`az artifacts universal publish` Ubuntu 22.04 libssl error

[bweben]

Description

We upgraded our docker image to ubuntu 22.04 from 20.04. Now az artifacts universal publish fails due to a No usable version of libssl was found error. If we install the libssl version 1.1.* we end up with another error.

On the Ubuntu 20.04 docker image, all worked great.

Versions

• Docker image: ubuntu:22.04
• libssl: 3.0. / 1.1.
• Azure-Devops Extension: 0.25.0
• Azure-CLI: 2.36.0

Logs

Error with libssl 1.1.*

The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception.
 ---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception.
 ---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception.
 ---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:module_run:unknown module name
   at Interop.SslInitializer..cctor()
   --- End of inner exception stack trace ---
   at Interop.Ssl..cctor()
   --- End of inner exception stack trace ---
   at Interop.Ssl.SslV2_3Method()
   at Interop.Ssl.SslMethods..cctor()
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SafeDeleteSslContext..ctor(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
   at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync(HttpRequestMessage message, HttpCompletionOption completionOption, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpRequestMessage message, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.GetConnectionDataAsync(ConnectOptions connectOptions, Int64 lastChangeId, CancellationToken cancellationToken, Object userState)
   at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.GetConnectionDataAsync(ConnectOptions connectOptions, Int32 lastChangeId, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.ConnectAsync(ConnectOptions connectOptions, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.EnsureConnectedAsync(ConnectOptions optionsNeeded, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.GetInstanceIdAsync(CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.Location.LocationService.GetLocationDataAsync(Guid locationAreaIdentifier, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssConnection.GetClientInstanceAsync(Type managedType, Guid serviceIdentifier, CancellationToken cancellationToken, VssHttpRequestSettings settings, DelegatingHandler[] handlers)
   at Microsoft.VisualStudio.Services.WebApi.VssConnection.GetClientServiceImplAsync(Type requestedType, Guid serviceIdentifier, Func`4 getInstanceAsync, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssConnection.GetClientAsync[T](CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Content.Common.AsyncHttpRetryHelper`1.InvokeAsync(CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Content.Common.ExceptionExtensions.ReThrow(Exception ex)
   at Microsoft.VisualStudio.Services.Content.Common.AsyncHttpRetryHelper`1.InvokeAsync(CancellationToken cancellationToken)
   at ArtifactTool.DedupManifestArtifactClientProvider.GetDedupManifestArtifactClientAsync(String serviceUrl, String patVar, ILogger commandBaseLogger, IAppTraceSource tracer, String cacheDirectory, Boolean cacheWriteAllowed, CancellationToken cancellationToken) in D:\\a\\1\\s\\src\\ArtifactTool\\Providers\\DedupManifestArtifactClient\\DedupManifestArtifactClientProvider.cs:line 57
   at ArtifactTool.Commands.UPackPublishCommand.ExecuteAsync() in D:\\a\\1\\s\\src\\ArtifactTool\\Commands\\UPack\\UPackPublishCommand.cs:line 51
   at ArtifactTool.Commands.CommandBase.OnExecuteAsync() in D:\\a\\1\\s\\src\\ArtifactTool\\Commands\\CommandBase.cs:line 105
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.InvokeAsync(MethodInfo method, Object instance, Object[] arguments) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\Conventions\\ExecuteMethodConvention.cs:line 77
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.OnExecute(ConventionContext context) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\Conventions\\ExecuteMethodConvention.cs:line 62
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.<>c__DisplayClass0_0.<<Apply>b__0>d.MoveNext() in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\Conventions\\ExecuteMethodConvention.cs:line 25
--- End of stack trace from previous location where exception was thrown ---
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.<>c__DisplayClass126_0.<OnExecute>b__0() in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.cs:line 505
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute(String[] args) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.cs:line 611
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute[TApp](CommandLineContext context) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 57
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](CommandLineContext context) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 145
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](IConsole console, String[] args) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 130
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](String[] args) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 112

Error with libssl 3.0.*

WARNING: Failed to parse structured output from Universal Packages tooling (ArtifactTool)\nWARNING: Exception: Expecting value: line 1 column 1 (char 0)\nWARNING: Log line: No usable version of libssl was found\nWARNING: Failed to parse structured output from Universal Packages tooling (ArtifactTool)\nWARNING: Exception: Expecting value: line 1 column 1 (char 0)\nWARNING: Log line: qemu: uncaught target signal 6 (Aborted) - core dumped

