Fix PowerShell Core Snap TLS connectivity issues

Issue Description

PowerShell Core is installed as a classic snap. The web cmdlets and WebClient-related actions all fail with the following error message when connecting to TLS-protected resources, while host OS binaries like curl connect just fine:

The remote certificate is invalid according to the validation procedure.

Setup Details

PS /home/megamorf> $PSVersionTable                                                                          

Name                           Value
----                           -----
PSVersion                      6.1.0
PSEdition                      Core
GitCommitId                    6.1.0
OS                             Linux 4.18.11-93.current #1 SMP PREEMPT Tue Oct 2 00:24:40 UTC 2018
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Installed as snap:

PS /home/megamorf> snap list powershell
Name        Version  Rev  Tracking  Publisher              Notes
powershell  6.1.0    11   stable    microsoft-powershell✓  classic

Troubleshooting

The Gallery is not available and cannot be registered:

PS /home/megamorf> Get-PSRepository
WARNING: Unable to find module repositories.
PS /home/megamorf> Register-PSRepository -Default -Verbose
VERBOSE: Performing the operation "Register Module Repository." on target "Module Repository 'PSGallery' () in provider 'PowerShellGet'.".
PS /home/megamorf> Get-PSRepository
WARNING: Unable to find module repositories.

I tried the PowerShellGet version that ships with PS as well as the latest stable release from GitHub:

PS /home/megamorf> Get-Module PowerShellGet -ListAvailable


    Directory: /home/megamorf/.local/share/powershell/Modules


ModuleType Version    Name                                PSEdition ExportedCommands
---------- -------    ----                                --------- ----------------
Script     2.0.1      PowerShellGet                       Desk      {Find-Command, Find-DSCResource, Find-Module, Find-RoleCapability...}


    Directory: /snap/powershell/11/opt/powershell/Modules


ModuleType Version    Name                                PSEdition ExportedCommands
---------- -------    ----                                --------- ----------------
Script     1.6.7      PowerShellGet                       Desk      {Find-Command, Find-DSCResource, Find-Module, Find-RoleCapability...}

Apparently something is wrong with the certificate store/trust. Querying the v2 endpoint of the Gallery by IP works once certificate validation is turned off with -SkipCertificateCheck:

PS /home/megamorf> Invoke-WebRequest -Uri https://40.87.85.101/api/v2 -SslProtocol Tls12 -SkipCertificateCheck

StatusCode        : 200
StatusDescription : OK
Content           : <?xml version="1.0" encoding="utf-8"?><service xml:base="https://40.87.85.101/api/v2" xmlns="http://www.w3.org/2007/app" 
                    xmlns:atom="http://www.w3.org/2005/Atom"><workspace><atom:title type="text">Def...
RawContent        : HTTP/1.1 200 OK
                    Cache-Control: no-cache
                    Pragma: no-cache
                    Server: Microsoft-IIS/10.0
                    X-CorrelationId: 80007c2b-0007-e000-b63f-84710c7967bb
                    DataServiceVersion: 3.0
                    Content-Security-Policy: frame-ancesto...
Headers           : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Server, System.String[]], [X-CorrelationId, System.String[]]...}
Images            : {}
InputFields       : {}
Links             : {}
RawContentLength  : 325
RelationLink      : {}

But the same TLS 1.2 request against the hostname, with certificate validation left on, does not work:

PS /home/megamorf> Invoke-WebRequest -Uri https://www.powershellgallery.com/api/v2 -SslProtocol Tls12
Invoke-WebRequest : The remote certificate is invalid according to the validation procedure.
At line:1 char:1
+ Invoke-WebRequest -Uri https://www.powershellgallery.com/api/v2 -SslP ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (Method: GET, Re...rShell/6.1.0
}:HttpRequestMessage) [Invoke-WebRequest], HttpRequestException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

I assumed the ca-certificates provided by the snap environment are not up to date or missing certificates to complete the CA chain of trust.

Solution

I seem to have narrowed down the issue. Among the people affected seem to be some Solus users as well. There are two possible workarounds:

Option 1

I was able to get restore working on my Solus box by first running export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0. Once I did that, dotnet restore worked.

Source: https://github.com/dotnet/core/issues/1668#issuecomment-398960685

Option 2

There’s a bit of openssl which has been dormant forever which we are tripping over in some scenarios and we’re working through the best fix. In the meantime, you can work around this by setting the SSL_CERT_FILE to the host OS cert. Setting it to the Snap subsystem also works but that feels funny to me.

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
export SSL_CERT_DIR=/dev/null

Source: https://github.com/dotnet/core-setup/issues/4295#issuecomment-422208914
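With SSL_CERT_DIR set to /dev/null, a wrong or empty SSL_CERT_FILE leaves no trust anchors at all and every TLS connection fails with the same validation error. The following is an added example, not part of the original post or the quoted comment, that applies Option 2 only after checking that the bundle exists and contains certificates. It generalizes beyond the post: the function names are hypothetical, and the candidate paths other than /etc/ssl/certs/ca-certificates.crt are assumed common distro locations.

```shell
#!/usr/bin/env bash
# Added example: pick a host CA bundle for the SSL_CERT_FILE workaround.
# Only the first candidate path comes from the post; the others are assumed
# common distro locations.
CA_BUNDLE_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem"

# count_pem_certs FILE: print the number of PEM certificate blocks in FILE.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# pick_ca_bundle [PATH...]: print the first readable file holding at least one
# certificate; return 1 if none qualifies. Defaults to CA_BUNDLE_CANDIDATES.
pick_ca_bundle() {
    if [ "$#" -eq 0 ]; then
        set -- $CA_BUNDLE_CANDIDATES   # intentional word splitting on newlines
    fi
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        n=$(count_pem_certs "$f")
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# tls_env_for_pwsh [PATH...]: print the two export lines from Option 2, or fail
# without printing anything so the caller never ends up with an empty trust store.
tls_env_for_pwsh() {
    bundle=$(pick_ca_bundle "$@") || {
        echo "no usable CA bundle found; environment left unchanged" >&2
        return 1
    }
    printf "export SSL_CERT_FILE='%s'\n" "$bundle"
    printf 'export SSL_CERT_DIR=/dev/null\n'
}

# Usage (assumes pwsh is on PATH):
#   env_lines=$(tls_env_for_pwsh) && eval "$env_lines" && pwsh
```

Unlike -SkipCertificateCheck, this keeps certificate validation on and only changes where the trust anchors are read from.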

Follow GitHub Issue 7827 to stay in the loop.