TeamCity Plugin SSL Error on Ubuntu 22.04 LTS

I updated a TeamCity Linux build agent from Ubuntu 20.04 LTS to 22.04 LTS. After that the Octopus plugin stopped working for example when trying to push packages:

System.Exception: Unable to connect to the Octopus Deploy server. See the inner exception for details.
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception.
System.TypeInitializationException: The type initializer for 'Ssl' threw an exception.
System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception.
Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:module_run:unknown module name

In another thread I found I could set the environment variable DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0 which solves the error. This however is a workaround.

Will there be a real fix to this problem?

Hi Peter,
Welcome to the Octopus forum!

Sorry to see you run into that dotnet issue:

From our side I’m afraid the news isn’t helpful as we don’t have any direct fix for this issue. Unfortunately it looks like the dotnet folks have closed the issue on GH and don’t seem to be pursuing an actual fix.

We try hard not to make any changes to any OS as part of the Octopus install as that can be fraught with all kinds of potential problems. So trying to fix a dotnet/openssl issue would be well beyond our remit in this case.
The workaround in this case does seem reasonable which is why I guess Dotnet haven’t gone any further on this one.

Let us know if you need anything else.

Kind regards,

Hi Paraic,

what confuses me here is that when I download the Octopus CLI 9.1.3 and use that one, it works perfectly on that Linux machine. From what I saw this is the same version that the TeamCity plugin uses. The only difference seems to be that the one in the plugin is a DLL and the one that can be downloaded is an EXE.

So why does one work and the other doesn’t?

By the way, the CLI direct download link here is outdated: Download Octopus CLI - Octopus Deploy

Hi @peter.wyss,

Just stepping in for Paraic while he’s offline. Thanks for pointing out the outdated CLI link, I’ll make sure to get that fixed up!

New versions of our CLI now use .NET 6 instead of .NET Core, which doesn’t have the same issues with libssl1.1 that .NET Core has, as mentioned in the issue.

Feel free to reach out if you have any further questions at all!

Best Regards,

Hi @finnian.dempsey

you say that new versions of the CLI use .net 6. But I checked the version that is bundled with the TeamCity plugin and that seems to be 9.1.3. And when I call that bundled version from the bash I get the error. When I download the same version as a standalone application and run it from the bash it works. Was that one compiled with a newer .net even though they have the identical version number?

So if the .net version is the issue, it seems like the obvious solution would be to update the CLI bundled with the Octopus TeamCity plugin to a new version using .net 6, and the problem should be solved, right?

Hi @peter.wyss,

Those versions should be the exact same build so it sounds likely that there will be some environment configuration responsible for the difference, but I’ll see if I can reproduce any differences with each build my end.

The solution you found to use DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER is only available between .NET Core 2.1 to 3.1 and indicates for Curl to be used rather than OpenSSL.

This suggests that the issue is likely with the OpenSSL configuration (and it’s initialisation), I found this StackOverflow post which suggests to change the config using the following command:

sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/g' /etc/ssl/openssl.cnf 

Let me know if that helps or if I can explain anything further!

Best Regards,

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.