microsoft / update-server-server-sync

Sample implementation of the "Windows Update Services: Server-Server" protocol.
MIT License

SSL error on Linux #1

Closed paususe closed 4 years ago

paususe commented 4 years ago

upsync works fine on Windows but it fails on Linux.

I have tried with Ubuntu 18.04, openSUSE Leap 15.1 and others. I have tried with .NET Core 2.2 and 3.0. It always fails with:

$ dotnet run -p src/sync-tool/upsync-tool.csproj pre-fetch --master --destination master.zip
Creating compressed metadata store master.zip
Fetching categories ...
Acquiring new access token...
Unhandled Exception: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'sws.update.microsoft.com'. ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslState.ThrowIfExceptional()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.b47_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask)
   at System.Threading.Tasks.ValueTask1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at System.ServiceModel.Channels.HttpChannelFactory1.HttpClientRequestChannel.HttpClientChannelAsyncRequest.SendRequestAsync(Message message, TimeoutHelper timeoutHelper)
   --- End of inner exception stack trace ---
   at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
   at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>cDisplayClass1_0.b0(IAsyncResult asyncResult)
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.UpdateServices.Client.ClientAuthenticator.GetAuthenticationInfo() in /home/pagarcia/dev/wsus/update-server-server-sync/src/library/Client/ClientAuthenticator.cs:line 181
   at Microsoft.UpdateServices.Client.ClientAuthenticator.Authenticate() in /home/pagarcia/dev/wsus/update-server-server-sync/src/library/Client/ClientAuthenticator.cs:line 155
   at Microsoft.UpdateServices.Client.ClientAuthenticator.Authenticate(ServiceAccessToken cachedAccessToken) in /home/pagarcia/dev/wsus/update-server-server-sync/src/library/Client/ClientAuthenticator.cs:line 107
   at Microsoft.UpdateServices.Client.UpstreamServerClient.RefreshAccessToken(String accountName, Nullable`1 accountGuid) in /home/pagarcia/dev/wsus/update-server-server-sync/src/library/Client/UpstreamServerClient.cs:line 95
   at Microsoft.UpdateServices.Client.UpstreamServerClient.GetCategories(IMetadataSink destination) in /home/pagarcia/dev/wsus/update-server-server-sync/src/library/Client/UpstreamServerClient.cs:line 140
   at Microsoft.UpdateServices.Tools.UpdateRepo.MetadataSync.FetchUpdates(QueryFilter queryToRun, CompressedMetadataStore destinationResult) in /home/pagarcia/dev/wsus/update-server-server-sync/src/sync-tool/MetadataFetch.cs:line 167
   at Microsoft.UpdateServices.Tools.UpdateRepo.MetadataSync.FetchCategories(FetchCategoriesOptions options) in /home/pagarcia/dev/wsus/update-server-server-sync/src/sync-tool/MetadataFetch.cs:line 98
   at Microsoft.UpdateServices.Tools.UpdateRepo.Program.<>c.b0_2(FetchCategoriesOptions opts) in /home/pagarcia/dev/wsus/update-server-server-sync/src/sync-tool/Program.cs:line 28
   at CommandLine.ParserResultExtensions.WithParsed[T](ParserResult1 result, Action1 action)
   at Microsoft.UpdateServices.Tools.UpdateRepo.Program.Main(String[] args) in /home/pagarcia/dev/wsus/update-server-server-sync/src/sync-tool/Program.cs:line 15

I have tried all the workarounds described in the .NET Core GitHub issue tracker but none of them work for me :-?

paususe commented 4 years ago

I figured it out.

A few Microsoft root certificates were missing, so I downloaded authrootstl.cab, extracted it and copied all the PEM certificates to /usr/share/pki/trust/anchors/.

virusdefender commented 3 years ago

Another way is to use openssl s_client -connect sws.update.microsoft.com:443 -showcerts

then save the cert content of Microsoft Update Secure Server CA 2.1 and trust it
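
An added example (not code from this thread or from the project): the chain printed by `openssl s_client -showcerts` comes from a connection that has not been validated yet, so this code parses that output, picks the certificate with the name given in the comment above, and returns it only when its SHA-256 fingerprint matches a value obtained from a separate trusted source. The sample output, the placeholder certificate bytes and every function name are constructed for illustration.

```python
import base64
import hashlib
import re

def to_pem(der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed stand-ins for DER bytes; these are not real certificates.
LEAF_DER = b"constructed leaf certificate bytes"
CA_DER = b"constructed intermediate CA certificate bytes"
CA_CN = "Microsoft Update Secure Server CA 2.1"  # name taken from the thread

# Constructed sample shaped like `openssl s_client -showcerts` output.
SAMPLE = (
    "Certificate chain\n 0 s:CN = sws.update.microsoft.com\n"
    f"   i:CN = {CA_CN}\n" + to_pem(LEAF_DER) +
    f" 1 s:CN = {CA_CN}\n   i:CN = Constructed Root CA\n"
    "   v:NotBefore: (constructed); NotAfter: (constructed)\n" + to_pem(CA_DER) +
    "---\nServer certificate\n" + to_pem(LEAF_DER)
)

# One chain entry: "N s:<subject>", "i:<issuer>", optional a:/v: lines, PEM.
ENTRY = re.compile(
    r"^[ \t]*(?P<depth>\d+) s:(?P<subject>[^\n]*)\n"
    r"[ \t]+i:(?P<issuer>[^\n]*)\n"
    r"(?:[ \t]+[a-z]:[^\n]*\n)*"
    r"-----BEGIN CERTIFICATE-----\n(?P<b64>[A-Za-z0-9+/=\n]+?)"
    r"-----END CERTIFICATE-----", re.M)

def common_name(dn):
    # Accepts both "CN = x" (OpenSSL 1.1+) and "/CN=x" (1.0.x) spellings.
    m = re.search(r"(?:^|[,/])\s*CN\s*=\s*([^,/\n]+)", dn)
    return m.group(1).strip() if m else None

def parse_chain(text):
    return [{"depth": int(m["depth"]), "subject": m["subject"].strip(),
             "issuer": m["issuer"].strip(), "der": base64.b64decode(m["b64"])}
            for m in ENTRY.finditer(text)]

def pinned_pem(chain, cn, expected_sha256):
    # Release the certificate only when its fingerprint matches the pin.
    want = expected_sha256.replace(":", "").lower()
    for cert in chain:
        if common_name(cert["subject"]) == cn:
            if hashlib.sha256(cert["der"]).hexdigest() != want:
                raise ValueError(f"fingerprint mismatch for {cn!r}")
            return to_pem(cert["der"])
    raise LookupError(f"{cn!r} not in chain")
```

`pinned_pem` accepts the colon-separated form printed by `openssl x509 -noout -fingerprint -sha256` as well as plain hex.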