
Package Verifier - Could not create secure channel failure

Open gep13 opened this issue 4 years ago • 63 comments

Hello,

The package CoolTerm failed automatic verification based on the following error:

"The request was aborted: Could not create SSL/TLS secure channel."

https://gist.github.com/choco-bot/9220df125541e90f4c9b91b42831cbfd#file-install-txt-L342

The browser doesn't show any warnings, and neither do cURL or wget. I've retried verification a few times, but to no avail.

Thanks!

Update

This seems to be starting to affect a number of packages...

┆Issue is synchronized with this GitLab issue by Unito

gep13 avatar Feb 23 '21 11:02 gep13

I think you may add the eduke32 package to the list as well.

AdmiringWorm avatar Feb 23 '21 12:02 AdmiringWorm

And evga-flow-control probably should be added.

TheCakeIsNaOH avatar Feb 23 '21 16:02 TheCakeIsNaOH

For information, the comment I added for the review of evga-flow-control:

This package fails during Get-WebHeaders -url 'https://cdn.evga.com/utilities/EVGA_Flow_Control_Setup_v2.0.9.zip' -ErrorAction 'Stop'. After investigation, https://cdn.evga.com uses TLS1.3, and it seems TLS1.3 is not supported on Windows 2012. (...)

To be confirmed, but my thought is that this issue concerns domains using TLS1.3.

I also checked eduke32 and it uses TLS1.3.

Now, my update script for lossless-audio-checker fails (au_GetLatest failed; The request was aborted: Could not create SSL/TLS secure channel.) and https://losslessaudiochecker.com/ uses TLS1.3.

And I doubt it is possible to support TLS 1.3 on Windows 2012...

chtof avatar Feb 23 '21 20:02 chtof

Well, I'm not sure it is related to TLS1.3, as 3 domains in the list don't use TLS1.3 (w10privacy/openflexure-connect/coolterm packages). Or it can be related to the ciphers supported (as suggested by @TheCakeIsNaOH in the review of the evga-flow-control package).

==============================================================================
4k-video-downloader|https://gist.github.com/choco-bot/f1a8787080a08f6822b82c413b307b48#file-install-txt-L363|https://dl.4kdownload.com/app/4kvideodownloader_4.14.0_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
4k-stogram|https://gist.github.com/choco-bot/4a4b0a187580d6ecbff3ee05fd0ff2a8#file-install-txt-L364|https://dl.4kdownload.com/app/4kstogram_3.3.0_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
eduke32||https://dukeworld.com/eduke32/synthesis/20210206-9310-b7d4ae3a5/eduke32_win64_20210206-9310-b7d4ae3a5.7z
https://www.cdn77.com/tls-test?domain=dukeworld.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256

==============================================================================
exiftool|https://gist.github.com/choco-bot/c9f48504a00a21508ed8b1f074a40206#file-install-txt-L343|https://exiftool.org/exiftool-12.12.zip
https://www.cdn77.com/tls-test?domain=exiftool.org
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
evga-flow-control|https://gist.github.com/choco-bot/8d82c5b362a1e4bfac35a57b92e875f7|https://cdn.evga.com/utilities/EVGA_Flow_Control_Setup_v2.0.9.zip
https://www.cdn77.com/tls-test?domain=cdn.evga.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
4k-youtube-to-mp3|https://gist.github.com/choco-bot/556c775b8a971440f19d3b28bbd624a3#file-install-txt-L363|https://dl.4kdownload.com/app/4kyoutubetomp3_3.14.1_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

==============================================================================
w10privacy|https://gist.github.com/choco-bot/f0b8e7cd329fdb2223d2b2d6e5df3ac0#file-install-txt-L342|https://sf91b3285d9193eec.jimcontent.com/download/version/1609175074/module/12302828636/name/W10Privacy.zip' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\w10privacy\3.7.0.3\w10privacyInstall.zip
https://www.cdn77.com/tls-test?domain=sf91b3285d9193eec.jimcontent.com
TLS 1.3 disabled !!!
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

==============================================================================
openflexure-connect|https://gist.github.com/choco-bot/6f8a07c575856b7c2a7b2fc38bb300f2#file-install-txt-L326|https://build.openflexure.org/openflexure-ev/openflexure-connect-4.0.1-win.exe
https://www.cdn77.com/tls-test?domain=build.openflexure.org
TLS 1.3 disabled !!!
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

==============================================================================
CoolTerm||https://freeware.the-meiers.org/CoolTermWin.zip
https://www.cdn77.com/tls-test?domain=freeware.the-meiers.org
TLS 1.3 disabled !!!
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

==============================================================================
minio-server|https://gist.github.com/choco-bot/dea28bf005cd923c3e9bfaa476956081#file-install-txt-L346|https://dl.min.io/server/minio/release/windows-amd64/minio.exe
https://www.cdn77.com/tls-test?domain=dl.min.io
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled

TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

Note: https://github.com/minio/minio/issues/5834 regarding why some ciphers have been removed by minio server in 2018.

chtof avatar Feb 23 '21 21:02 chtof

And TLS2 ciphers supported by my Chocolatey test environment (Windows 2012):

Cipher Suites (26 suites)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Notes:

  • Windows 2012 Server doesn't support tls-ecdhe-rsa-with-aes-256-gcm-sha384 or 256/128 Ciphers. (https://stackoverflow.com/questions/48731089/tls-ecdhe-rsa-with-aes-256-gcm-sha384-in-windows-server-2012-r2)
  • https://social.technet.microsoft.com/Forums/en-US/4cdae557-4992-4a7c-ad68-06554bf1b213/how-do-i-add-new-cipher-suiteslisted-below-to-windows-2012-r2-and-windows-2008-r2?forum=winserverPN (Seems TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 are not supported by W2012).

chtof avatar Feb 24 '21 21:02 chtof
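The cipher comparison discussed in the comments above, as an added example that is not part of the original thread: it intersects the suites offered by the Windows 2012 test environment with the TLS 1.2 suites listed for five of the download hosts. The function names are hypothetical; all suite names are copied from the lists posted above.

```python
# Added example (not from the thread): cipher-suite overlap between the
# test VM and the download hosts, using only the lists posted above.

# ClientHello suites from the Windows 2012 test environment, in offer order.
CLIENT_OFFER = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5
""".split()

# The three TLS 1.2 suites that CoolTerm, evga-flow-control and minio-server
# hosts all list, and nothing else.
GCM_TRIO = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
""".split()

# TLS 1.2 suites per host, as reported in the tls-test listings above.
SERVER_TLS12 = {
    "freeware.the-meiers.org": GCM_TRIO,   # CoolTerm
    "cdn.evga.com": GCM_TRIO,              # evga-flow-control
    "dl.min.io": GCM_TRIO,                 # minio-server
    "dukeworld.com": GCM_TRIO + ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"],
    "exiftool.org": GCM_TRIO + ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"],
}


def shared_suites(client_offer, server_suites):
    """Suites both sides support, in the client's offer order."""
    server = set(server_suites)
    return [s for s in client_offer if s in server]


def triage(client_offer, servers):
    """Return (hosts with no shared suite, {host: shared suites}).

    No shared suite means the TLS 1.2 handshake cannot complete; a shared
    suite means the failure needs another explanation.
    """
    no_overlap, overlap = [], {}
    for host, suites in servers.items():
        common = shared_suites(client_offer, suites)
        if common:
            overlap[host] = common
        else:
            no_overlap.append(host)
    return sorted(no_overlap), overlap


def gcm_key_exchanges(suites):
    """Key-exchange/auth families (text between TLS_ and _WITH_) that the
    given list pairs with an AES-GCM cipher."""
    return {s[4:].split("_WITH_")[0] for s in suites if "_GCM_" in s}


if __name__ == "__main__":
    dead, alive = triage(CLIENT_OFFER, SERVER_TLS12)
    print("no shared suite:", dead)
    for host, common in alive.items():
        print("shared with", host, "->", common)
    print("client GCM key exchanges:", sorted(gcm_key_exchanges(CLIENT_OFFER)))
```

On these lists the client pairs AES-GCM only with DHE_RSA, RSA and ECDHE_ECDSA, so hosts that list nothing but ECDHE_RSA GCM/ChaCha20 suites have no overlap, while dukeworld.com and exiftool.org do share a suite with the client.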

And octave.install should be also added:

  • Chocolatey package: https://chocolatey.org/packages/octave.install/6.2.0
  • Logs: https://gist.github.com/choco-bot/99e61edd44de3d3133aa9669637d1eb2
Attempt to get headers for https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe failed.
  The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."

chtof avatar Feb 26 '21 18:02 chtof

https://chocolatey.org/packages/kodi/19.0

flcdrg avatar Feb 27 '21 09:02 flcdrg

https://chocolatey.org/packages/pspad/5.0.5

https://gist.github.com/choco-bot/080f2a935daded858c38fa1311527310:

2021-02-19 12:51:04,902 2076 [DEBUG] - Running Get-WebHeaders -url 'https://www.pspad.com/files/pspad/pspad505en.zip' -ErrorAction 'Stop' 
2021-02-19 12:51:04,902 2076 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:04,919 2076 [DEBUG] - Request Headers:
2021-02-19 12:51:04,934 2076 [DEBUG] -   'Accept':'*/*'
2021-02-19 12:51:04,934 2076 [DEBUG] -   'User-Agent':'chocolatey command line'
2021-02-19 12:51:06,308 2076 [INFO ] - Attempt to get headers for https://www.pspad.com/files/pspad/pspad505en.zip failed.
  The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.pspad.com/files/pspad/pspad505en.zip'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

chtof avatar Mar 01 '21 22:03 chtof

phraseexpress.install should be also added:

Chocolatey package: chocolatey.org/packages/phraseexpress.install/15.0.84.1 Log: gist.github.com/choco-bot/43f33a84932af4ee0a63386ccb5616db

2021-02-19 12:51:06,402 2284 [DEBUG] - Running Get-WebFile -url 'https://www.phraseexpress.com/PhraseExpressSetup.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\phraseexpress.install\15.0.84.1\PhraseExpress.InstallInstall.MSI' -options 'System.Collections.Hashtable' 
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting request timeout to  30000
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting read/write timeout to  2700000
2021-02-19 12:51:06,434 2284 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:08,746 2284 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.phraseexpress.com/PhraseExpressSetup.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
 at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331

no issues manually downloading the file via powershell and generating correct hash

Invoke-WebRequest -Uri https://www.phraseexpress.com/PhraseExpressSetup.msi -OutFile C:\PhraseExpressSetup.msi
Get-FileHash -Path C:\PhraseExpressSetup.msi -Algorithm SHA256
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          84F077781B018C4354BB1DD9D828F610C3528686C149768EF9CABAE6666B6174       C:\PhraseExpressSetup.msi

installs fine in chocolatey test environment: 2021-03-06_23-40-08

virtualex-itv avatar Mar 07 '21 04:03 virtualex-itv

https://chocolatey.org/packages/bacula/11.0.1 https://gist.github.com/8ca3c8959594340c0f528e9a7b9792f2

2021-02-19 12:50:56,059 2276 [DEBUG] - Setting url to 'https://www.bacula.org/download/10592/' and bitPackage to 64
2021-02-19 12:50:56,105 2276 [DEBUG] - Running Get-WebFileName -url 'https://www.bacula.org/download/10592/' -defaultName 'baculaInstall.exe' 
2021-02-19 12:50:58,871 2276 [DEBUG] - Url request/response failed - file name will be 'baculaInstall.exe':  Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
2021-02-19 12:50:58,903 2276 [DEBUG] - Running Get-WebHeaders -url 'https://www.bacula.org/download/10592/' -ErrorAction 'Stop' 
2021-02-19 12:50:58,918 2276 [DEBUG] - Setting the UserAgent to 'chocolatey command line'

mkevenaar avatar Mar 08 '21 08:03 mkevenaar

I am posting a similar issue for a zip file downloaded from sourceforge. My script uses Test-Url and it fails verification with the following message:

2021-02-19 12:51:10,965 1376 [DEBUG] - Setting url to 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' and bitPackage to 64
2021-02-19 12:51:11,152 1376 [DEBUG] - Running Get-WebFileName -url 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' -defaultName 'mrViewerInstall.zip'
2021-02-19 12:51:12,949 1376 [DEBUG] - Url request/response failed - file name will be 'mrViewerInstall.zip': Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
2021-02-19 12:51:13,058 1376 [DEBUG] - Running Get-WebHeaders -url 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' -ErrorAction 'Stop'
2021-02-19 12:51:13,058 1376 [DEBUG] - Setting the UserAgent to 'chocolatey command line'

Running the script locally it installs just fine. Full log at: https://gist.github.com/0b97c974600d6d39f161cacbe0bad92b

ggarra13 avatar Mar 08 '21 17:03 ggarra13

Another one anystream: https://chocolatey.org/packages/anystream/1.0.9.0 https://gist.github.com/choco-bot/09b0047ef557e8da56fbf343a056a46b

I've added an exemption.

TheCakeIsNaOH avatar Mar 08 '21 18:03 TheCakeIsNaOH

Yet more: https://chocolatey.org/packages/openxcom/2021.02.27.1532 https://chocolatey.org/packages/victoria/5.36 https://chocolatey.org/packages/tapaal/3.7.1

TheCakeIsNaOH avatar Mar 08 '21 19:03 TheCakeIsNaOH

Intunewinapputil - https://chocolatey.org/packages/intunewinapputil

pauby avatar Mar 09 '21 12:03 pauby

bluebrick - https://chocolatey.org/packages/bluebrick/1.9.1

TheCakeIsNaOH avatar Mar 09 '21 18:03 TheCakeIsNaOH

mrViewer 5.7.5 was approved with conditions, but v5.7.6 still remains unapproved.

On 9/3/21 at 15:31, TheCakeIsNaOH wrote:

mrViewer - https://chocolatey.org/packages/mrviewer/5.7.6 https://chocolatey.org/packages/bluebrick/1.9.1


ggarra13 avatar Mar 09 '21 21:03 ggarra13

@ggarra13 Must have missed that version to approve, I've approved it now.

In the future, if that happens, just leave a review comment on the package page and a moderator will pick it up.

TheCakeIsNaOH avatar Mar 09 '21 22:03 TheCakeIsNaOH

also seeing this with https://chocolatey.org/packages/habitat/1.6.267

mwrock avatar Mar 11 '21 00:03 mwrock

Here are more: https://chocolatey.org/packages/logstash/7.11.1 https://chocolatey.org/packages/httpmaster-professional/4.8.1 https://chocolatey.org/packages/httpmaster-express/4.8.1 https://chocolatey.org/packages/habitat/1.6.267 https://chocolatey.org/packages/uhe-hive/2.1.0 https://chocolatey.org/packages/uhe-bazille/1.1.1.20210310 https://chocolatey.org/packages/uhe-diva/1.4.4.20210310

TheCakeIsNaOH avatar Mar 12 '21 03:03 TheCakeIsNaOH

Hi, just chiming in, I have the exact same problem with logstash package

I think my issue is regarding the fact that the date of the server is always 19 February, and the certificate for the endpoint I tried to reach was only valid from 21 February.

Is there a reason why the date is fixed to 19 February? Perhaps others could verify as well if this is in fact the case for their packages?

UXabre avatar Mar 12 '21 06:03 UXabre

The logs for all the failures I saw with bluebrick seem to be showing the same thing (2021-02-19 even though it was already March) and it looks like the log entries pasted in this issue have similar timestamps as well!

douglaswth avatar Mar 12 '21 19:03 douglaswth

https://chocolatey.org/packages/elasticsearch/7.11.2

mkevenaar avatar Mar 14 '21 13:03 mkevenaar

Dear moderators,

I suddenly have the same issue with my packages ggu-software and ggu-software-international, they are both trusted and up to version 006, everything went absolutely smooth.

Here the response from Chocolatey after pushing my package ggu-software (the pre-requisites are checked with 'curl' or 'wget' adjusting the checksum after download):


chocolatey-ops (reviewer) on 13 Mar 2021 17:36:33 +00:00:

ggu-software has failed automated testing. This is not the only check that is performed so check the package page to ensure a 'Ready' status. Please visit https://gist.github.com/63335e969fd1a69feead8297e20a4aa0 for details. The package status will be changed and will be waiting on your next actions.

Lines 347-357 in the log say:

2021-02-19 12:51:07,527 2112 [DEBUG] - Running Get-WebFile -url 'https://www.ggu-software.com/fileadmin/edelivery/COMPLETE_GGU_SOFTWARE_20_21_007.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\ggu-software\20.21.007\ggu-softwareInstall.MSI' -options 'System.Collections.Hashtable'
2021-02-19 12:51:07,527 2112 [DEBUG] - Setting request timeout to 30000
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting read/write timeout to 2700000
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:09,886 2112 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.ggu-software.com/fileadmin/edelivery/COMPLETE_GGU_SOFTWARE_20_21_007.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
 at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331
 at Get-ChocolateyWebFile, C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1: line 345
 at Install-ChocolateyPackage, C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1: line 396
 at <ScriptBlock>, C:\ProgramData\chocolatey\lib\ggu-software\tools\chocolateyinstall.ps1: line 20
 at <ScriptBlock>, C:\ProgramData\chocolatey\helpers\chocolateyScriptRunner.ps1: line 49
 at <ScriptBlock>, <No file>: line 1


Please note the wrong DATE of the test server. I remember security exceptions to happen in the web, if the DATE setting on the client is erroneous (wrong BIOS setting for example).

Maybe, an NTP synchronisation of the virtual machine server would be a very simple persistent solution.

Best wishes.

numericalfreedom avatar Mar 15 '21 12:03 numericalfreedom

phraseexpress.install should be also added:

Chocolatey package: chocolatey.org/packages/phraseexpress.install/15.0.84.1 Log: gist.github.com/choco-bot/43f33a84932af4ee0a63386ccb5616db

2021-02-19 12:51:06,402 2284 [DEBUG] - Running Get-WebFile -url 'https://www.phraseexpress.com/PhraseExpressSetup.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\phraseexpress.install\15.0.84.1\PhraseExpress.InstallInstall.MSI' -options 'System.Collections.Hashtable' 
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting request timeout to  30000
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting read/write timeout to  2700000
2021-02-19 12:51:06,434 2284 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:08,746 2284 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.phraseexpress.com/PhraseExpressSetup.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
 at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331

no issues manually downloading the file via powershell and generating correct hash

Invoke-WebRequest -Uri https://www.phraseexpress.com/PhraseExpressSetup.msi -OutFile C:\PhraseExpressSetup.msi
Get-FileHash -Path C:\PhraseExpressSetup.msi -Algorithm SHA256
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          84F077781B018C4354BB1DD9D828F610C3528686C149768EF9CABAE6666B6174       C:\PhraseExpressSetup.msi

installs fine in chocolatey test environment: 2021-03-06_23-40-08

The wrong DATE of the test server appears also in your logs.

numericalfreedom avatar Mar 15 '21 12:03 numericalfreedom

@numericalfreedom, this is because the not before date for the certificate used on https://www.ggu-software.com hasn't occurred yet.

Also, usually, the VM takes over the time of the host, so I'm confused why it actually takes an older date as well...

UXabre avatar Mar 15 '21 14:03 UXabre
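The clock check described in the comments above, as an added example that is not part of the original thread: it reads the VM time from a verifier log, compares it with the time the review was posted, and evaluates a certificate validity window at both clocks. The log lines are abridged from the ggu-software log quoted above and the review time is the chocolatey-ops timestamp; the certificate dates and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Chocolatey log entry: "2021-02-19 12:51:09,886 2112 [ERROR] - message"
ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \d+ \[(\w+)\s*\] - (.*)$")

# The two .NET error texts seen in the thread and the stage each points to.
STAGES = {
    "Could not create SSL/TLS secure channel": "handshake",
    "Could not establish trust relationship": "certificate validation",
}

# Abridged from the ggu-software verifier log quoted in the thread.
SAMPLE_LOG = r"""
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:09,886 2112 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.ggu-software.com/fileadmin/edelivery/COMPLETE_GGU_SOFTWARE_20_21_007.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
 at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331
""".splitlines()

REVIEW_TIME = datetime(2021, 3, 13, 17, 36, 33)   # chocolatey-ops comment time
CERT_NOT_BEFORE = datetime(2021, 2, 21)           # constructed sample value
CERT_NOT_AFTER = datetime(2021, 5, 22)            # constructed sample value


def parse_entries(lines):
    """Return [(timestamp, level, message)]; lines without a timestamp
    (stack-trace continuations) are folded into the preceding entry."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append([ts, m.group(2), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def validity(not_before, not_after, at):
    """State of a certificate validity window at the instant `at`."""
    if at < not_before:
        return "not yet valid"
    if at > not_after:
        return "expired"
    return "valid"


def diagnose(lines, real_time, not_before, not_after, max_skew_hours=24):
    """Find the first TLS failure in the log and test the clock hypothesis.

    Timestamps are treated as naive; time zones are ignored because the
    skew of interest is measured in days.
    """
    failure = next(((ts, stage) for ts, _, msg in parse_entries(lines)
                    for text, stage in STAGES.items() if text in msg), None)
    if failure is None:
        return {"stage": None}
    vm_time, stage = failure
    skew = real_time - vm_time
    return {
        "stage": stage,
        "vm_time": vm_time,
        "skew_days": skew.days,
        "clock_suspect": abs(skew.total_seconds()) > max_skew_hours * 3600,
        "cert_at_vm_clock": validity(not_before, not_after, vm_time),
        "cert_at_real_time": validity(not_before, not_after, real_time),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, REVIEW_TIME, CERT_NOT_BEFORE, CERT_NOT_AFTER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A certificate that is "not yet valid" at the VM clock but "valid" at the real time, together with a skew of several days, points at the verifier's clock rather than at the download host.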

This is a hot track, could explain the sudden series of difficulties with different packages with same sort of problem.

numericalfreedom avatar Mar 15 '21 17:03 numericalfreedom

https://chocolatey.org/packages/sublimemerge/0.0.2049

https://gist.github.com/e5c649be53a713b65dc6d240ec8b8fd4:

2021-02-19 12:51:07,105 2112 [DEBUG] - Running Get-WebHeaders -url 'https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe' -ErrorAction 'Stop' 
2021-02-19 12:51:07,121 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:07,121 2112 [DEBUG] - Request Headers:
2021-02-19 12:51:07,169 2112 [DEBUG] -   'Accept':'*/*'
2021-02-19 12:51:07,169 2112 [DEBUG] -   'User-Agent':'chocolatey command line'
2021-02-19 12:51:08,496 2112 [INFO ] - Attempt to get headers for https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe failed.
  The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

chtof avatar Mar 15 '21 19:03 chtof

The date setting in the test server must be corrected and all package maintainers can try to repush the packages that have failed in the second triage phase.

numericalfreedom avatar Mar 16 '21 12:03 numericalfreedom

The issue can be closed, correct packages work again fine, Best regards to all Administrators, Moderators and Maintainers in Chocolatey !!! NandorTamaskovics @numericalfreedom.com

numericalfreedom avatar Mar 17 '21 08:03 numericalfreedom

Is it actually fixed? Or is it simply a new image of the buildserver, with a fixed date and thus problems will arise from, for instance, tomorrow onward?

UXabre avatar Mar 17 '21 08:03 UXabre