dotnet 2.1.300 in centos 7 Error:The SSL connection could not be established, see inner exception System.Net.Http #26590

Closed
aibujie opened this issue Jun 23, 2018 · 20 comments
Labels
area-System.Net.Http os-linux Linux OS (any supported distro) tenet-compatibility Incompatibility with previous versions or .NET Framework

aibujie commented Jun 23, 2018

Error: One or more errors occurred. (The SSL connection could not be established, see inner exception.)
Code:
var http = new System.Net.Http.HttpClient();
http.DefaultRequestHeaders.Add("user-agent", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36");
http.GetStringAsync("https://www.23us.net/90/90325/23873102.html");

Normal in Centos7, most of them will produce this error, part of the URL is normal, this URL in the example will produce this error
Everything works fine under Windows

@aibujie aibujie changed the title dotnet 2.1.300 in centos 7 Error:The SSL connection could not be established, see inner exception dotnet 2.1.300 in centos 7 Error:The SSL connection could not be established, see inner exception System.Net.Http Jun 23, 2018
Author

aibujie commented Jun 23, 2018

The code is OK in netcore 2.0.


ghost commented Jun 24, 2018

Could it be because that HTML page link does not work in the browser either?

Author

aibujie commented Jun 24, 2018

This code is completely error-free in netcore 2.0.
Only linux netcore 2.1 error


ghost commented Jun 24, 2018

got:

Unhandled Exception: System.Net.Http.HttpRequestException: Resource temporarily unavailable ---> System.Net.Sockets.SocketException: Resource temporarily unavailable
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at System.Net.Http.HttpClient.GetStringAsyncCore(Task`1 getTask)
   at g.Program.Main(String[] args) in /g/Program.cs:line 13
   at g.Program.<Main>(String[] args)

with:

using System;
using System.Net;
using System.Threading.Tasks;

class Program
{
    static async Task Main(string[] args)
    {
        using(var client = new System.Net.Http.HttpClient())
        {
            client.DefaultRequestHeaders.Add("user-agent", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36");
            Console.WriteLine(await client.GetStringAsync("https://www.23us.net/90/90325/23873102.html"));
        }
    }
}

works fine with https://github.com, for example.

How else can anyone reproduce this issue if your link https://www.23us.net/90/90325/23873102.html is broken?

@marekhanzlik

Experiencing this problem as well, running on Amazon AMI Linux

@pjanotti
Contributor

@bujie are you hitting the same stack as https://github.com/dotnet/corefx/issues/30641 or something different?

@pjanotti
Contributor

@bujie I can't repro with current master, 2.1.301, or 2.1.300-preview1-008174. Please copy the full callstack that you are getting.

Author

aibujie commented Jun 27, 2018

@pjanotti My project has been rolled back to dotnet core 2.0, which temporarily solves this problem. I expect 2.1.302 can solve this problem.

Author

aibujie commented Jun 27, 2018

The demo run on Ubuntu 16.04 (dotnet core 2.1.301) is OK.

Running it on CentOS 7 (2.1.301) gives an error:

Unhandled Exception: System.AggregateException: One or more errors occurred. (The SSL connection could not be established, see inner exception.) ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

@pjanotti
Contributor

hum the stack is different from #26294, this looks like a different issue. @bartonjs are you aware of anything like this on Centos 7?

@pjanotti
Contributor

Most of my runs on centos-7 2.1.301 were "No such device or address", but I was able to complete it successfully once; perhaps they are switching certs according to timezones or geo-location. If you can provide some info about the cert that you get when there is a failure, it might be helpful. Is this something affecting only this specific address?

@bartonjs
Member

CentOS's curl (by default) uses NSS as the TLS backend, so it's possible that NSS was trusting a root cert that OpenSSL isn't.

The easiest way I know of to diagnose it is to register a custom callback for validation and inspect the X509Chain object.

X509ChainElementCollection elements = chain.ChainElements;
Console.WriteLine($"Chain built with {elements.Count} elements");
for (int i = 0; i < elements.Count; i++)
{
    X509ChainElement element = elements[i];
    Console.WriteLine($"Element {i}: {element.Certificate.GetNameInfo(X509NameType.SimpleName, false)}");
    Console.WriteLine("  Status:");

    foreach (X509ChainStatus status in element.ChainElementStatus)
    {
        Console.WriteLine($"  {status.Status}: {status.StatusInformation}");
    }
}

I'm guessing it's UntrustedRootAuthority, which might be fixed by running update-ca-trust extract (based on https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html's multi-OS/distro advice)
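
A complete version of the diagnostic described in this comment, as an added example that is not code from the thread or from the .NET project. It registers the callback on `HttpClientHandler`, dumps the chain, and returns the platform's own verdict so an invalid certificate is still rejected. The names `ChainDiagnostics` and `LogAndKeepVerdict` are hypothetical and the default URL is a placeholder.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

class ChainDiagnostics // hypothetical name, not from the thread
{
    // Logs what the platform validator decided and returns that same verdict,
    // so the callback never turns a failed validation into a success.
    static bool LogAndKeepVerdict(HttpRequestMessage request, X509Certificate2 cert,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"{request.RequestUri.Host}: SslPolicyErrors = {errors}");
        if (chain == null || chain.ChainElements.Count == 0)
            return errors == SslPolicyErrors.None;

        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            Console.WriteLine($"Element {i}: {element.Certificate.Subject}");
            Console.WriteLine($"  Issuer: {element.Certificate.Issuer}");
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine($"  {status.Status}: {status.StatusInformation}");
        }

        // UntrustedRoot: the top of the chain is absent from the trust store
        // that .NET reads, even if another TLS stack on the host trusts it.
        if (chain.ChainStatus.Any(s => s.Status == X509ChainStatusFlags.UntrustedRoot))
        {
            X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            Console.WriteLine($"Untrusted root: {top.Subject} (thumbprint {top.Thumbprint})");
        }
        return errors == SslPolicyErrors.None;
    }

    static async Task Main(string[] args)
    {
        // Placeholder URL; pass the failing address as the first argument.
        string url = args.Length > 0 ? args[0] : "https://example.com/";
        var handler = new HttpClientHandler { ServerCertificateCustomValidationCallback = LogAndKeepVerdict };
        using (var client = new HttpClient(handler))
        {
            try
            {
                using (HttpResponseMessage response = await client.GetAsync(url))
                    Console.WriteLine($"HTTP {(int)response.StatusCode}");
            }
            catch (HttpRequestException ex)
            {
                Console.WriteLine($"Request failed: {ex.InnerException?.Message ?? ex.Message}");
            }
        }
    }
}
```

The subject and thumbprint printed for an untrusted root can be compared against the host's CA bundle before and after running `update-ca-trust extract`.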

Member

karelz commented Jul 3, 2018

@bujie @marekhanzlik were you able to inspect the X509Chain as @bartonjs suggested?
BTW: Please do not expect bugs to be magically fixed in next version when the root-cause is not clear.

@pjanotti
Contributor

Closing since we lack information to do anything about it.


h0730303779 commented Dec 29, 2018

oh ~ I also encountered this problem.
image
my system centos 7.2 sdk 2.2

Member

karelz commented Jan 8, 2019

@h0730303779 can you please provide more details - can you reproduce it repeatedly? On more than 1 machine?
Did you try to analyze the network traffic with packet capture tools?

Also, it is not clear if your problem is truly the same underlying problem as the original report - I would suggest to create a new one. In general we do not monitor comments on closed issues.


h0730303779 commented Jan 8, 2019

> @h0730303779 can you please provide more details - can you reproduce it repeatedly? On more than 1 machine?
> Did you try to analyze the network traffic with packet capture tools?
>
> Also, it is not clear if your problem is truly the same underlying problem as the original report - I would suggest to create a new one. In general we do not monitor comments on closed issues.

My two centos cloud virtual machines are like this.
But I solved it myself, I used docker ;
No problems with WebClient in docker ; thank you for your reply

@marekhanzlik

I'm not really sure now (it was some time ago), but I think I fixed this problem by installing CURL in my docker container (I had this problem in a container).


Rwing commented Mar 12, 2019

@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 3.0 milestone Jan 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 16, 2020