Az extension versions

[
  {
    "experimental": false,
    "extensionType": "whl",
    "name": "azure-devops",
    "path": "/root/.azure/cliextensions/azure-devops",
    "preview": false,
    "version": "0.25.0"
  },
  {
    "experimental": false,
    "extensionType": "whl",
    "name": "azure-iot",
    "path": "/root/.azure/cliextensions/azure-iot",
    "preview": false,
    "version": "0.14.0"
  },
  {
    "experimental": false,
    "extensionType": "whl",
    "name": "ml",
    "path": "/root/.azure/cliextensions/ml",
    "preview": true,
    "version": "2.3.1"
  }
]

Azure cli version

azure-cli                         2.36.0
core                              2.36.0
telemetry                          1.0.6

Extensions:
azure-devops                      0.25.0
azure-iot                         0.14.0
ml                                 2.3.1

Dependencies:
msal                              1.17.0
azure-mgmt-resource               20.0.0

Python location '/opt/miniconda/bin/python'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.8.11 (default, Aug  3 2021, 15:09:35)
[GCC 7.5.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

OS version

cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Update: Manual reproduction

docker run -it ubuntu:22.04
# inside docker
apt update && apt install curl
curl -sL https://aka.ms/InstallAzureCLIDeb | bash
export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
az login
mkdir test && cd test && echo "hello world" >> world.txt
az artifacts universal publish --organization <organization> --project="<project>" --scope project --feed <feed> --name my-first-package --version 0.0.1 --description "Welcome to Universal Packages" --path .

[ghost]

Thank you for your feedback. This has been routed to the support team for assistance.

[yonzhan]

route to CXP team

[SatishBoddu-MSFT]

Hello @bweben We are routing this to Service Teams Attention for further action!

[wvmcastro]

I am having exactly the same issue as well

[ismailhkose]

I am also getting this libssl related error when I try any az command on Ubuntu 22.04. It can't run any az command at all.

[meierale]

Iast 're-routing' of this issue was over 2 weeks ago... any updates on whether this is being tracked / analyzed? @SatishBoddu-MSFT? @yonzhan

[dreh23]

Same Problem for me

---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:module_run:unknown module name

[bweben]

Is there any possibility to get this working even without a new az version? This is quite a high priority issue for us. Or are there any other Microsoft support options available for the Azure CLI? I am sorry if this is the wrong channel to ask but if anyone has any answer to my questions I would be happy to hear them.

[zicjin]

Same Problem for my ubuntu 22.04

No usable version of libssl was found
./config.sh：行 86: 1414825 已放弃               （核心已转储） ./bin/Agent.Listener configure "$@"

[meierale]

Come on - I know this is an open source project of Microsoft / Azure.. but no activity whatsoever in over a month? Are you serious?

[kysucix]

The workaround for now is the following:

• Install an older version of libssl: wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1l-1ubuntu1.6_amd64.deb && sudo dpkg -i libssl1.1_1.1.1l-1ubuntu1.6_amd64.deb && rm libssl1.1_1.1.1l-1ubuntu1.6_amd64.deb
• Edit etc/ssl/openssl.cnf: sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf

See https://github.com/microsoft/azure-pipelines-agent/issues/3834#issuecomment-1173182107

[meierale]

Hi @kysucix Thanks for the workaround... this is maybe a temporary solution, but libssl1 / openssl1 have serious CVEs! (https://security-tracker.debian.org/tracker/CVE-2022-1292 for example) I really hope libssl3 is soon going to work!

[kysucix]

Hi, the vulnerability is fixed in latest version of libssl, see https://ubuntu.com/security/CVE-2022-1292

[kysucix]

@yonzhan Do you have an update for a proper fix to this issue?

[ghost]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @v-anvashist, @V-hmusukula.

