Bug 58033 - mkbundle --list-targets System.Net.WebException: Error: TrustFailure
Status: RESOLVED ANSWERED
Alias: None
Product: Tools
Classification: Mono
Component: other ()
Version: unspecified
Hardware: PC Linux
Assignee: Bugzilla
Reported: 2017-07-09 01:42 UTC by Hin-Tak Leung
Modified: 2017-07-10 23:15 UTC (History)

Description Hin-Tak Leung 2017-07-09 01:42:20 UTC
This is probably the same as bug 44668, but I am on 4.8.0, which is a lot newer:

$ mono --version
Mono JIT compiler version 4.8.0 (Stable 4.8.0.520/8f6d0f6 Fri Jun 30 22:14:25 BST 2017)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           __thread
	SIGSEGV:       altstack
	Notifications: epoll
	Architecture:  amd64
	Disabled:      none
	Misc:          softdebug 
	LLVM:          supported, not enabled.
	GC:            sgen

Anyway, the actual message is:

$ mkbundle --list-targets
Available targets locally:
	default	- Current System Mono

Unhandled Exception:
System.Net.WebException: Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED) ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00054] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncProtocolRequest asyncRequest, Mono.Net.Security.AsyncOperationStatus status) [0x00033] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (Mono.Net.Security.AsyncOperationStatus status) [0x00086] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation () [0x0000d] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation () [0x00000] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <373b6e083d6e45e498c9082a8eebd27f>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00083] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000c] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0006a] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
   --- End of inner exception stack trace ---
  at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x0008a] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at System.Net.WebClient.DownloadString (System.Uri address) [0x00027] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at (wrapper remoting-invoke-with-check) System.Net.WebClient:DownloadString (System.Uri)
  at MakeBundle.Main (System.String[] args) [0x00514] in <7f48080a3b114b079f18a57679809965>:0 
[ERROR] FATAL UNHANDLED EXCEPTION: System.Net.WebException: Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED) ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00054] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncProtocolRequest asyncRequest, Mono.Net.Security.AsyncOperationStatus status) [0x00033] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (Mono.Net.Security.AsyncOperationStatus status) [0x00086] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation () [0x0000d] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation () [0x00000] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <373b6e083d6e45e498c9082a8eebd27f>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00083] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000c] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0006a] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
   --- End of inner exception stack trace ---
  at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x0008a] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at System.Net.WebClient.DownloadString (System.Uri address) [0x00027] in <f8255d9ef0594d18ae2c0d97286b9a80>:0 
  at (wrapper remoting-invoke-with-check) System.Net.WebClient:DownloadString (System.Uri)
  at MakeBundle.Main (System.String[] args) [0x00514] in <7f48080a3b114b079f18a57679809965>:0 
$


This is somewhat different from Bug 44668.

This is a new install anyway, so there are no certificates, etc. It would be nice for the exception to be trapped and provide some instructions on what certificates to import, etc.

Comment 1 Hin-Tak Leung 2017-07-09 01:44:39 UTC
It is on Fedora 26, btw. I have upgraded ahead of GA (Fedora 26 is due next week).

Comment 2 Aleksey Kliger 2017-07-10 15:54:52 UTC
You don't say if you're compiling from source or installing from the mono-project.com package.  If you're installing packages from elsewhere - you may need to file a bug with the package maintainers to ensure that the package runs the mono cert-sync tool as part of postinstall.

If you're installing from source, you need to use the cert-sync tool yourself to import your system's root certificates into mono's certificate store. 
Please see http://www.mono-project.com/docs/about-mono/releases/4.8.0/#tls-12-support
and http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
for instructions.

In short it should be enough to do:
    cert-sync /etc/pki/tls/certs/ca-bundle.crt
(possibly with --user or using sudo)

Comment 3 Hin-Tak Leung 2017-07-10 23:15:58 UTC
Thanks - I compiled from source; or rather rebuilt from Fedora's source rpm, with one or two additional but unrelated patches. I shall file a bug report at Fedora, though I personally think "cert-sync --user" is perhaps better. (if the message actually asked me to do so, instead of the whole exception).
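
The thread asks for an instruction instead of a raw TrustFailure trace, and the answer is to run cert-sync against the system CA bundle. The following preflight check is an added example, not part of the thread or of Mono: it reports an empty per-user trust store and prints the cert-sync command to run. The function names are hypothetical, and the store path `~/.config/.mono/new-certs/Trust` and the two non-Fedora bundle paths are assumptions.

```shell
#!/bin/sh
# Added example (not Mono code): detect an unpopulated Mono trust store
# before a tool such as mkbundle makes an HTTPS request.

# Candidate CA bundles. The first is the path given in the thread (Fedora);
# the other two are assumed common locations on other distributions.
CA_BUNDLES="/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt /etc/ssl/ca-bundle.pem"

# Print the first readable candidate that contains at least one PEM certificate.
# $1: optional space-separated list of paths (defaults to CA_BUNDLES).
find_ca_bundle() {
    for f in ${1:-$CA_BUNDLES}; do
        if [ -r "$f" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print the number of files in a trust store directory (0 if it is missing).
count_store_certs() {
    if [ ! -d "$1" ]; then
        echo 0
        return 0
    fi
    find "$1" -type f | wc -l | tr -d ' '
}

# $1: store directory (assumed default: per-user BTLS store written by
#     "cert-sync --user"); $2: optional bundle candidates for find_ca_bundle.
# Returns 0 if the store holds certificates, 1 otherwise.
mono_trust_preflight() {
    store=${1:-"$HOME/.config/.mono/new-certs/Trust"}
    n=$(count_store_certs "$store")
    if [ "$n" -gt 0 ]; then
        echo "ok: $n certificate file(s) in $store"
        return 0
    fi
    if bundle=$(find_ca_bundle "$2"); then
        echo "empty store: run cert-sync --user $bundle"
    else
        echo "empty store: no system CA bundle found to import"
    fi
    return 1
}
```

Source the file and call `mono_trust_preflight` before `mkbundle --list-targets`; a non-zero return means the TLS handshake would have nothing to validate against.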