Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SslStreamNetworkStreamTest failures "The remote certificate is invalid because of errors in the certificate chain: PartialChain" #112856

Open
EgorBo opened this issue Feb 24, 2025 · 6 comments · May be fixed by #112858
Open

SslStreamNetworkStreamTest failures "The remote certificate is invalid because of errors in the certificate chain: PartialChain" #112856

EgorBo opened this issue Feb 24, 2025 · 6 comments · May be fixed by #112858
Assignees
@rzikm
Labels
area-System.Net.Security blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' in-pr There is an active PR which will close this issue when it is merged Known Build Error Use this to report build issues in the .NET Helix tab

Comments

@EgorBo
Copy link
Member

EgorBo commented Feb 24, 2025
edited by build-analysis bot
Loading

Widespread failures on CI

Build Information

Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=960836
Build error leg or test failing:

Error Message

Fill the error message using step by step known issues guidance.

{
  "ErrorMessage": "The remote certificate is invalid because of errors in the certificate chain: PartialChain",
  "BuildRetry": false,
  "ExcludeConsoleLog": false
}

Known issue validation

Build: 🔎 https://dev.azure.com/dnceng-public/public/_build/results?buildId=960836
Error message validated: [The remote certificate is invalid because of errors in the certificate chain: PartialChain]
Result validation: ✅ Known issue matched with the provided build.
Validation performed at: 2/24/2025 12:02:22 PM UTC

Report

Build Definition Test Pull Request
961792 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112891
961687 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112705
961664 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112883
961574 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112884
961566 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112352
961503 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111626
961474 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112457
961420 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112736
961383 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111934
961399 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112879
961374 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111933
961413 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK
961356 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112728
961317 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112876
961301 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112875
961331 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112874
961258 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112872
961240 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112817
961252 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112864
961167 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112352
961205 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111759
961156 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112730
961085 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112863
961075 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112796
961063 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #110472
961045 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112753
961015 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112853
960957 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111229
960984 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112787
960942 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112736
960946 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112736
960859 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112824
960836 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111933
960829 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111626
960826 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #112851
960841 dotnet/runtime System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_ServerUntrustedCaWithCustomTrust_OK #111791

Summary

24-Hour Hit Count 7-Day Hit Count 1-Month Count
36 36 36
@EgorBo EgorBo added the Known Build Error Use this to report build issues in the .NET Helix tab label Feb 24, 2025
@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Feb 24, 2025
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Feb 24, 2025
@EgorBo EgorBo added area-System.Net.Security blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' and removed untriaged New issue has not been triaged by the area owner needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Feb 24, 2025
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@EgorBo
Copy link
Member Author

EgorBo commented Feb 24, 2025

Looks like it might be #112567 cc @rzikm @wfurt

@rzikm
Copy link
Member

rzikm commented Feb 24, 2025

Yes, interestingly, it did not show in build analysis on the PR, will investigate

@wfurt
Copy link
Member

wfurt commented Feb 24, 2025

I'm wondering if we can restore now session that was created just with certificate...? Or possibly different chain if the certificate was cross-signed (not this case) When the cache was linked to context we did not have that problem.

@EgorBo
Copy link
Member Author

EgorBo commented Feb 24, 2025

I assume it failed only on pipelines which ran on runtime/jit changes only. It looks like it's not the first time (see this) so maybe we should run these pipelines on changes in System Security stuff as well?

@rzikm
Copy link
Member

rzikm commented Feb 24, 2025

I assume it failed only on pipelines which ran on runtime/jit changes only.

The test failed on the PR as well, it just did not show in the Build Analysis. The failure is deterministic and would show on all outerloop pipeline runs.

I'm wondering if we can restore now session that was created just with certificate...? Or possibly different chain if the certificate was cross-signed (not this case) When the cache was linked to context we did not have that problem.

That is what I found, we need to include all cert(hashes) in the cache key

@rzikm rzikm self-assigned this Feb 24, 2025
@rzikm rzikm linked a pull request Feb 24, 2025 that will close this issue
Open
@dotnet-policy-service dotnet-policy-service bot added the in-pr There is an active PR which will close this issue when it is merged label Feb 24, 2025
@MichalStrehovsky MichalStrehovsky mentioned this issue Feb 24, 2025
Merged
@AndyAyersMS AndyAyersMS mentioned this issue Feb 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rzikm rzikm

Labels
area-System.Net.Security blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' in-pr There is an active PR which will close this issue when it is merged Known Build Error Use this to report build issues in the .NET Helix tab
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use certificate thumbprints from entire chain in SSL_CTX cache rzikm/dotnet-runtime
3 participants
@EgorBo @wfurt @rzikm