Issue Details

---

# Description We upgraded our docker image to ubuntu 22.04 from 20.04. Now `az artifacts universal publish` fails due to a `No usable version of libssl was found` error. If we install the libssl version `1.1.*` we end up with another error. On the Ubuntu 20.04 docker image, all worked great. ## Versions - Docker image: ubuntu:22.04 - libssl: 3.0.* / 1.1.* - Azure-Devops Extension: 0.25.0 - Azure-CLI: 2.36.0 # Logs ## Error with libssl 1.1.* ``` The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception. ---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception. ---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception. ---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:module_run:unknown module name at Interop.SslInitializer..cctor() --- End of inner exception stack trace --- at Interop.Ssl..cctor() --- End of inner exception stack trace --- at Interop.Ssl.SslV2_3Method() at Interop.Ssl.SslMethods..cctor() --- End of inner exception stack trace --- at Interop.OpenSsl.AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SafeDeleteSslContext..ctor(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions) --- End of inner exception stack trace --- at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken) at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState) at System.Net.Security.SslStream.<>c.b__65_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state) at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions) at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions) at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state) at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts) at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync(HttpRequestMessage message, HttpCompletionOption completionOption, Object userState, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpRequestMessage message, Object userState, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.GetConnectionDataAsync(ConnectOptions connectOptions, Int64 lastChangeId, CancellationToken cancellationToken, Object userState) at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.GetConnectionDataAsync(ConnectOptions connectOptions, Int32 lastChangeId, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.ConnectAsync(ConnectOptions connectOptions, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.EnsureConnectedAsync(ConnectOptions optionsNeeded, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.Location.VssServerDataProvider.GetInstanceIdAsync(CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.Location.LocationService.GetLocationDataAsync(Guid locationAreaIdentifier, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.VssConnection.GetClientInstanceAsync(Type managedType, Guid serviceIdentifier, CancellationToken cancellationToken, VssHttpRequestSettings settings, DelegatingHandler[] handlers) at Microsoft.VisualStudio.Services.WebApi.VssConnection.GetClientServiceImplAsync(Type requestedType, Guid serviceIdentifier, Func`4 getInstanceAsync, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.VssConnection.GetClientAsync[T](CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.Content.Common.AsyncHttpRetryHelper`1.InvokeAsync(CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.Content.Common.ExceptionExtensions.ReThrow(Exception ex) at Microsoft.VisualStudio.Services.Content.Common.AsyncHttpRetryHelper`1.InvokeAsync(CancellationToken cancellationToken) at ArtifactTool.DedupManifestArtifactClientProvider.GetDedupManifestArtifactClientAsync(String serviceUrl, String patVar, ILogger commandBaseLogger, IAppTraceSource tracer, String cacheDirectory, Boolean cacheWriteAllowed, CancellationToken cancellationToken) in D:\\a\\1\\s\\src\\ArtifactTool\\Providers\\DedupManifestArtifactClient\\DedupManifestArtifactClientProvider.cs:line 57 at ArtifactTool.Commands.UPackPublishCommand.ExecuteAsync() in D:\\a\\1\\s\\src\\ArtifactTool\\Commands\\UPack\\UPackPublishCommand.cs:line 51 at ArtifactTool.Commands.CommandBase.OnExecuteAsync() in D:\\a\\1\\s\\src\\ArtifactTool\\Commands\\CommandBase.cs:line 105 at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.InvokeAsync(MethodInfo method, Object instance, Object[] arguments) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\Conventions\\ExecuteMethodConvention.cs:line 77 at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.OnExecute(ConventionContext context) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\Conventions\\ExecuteMethodConvention.cs:line 62 at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.<>c__DisplayClass0_0.<b__0>d.MoveNext() in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\Conventions\\ExecuteMethodConvention.cs:line 25 --- End of stack trace from previous location where exception was thrown --- at McMaster.Extensions.CommandLineUtils.CommandLineApplication.<>c__DisplayClass126_0.b__0() in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.cs:line 505 at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute(String[] args) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.cs:line 611 at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute[TApp](CommandLineContext context) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 57 at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](CommandLineContext context) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 145 at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](IConsole console, String[] args) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 130 at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](String[] args) in C:\\projects\\commandlineutils\\src\\CommandLineUtils\\CommandLineApplication.Execute.cs:line 112 ``` ## Error with libssl 3.0.* ``` WARNING: Failed to parse structured output from Universal Packages tooling (ArtifactTool)\nWARNING: Exception: Expecting value: line 1 column 1 (char 0)\nWARNING: Log line: No usable version of libssl was found\nWARNING: Failed to parse structured output from Universal Packages tooling (ArtifactTool)\nWARNING: Exception: Expecting value: line 1 column 1 (char 0)\nWARNING: Log line: qemu: uncaught target signal 6 (Aborted) - core dumped ``` ## Az extension versions ``` [ { "experimental": false, "extensionType": "whl", "name": "azure-devops", "path": "/root/.azure/cliextensions/azure-devops", "preview": false, "version": "0.25.0" }, { "experimental": false, "extensionType": "whl", "name": "azure-iot", "path": "/root/.azure/cliextensions/azure-iot", "preview": false, "version": "0.14.0" }, { "experimental": false, "extensionType": "whl", "name": "ml", "path": "/root/.azure/cliextensions/ml", "preview": true, "version": "2.3.1" } ] ``` ## Azure cli version ``` azure-cli 2.36.0 core 2.36.0 telemetry 1.0.6 Extensions: azure-devops 0.25.0 azure-iot 0.14.0 ml 2.3.1 Dependencies: msal 1.17.0 azure-mgmt-resource 20.0.0 Python location '/opt/miniconda/bin/python' Extensions directory '/root/.azure/cliextensions' Python (Linux) 3.8.11 (default, Aug 3 2021, 15:09:35) [GCC 7.5.0] Legal docs and information: aka.ms/AzureCliLegal Your CLI is up-to-date. ``` ## OS version ``` cat /etc/os-release PRETTY_NAME="Ubuntu 22.04 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04 (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy ```

