“dotnet 恢复"因“SSL 对等证书或 SSH 远程密钥不正常"而失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
