TeamCity Plugin SSL Error on Ubuntu 22.04 LTS

peter.wyss · 29 January 2023 21:23

I updated a TeamCity Linux build agent from Ubuntu 20.04 LTS to 22.04 LTS. After that the Octopus plugin stopped working for example when trying to push packages:

System.Exception: Unable to connect to the Octopus Deploy server. See the inner exception for details.
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception.
System.TypeInitializationException: The type initializer for 'Ssl' threw an exception.
System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception.
Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:module_run:unknown module name

In another thread I found I could set the environment variable DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 which solves the error. This however is a workaround.

Will there be a real fix to this problem?

paraic.oceallaigh · 30 January 2023 00:21

Hi Peter,
Welcome to the Octopus forum!

Sorry to see you run into that dotnet issue:

github.com/dotnet/runtime

Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name

opened 12:22AM - 01 Nov 18 UTC

closed 11:35PM - 31 Jan 20 UTC

JustArchi

bug area-System.Security

Hello. Since a few days I'm getting rather weird situation of internal OpenSS…L failures on my machine. In particular, this is the exception that I'm encountering since a few days: ``` System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception. ---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception. ---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception. ---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:MODULE_RUN:unknown module name at Interop.SslInitializer..cctor() --- End of inner exception stack trace --- at Interop.SslInitializer.Initialize() at Interop.Ssl..cctor() --- End of inner exception stack trace --- at Interop.Ssl.SslV2_3Method() at Interop.Ssl.SslMethods..cctor() --- End of inner exception stack trace --- at Interop.OpenSsl.AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SafeDeleteSslContext..ctor(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, SslAuthenticationOptions sslAuthenticationOptions) --- End of inner exception stack trace --- at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState) at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state) at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions) at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken) at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken) --- End of inner exception stack trace --- at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask) at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts) at ArchiSteamFarm.WebBrowser.InternalRequest(Uri requestUri, HttpMethod httpMethod, IReadOnlyCollection`1 data, String referer, HttpCompletionOption httpCompletionOption, Byte maxRedirections) ``` I've tried to solve this issue through various ways. Using `CLR_OPENSSL_VERSION_OVERRIDE=1.1` I'm getting a different one: ``` Cannot get required symbol CRYPTO_add_lock from libssl Aborted ``` Using `DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0` fixed the problem I was having. CURL and OpenSSL work fine on my machine, I can make all usual https requests and my .NET Core app also has no issues doing them with curl handler. I've managed to reproduce this on **two different machines**, both running Debian 10 (testing) x64, second machine being clean VM install. I suspect that this problem might be caused by some Debian libraries update, in particular `libssl1.1` package (even though I see no reason why it'd break 1.0.2 usage, but it's the only library that dotnet depends on that got updated recently). For reference: ``` +++-=================-============-============-=============================================== ii libssl1.0.2:amd64 1.0.2o-1 amd64 Secure Sockets Layer toolkit - shared libraries ii libssl1.1:amd64 1.1.1-2 amd64 Secure Sockets Layer toolkit - shared libraries ``` I realize that Debian 10 is not supported as of yet, but this looks like some general libssl compatibility issue that you might be interested in looking into. You should have no problem trying to reproduce this issue on clean Debian Testing install, but if you'd need any further help from me, please let me know. For completion, this was reproduced on two different SDK versions, latest stable and latest master: ``` .NET Core SDK (reflecting any global.json): Version: 2.1.403 Commit: 04e15494b6 Runtime Environment: OS Name: debian OS Version: OS Platform: Linux RID: debian-x64 Base Path: /usr/share/dotnet/sdk/2.1.403/ Host (useful for support): Version: 2.1.5 Commit: 290303f510 .NET Core SDKs installed: 2.1.403 [/usr/share/dotnet/sdk] .NET Core runtimes installed: Microsoft.AspNetCore.All 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All] Microsoft.AspNetCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App] Microsoft.NETCore.App 2.1.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App] To install additional .NET Core runtimes or SDKs: https://aka.ms/dotnet-download ``` ``` .NET Core SDK (reflecting any global.json): Version: 3.0.100-alpha1-009708 Commit: ce09d64d8a Runtime Environment: OS Name: debian OS Version: OS Platform: Linux RID: debian-x64 Base Path: /opt/dotnet-test/sdk/3.0.100-alpha1-009708/ Host (useful for support): Version: 3.0.0-preview1-27029-03 Commit: 631e219c26 .NET Core SDKs installed: 3.0.100-alpha1-009708 [/opt/dotnet-test/sdk] .NET Core runtimes installed: Microsoft.AspNetCore.All 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.All] Microsoft.AspNetCore.App 3.0.0-alpha1-10062 [/opt/dotnet-test/shared/Microsoft.AspNetCore.App] Microsoft.NETCore.App 3.0.0-preview1-27029-03 [/opt/dotnet-test/shared/Microsoft.NETCore.App] To install additional .NET Core runtimes or SDKs: https://aka.ms/dotnet-download ``` Thank you for looking into my issue.

From our side I’m afraid the news isn’t helpful as we don’t have any direct fix for this issue. Unfortunately it looks like the dotnet folks have closed the issue on GH and don’t seem to be pursuing an actual fix.

We try hard not to make any changes to any OS as part of the Octopus install as that can be fraught with all kinds of potential problems. So trying to fix a dotnet/openssl issue would be well beyond our remit in this case.
The workaround in this case does seem reasonable which is why I guess Dotnet haven’t gone any further on this one.

Let us know if you need anything else.

Kind regards,
Paraic

peter.wyss · 30 January 2023 11:58

Hi Paraic,

what confuses me here is that when I download the Octopus CLI 9.1.3 and use that one, it works perfectly on that Linux machine. From what I saw this is the same version that the TeamCity plugin uses. The only difference seems to be that the one in the plugin is a DLL and the one that can be downloaded is an EXE.

So why does one work and the other doesn’t?

By the way, the CLI direct download link here is outdated: Download Octopus CLI - Octopus Deploy

finnian.dempsey · 30 January 2023 23:59

Hi @peter.wyss,

Just stepping in for Paraic while he’s offline. Thanks for pointing out the outdated CLI link, I’ll make sure to get that fixed up!

New versions of our CLI now use .NET 6 instead of .NET Core, which doesn’t have the same issues with libssl1.1 that .NET Core has, as mentioned in the issue.

Feel free to reach out if you have any further questions at all!

Best Regards,

peter.wyss · 31 January 2023 00:26

Hi @finnian.dempsey

you say that new versions of the CLI use .net 6. But I checked the version that is bundled with the TeamCity plugin and that seems to be 9.1.3. And when I call that bundled version from the bash I get the error. When I download the same version as a standalone application and run it from the bash it works. Was that one compiled with a newer .net even though they have the identical version number?

So if the .net version is the issue, it seems like the obvious solution would be to update the CLI bundled with the Octopus TeamCity plugin to a new version using .net 6, and the problem should be solved, right?

finnian.dempsey · 31 January 2023 02:08

Hi @peter.wyss,

Those versions should be the exact same build so it sounds likely that there will be some environment configuration responsible for the difference, but I’ll see if I can reproduce any differences with each build my end.

The solution you found to use DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER is only available between .NET Core 2.1 to 3.1 and indicates for Curl to be used rather than OpenSSL.

This suggests that the issue is likely with the OpenSSL configuration (and it’s initialisation), I found this StackOverflow post which suggests to change the config using the following command:

sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf

Let me know if that helps or if I can explain anything further!

Best Regards,

system · 3 March 2023 02:08

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.