Author:	bweben
Assignees:	-
Labels:	`Service Attention`, `customer-reported`, `Artifacts`, `DevOps`, `Auto-Assign`
Milestone:	Backlog

[meierale]

Hi, the vulnerability is fixed in latest version of libssl, see https://ubuntu.com/security/CVE-2022-1292

Yes, we found a patched version that we can use. Still we think that installing libssl1 on an os that comes with libssl3 is an ugly hack. Unfortunately it seems to be the only way right now to get az artifacts working on ubuntu 22.04.

[quintindk]

The workaround for now is the following:

• Install an older version of libssl: wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1l-1ubuntu1.6_amd64.deb && sudo dpkg -i libssl1.1_1.1.1l-1ubuntu1.6_amd64.deb && rm libssl1.1_1.1.1l-1ubuntu1.6_amd64.deb
• Edit etc/ssl/openssl.cnf: sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf

See microsoft/azure-pipelines-agent#3834 (comment)

same same, az artifacts universal download also fails on ubuntu 22.04. workaround above works...

[lmoiseichuk]

Issue reproduced on Win11/WSL2/Ubuntu 22.04 Workaround with installing http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1l-1ubuntu1.6_amd64.deb and commenting line in /etc/ssl/openssl.cnf openssl_conf = openssl_init Works fine

[arludwig]

The link to the mentioned package did not work for me. I could however use http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1-1ubuntu2.1~18.04.20_amd64.deb to get it working. (Remember to edit the package name three (3) times in the command (wget, dpkg and rm))

[Quixotical]

This issue also seems to exist when running an azure pipeline agent locally

[murfidaz]

same here, i use ubuntu 22.04 and want to install azure pipeline agent, but get this error

[QuinnDamerell]

+1. Oddly I have the agent Azure Dev Ops agent working on some of my Ubuntu 22.04 VMs but not others. Is there a fix for this yet?

[rodrigovb96]

Any news on this topic? I don't think that downgrading the lib is a good option for me

[zmfdan]

I have the same issue, any updates?

[QuinnDamerell]

If you’re issue is with the ADO pipeline, they have updated the main bug being tracked here: https://github.com/microsoft/azure-pipelines-agent/issues/3834#issuecomment-1325638361

Good news, they have an update that will move to dotnet 6, so the issue will be resolved soon!

[zmfdan]

From an Ubuntu 22.04 docker container, I am getting the SSL error while running az artifacts universal download.

[gravufo]

This was opened back in April. How is it still not fixed? I feel like the workaround is unacceptable, because people will end up installing a package that will never ever get updated and will probably forget to readjust their openssl config.

What is the timeline for a real fix?

[emibcn]

@SatishBoddu-MSFT @yonzhan Is any update on this?

Looks like updating az cli .NET core to latest 2.1 version should work: https://dev.to/n3wt0n/no-usable-version-of-the-libssl-was-found-solved-2ffa

[gravufo]

@SatishBoddu-MSFT @yonzhan Is any update on this?

Looks like updating az cli .NET core to latest 2.1 version should work: https://dev.to/n3wt0n/no-usable-version-of-the-libssl-was-found-solved-2ffa

The post you linked talks about missing 1.0. In our case, it's complaining about missing 1.1, not 1.0. We need it to support 3.0.

[zmfdan]

Yes, we need support for OpenSSL 3.0.

