Closed bganapa closed 3 years ago
upvote - Experiencing same issue, SSL errors
The remote certificate is invalid because of errors in the certificate chain: NotTimeValid The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
Same problem here. Simple test failing:
```
invoke-webrequest "https://www.powershellgallery.com/api/v2/"
invoke-webrequest : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS
secure channel.
At line:1 char:1
+ invoke-webrequest "https://www.powershellgallery.com/api/v2/"
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
```
Website in chrome says the cert expired today. Which seems odd given this closed ticket from a few months ago https://github.com/PowerShell/PowerShellGallery/issues/157 where the cert had to be renewed. 3 months seems like a short cert life.
> Website in chrome says the cert expired today. Which seems odd given this closed ticket from a few months ago https://github.com/PowerShell/PowerShellGallery/issues/157 where the cert had to be renewed. 3 months seems like a short cert life.
3 months is pretty standard if you're using something like Let's Encrypt or another free service for SSL certs
Would appreciate some help here. Our azure pipeline tasks are experiencing issues due to this
@SteveL-MSFT @SydneyhSmith @alerickson
install-module does not work now because of 'Unable to resolve package sources'. I think it is the same as the title.
This is breaking our Production deployment in Azure DevOps with Power Platform Build Tools. Any expediency here would be super appreciated.
> > Website in chrome says the cert expired today. Which seems odd given this closed ticket from a few months ago #157 where the cert had to be renewed. 3 months seems like a short cert life.
>
> 3 months is pretty standard if you're using something like Let's Encrypt or another free service for SSL certs
This is true, but most people who use something like Let's Encrypt also use modules that set scheduled tasks to renew the certs. The issue here could also potentially be server or domain related beyond just cert renewal issues.
And maybe Microsoft people please don't close this issue until the team adds some automation to rotate. We had exactly the same incident 3 months back.
@ashwinravi the same as us, we are also blocked in Azure DevOps Pipeline with install-module "xx" in a PowerShell script.
> @ashwinravi the same as us, we are also blocked in Azure DevOps Pipeline with install-module "xx" in a PowerShell script.
This will happen due to SSL/TLS restrictions when connecting to repositories. PowerShell, by default (for security/encryption purposes), requires SSL secure connections to be able to download and install modules.
Why Microsoft does not have this reoccurring issue resolved at this point is beyond annoying, but not surprising.
Would appreciate some help here. Our azure pipeline tasks are experiencing issues due to this. FYI @davidjenni this is breaking PPBT tools in Azure Pipelines.
There's already a Sev2 incident filed on the PowershellGallery team. Please stand by as this is being addressed
Our ADO pipelines are failing. Is anyone working on this issue? Any update from the Microsoft team?
before Microsoft updates SSL Certificates, I disable the SSL Check on my lab for this situation.
```powershell
function Ignore-SSLCertificates {
    # Lab workaround: compiles a certificate policy that accepts every certificate,
    # which turns off TLS certificate validation for the whole process.
    $Provider = New-Object Microsoft.CSharp.CSharpCodeProvider
    $Compiler = $Provider.CreateCompiler()
    $Params = New-Object System.CodeDom.Compiler.CompilerParameters
    $Params.GenerateExecutable = $false
    $Params.GenerateInMemory = $true
    $Params.IncludeDebugInformation = $false
    $Params.ReferencedAssemblies.Add("System.DLL") > $null
    # C# source for the trust-all policy; the here-string markers must sit at line start/end.
    $TASource = @'
namespace Local.ToolkitExtensions.Net.CertificatePolicy
{
    public class TrustAll : System.Net.ICertificatePolicy
    {
        public bool CheckValidationResult(System.Net.ServicePoint sp, System.Security.Cryptography.X509Certificates.X509Certificate cert, System.Net.WebRequest req, int problem)
        {
            return true;
        }
    }
}
'@
    $TAResults = $Provider.CompileAssemblyFromSource($Params, $TASource)
    $TAAssembly = $TAResults.CompiledAssembly
    $TrustAll = $TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
    # Install the policy process-wide: every later web request skips certificate checks.
    [System.Net.ServicePointManager]::CertificatePolicy = $TrustAll
}

Ignore-SSLCertificates
```
Wow, again......
> before Microsoft updates SSL Certificates, I disable the SSL Check on my lab for this situation.
This is a risky move as the SSL cert ensures that the connection made is secure and trusted. The connection of unsecure installations can be intercepted by man-in-the-middle attacks and also if the user forgets to remove this ignore, it increases the likelihood for this to be a potential.
We are working on a fix. I will update as soon as we have mitigated the issue.
> before Microsoft updates SSL Certificates, I disable the SSL Check on my lab for this situation.
This is waaaaaay too long :o) Try this:
```powershell
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
```
UPDATE: PS gallery API is disabled, so the trick with ignoring server certificate won't help. Package installations will fail regardless.
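Added example, not part of the thread or of any PowerShellGet code: a diagnostic that reads the server certificate's expiry date and chain status (for instance `NotTimeValid`) over a single connection, leaving the process-wide `ServicePointManager` settings untouched. The function name `Get-TlsCertificateStatus`, the `-WarnDays` threshold and the use of PowerShell 5.0 or later are assumptions of this sketch.

```powershell
# Added example. Assumes Windows PowerShell 5.0+ or PowerShell 7.
# Get-TlsCertificateStatus and -WarnDays are names chosen for this sketch.
function Get-TlsCertificateStatus {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $WarnDays = 14   # assumed alerting threshold
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate on THIS stream only, so that an expired one
        # can still be read. No application data is sent over it.
        $acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptForInspection)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    # Re-validate with the default chain policy to get the real verdict.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # this check covers dates and trust only
    $chainOk = $chain.Build($cert)
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    [pscustomobject]@{
        Host        = $HostName
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        ChainValid  = $chainOk
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Verdict     = if (-not $chainOk) { 'FAIL' } elseif ($daysLeft -lt $WarnDays) { 'WARN' } else { 'OK' }
    }
}

# Example call against the host discussed in this thread:
# Get-TlsCertificateStatus -HostName 'www.powershellgallery.com'
```

Run on a schedule, a `WARN` or `FAIL` verdict gives a pipeline owner notice of an approaching expiry without any change to how `Install-Module` validates the connection.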
Issue has been mitigated. Instances are coming up, so could be bit slow for the next few minutes.
It is working now but a little slow.
Was this the same cause as the last time? Are there plans to automate the certificate process so this doesn't happen again in three months time?
I'm getting "The service is unavailable.". On a positive note, the cert is now showing as valid :o)
PowerShellGallery should be up now.
I received a report, from unavailable to very slow. Has anyone considered establishing a gallery mirror mechanism? just like #164
Hi All, I am experiencing this issue again. Can't access PowerShell Gallery. Can we reopen this issue?
August 17th, 2021 20:45 UTC The PowerShell Gallery is having issues with latency. There is currently very low availability, with timeout errors when attempting to access the PSGallery.
Status: Investigating
August 17th, 2021 20:00 UTC The PowerShell Gallery is having issues allowing users to log in to accounts. Users are currently unable to log in due to an error with the Azure Active Directory app registration. This issue is currently being investigated and new registrations are being created.
Status: Investigating
https://github.com/PowerShell/PowerShellGallery/blob/master/psgallery_status.md
> August 17th, 2021 20:45 UTC The PowerShell Gallery is having issues with latency. There is currently very low availability, with timeout errors when attempting to access the PSGallery.
> Status: Investigating
> August 17th, 2021 20:00 UTC The PowerShell Gallery is having issues allowing users to log in to accounts. Users are currently unable to log in due to an error with the Azure Active Directory app registration. This issue is currently being investigated and new registrations are being created.
> Status: Investigating
> https://github.com/PowerShell/PowerShellGallery/blob/master/psgallery_status.md
Oh, OK my bad :)
> Hi All, I am experiencing this issue again. Can't access PowerShell Gallery. Can we reopen this issue?
A new issue has been created for this one: https://github.com/PowerShell/PowerShellGallery/issues/185
Hi all, there should not be any cert issues, so if anyone is encountering that, please open a new issue so we can investigate. The issue causing the outage today was regarding an App Registration resource and that issue is fully resolved now.
```
PS C:\Users\abc> Register-PSRepository -Name PSGallery -SourceLocation https://www.powershellgallery.com/api/v2
Get-PSGalleryApiAvailability : PowerShell Gallery is currently unavailable. Please try again later.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:4095 char:9
+ CategoryInfo : InvalidOperation: (:) [Get-PSGalleryApiAvailability], InvalidOperationException
+ FullyQualifiedErrorId : PowerShellGalleryUnavailable,Get-PSGalleryApiAvailability
```
It seems the cert has expired and we cannot install any modules now, potentially breaking CI