[laurioma]

I agree, it's a pain to maintain the workaround suggested above.

[rodrigovb96]

any updates??

[dhildesheim]

Is there a timeline when /if the feature is planned?

[YarekTyshchenko]

This is very annoying, Thinking of a possible workaround using a docker container so as to not cripple your workstation

[dhildesheim]

Put this into your .bashrc. It works in some, but not all cases, you will have to try...

function az () {
    docker run -it -u $UID:$GID --entrypoint="" -v "$(pwd)":/build --workdir="/build" -v "${HOME}"/.azure:/.azure:rw -v "${HOME}"/.azure-devops:/.azure-devops:rw mcr.microsoft.com/azure-cli az "$@"
}
export -f az

PS 14.04.2023: The docker image is broken, too. It is already for a few weeks. Don't bother with this solution

[YarekTyshchenko]

Nice, I didn't know MS published the tool as a container. Thanks

[inversus]

This is also broken on the latest container 2.46.0.

You must understand that this is a major issue and it is not fixed after almost a year. We are considering moving to an alternative artifact platform capable of storing the build and universal artifacts so that developers and testers may download them without hitting this problem.

I'd like to ask you MS Devs to please fix it, with as much urgency as possible.

[lorenzo-biava]

Any chance this will get fixed? Looks a bit weird that such a mainstream distro is not supported, even more than one year after its release.

@yonzhan / @SatishBoddu-MSFT this ticket got moved around a few times but has never actually been worked on, right? can you please reconsider it?

[torbjoernk]

@lorenzo-biava @yonzhan @SatishBoddu-MSFT

Also the related issue on the extension itself is rather stale: https://github.com/Azure/azure-cli-extensions/issues/5979

[zioalex]

HI dear Microsoft, can you please fix this issue?

The libssl version changed the new working commands are: wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2_amd64.deb && sudo dpkg -i libssl1.1_1.1.1f-1ubuntu2_amd64.deb && rm libssl1.1_1.1.1f-1ubuntu2_amd64.deb

sudo sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf

[Azkel]

Hey guys,

Did a quick investigation, and this is issues within the ArtifactTool.exe .NET application that is downloaded while running az artifacts universal download or az artifacts universal publish. Tldr this app uses EOL version of .NET (Core 3.1), which is no longer supported. Additionally,

Unfortunately as this is Microsoft closed-source tool, instead of relying on Github team to fix it here, this needs to be raised on Developer Community. There is a slight chance that updating that tool to latest supported LTS version of .NET may resolve this issue - there is ticket open for it already. I think the best approach would be to make some noise there, so perhaps someone from development team of that tool would spend some effort to make it working with current Linux stack.

I already noticed that Microsoft has a pretty nasty tendency there to close tickets related to this tool with "not enough information" or "workaround provided. install libssl 1.x", so keep in mind that we really need to escalate it properly.

[emibcn]

Thanks @Azkel ! Great investigation! Thank you also for the last advice ;)

[aguirrem]

May 2023, I am glad I found this thread but also sad that this issue is still present. Is there any work being done to fix this problem?

[adrian-patt]

May 2023, commenting for exposure.

Experiencing the same issue, would love a better solution than using an outdated vulnerable ssl library.

HI dear Microsoft, can you please fix this issue?

The libssl version changed the new working commands are: wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2_amd64.deb && sudo dpkg -i libssl1.1_1.1.1f-1ubuntu2_amd64.deb && rm libssl1.1_1.1.1f-1ubuntu2_amd64.deb

sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf

This fix worked for me.

[jaapcrezee]

Please fix this m$....

[jaapcrezee]

Another workaround:

function az () {
    docker run -it -u $UID:$GID --entrypoint="" -v "$(pwd)":/build --workdir="/build" -v "${HOME}"/.azure:/.azure:rw -v "${HOME}"/.azure-devops:/.azure-devops:rw mcr.microsoft.com/azure-cli az "$@"
} 

[rodrigovb96]

@jaapcrezee Are you sure this work with this image? For me it seems to have the same issue.

[jaapcrezee]

@rodrigovb96 I use version 2.45.0 Maybe you can try that one instead of the latest.

[kysucix]

It looks like latest azure-cli doesn't need the workaround anymore.

Can someone else confirm as well?

[asad26]

I can also confirm that the latest version v2.50.0 of Azure CLI doesn't need any workaround (at least I tested on Ubuntu Jammy).