Comments (63)
Hi, just chiming in, I have the exact same problem with logstash package
I think my issue is regarding the fact that the date of the server is always 19 February, and the certificate for the endpoint I tried to reach was only valid from 21 February.
Is there a reason why the date is fixed to 19 February? Perhaps others could verify as well if this is in fact the case for their packages?
from home.
@overag3 That was a rhetorical question and not aimed at you 😄
from home.
I think you may add the eduke32 package to the list as well.
from home.
And evga-flow-control probably should be added.
from home.
bluebrick - https://chocolatey.org/packages/bluebrick/1.9.1
from home.
@numericalfreedom, this is because the not before date for the certificate used on https://www.ggu-software.com hasn't occurred yet:
Also, usually, the VM takes over the time of the host, so I'm confused why it actually takes an older date as well...
from home.
@numericalfreedom The underlying issue hasn't been resolved. As @UXabre said, a new instance of the sandbox was created. That's a short term fix for some of these issues, not all of them.
Longer term this is being worked on.
from home.
I have root caused the issue with octave.install and evga-flow-control. The chocolateyinstall.ps1 scripts for both packages were explicitly forcing TLS 1.1 in the installer and PowerShell/.NET was failing to connect to the mirrors as those sites were rejecting anything older than TLS 1.2. After removing those lines and rebuilding the packages, they installed without issue. I have a pull request with the appropriate fix here:
The issue is in the downstream package install script and not in Chocolatey.
from home.
@thundron This is only for Package Verifier and not for when you push packages. I'm going to hide your comment only because it may cause confusion when we go through this issue to find the problematic packages.
If this is a recurring issue for you when pushing, can you ask the question on Discord - you're likely going to get a quicker answer there and if an issue needs to be raised you can do that separately. Thanks.
from home.
For information, the comment I added for the review of evga-flow-control:
This package fails during Get-WebHeaders -url 'https://cdn.evga.com/utilities/EVGA_Flow_Control_Setup_v2.0.9.zip' -ErrorAction 'Stop'
After investigation, https://cdn.evga.com uses TLS1.3 and it seems TLS1.3 is not supported on Windows 2012.
(...)
To be confirmed, but my thought is this issue concerns domains using TLS1.3.
I also checked eduke32 and it uses TLS1.3;
Now, my update script for lossless-audio-checker fails (au_GetLatest failed; The request was aborted: Could not create SSL/TLS secure channel.) and https://losslessaudiochecker.com/ uses TLS1.3
And I doubt it is possible to support TLS 1.3 on Windows 2012...
from home.
Well, not sure if it is related to TLS1.3, as 3 domains of the list don't use TLS1.3 (w10privacy/openflexure-connect/coolterm packages).
Or it can be related to the ciphers supported (as suggested by @TheCakeIsNaOH in the review of the evga-flow-control package).
==============================================================================
4k-video-downloader|https://gist.github.com/choco-bot/f1a8787080a08f6822b82c413b307b48#file-install-txt-L363|https://dl.4kdownload.com/app/4kvideodownloader_4.14.0_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled
TLSv1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
==============================================================================
4k-stogram|https://gist.github.com/choco-bot/4a4b0a187580d6ecbff3ee05fd0ff2a8#file-install-txt-L364|https://dl.4kdownload.com/app/4kstogram_3.3.0_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled
TLSv1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
==============================================================================
eduke32||https://dukeworld.com/eduke32/synthesis/20210206-9310-b7d4ae3a5/eduke32_win64_20210206-9310-b7d4ae3a5.7z
https://www.cdn77.com/tls-test?domain=dukeworld.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
==============================================================================
exiftool|https://gist.github.com/choco-bot/c9f48504a00a21508ed8b1f074a40206#file-install-txt-L343|https://exiftool.org/exiftool-12.12.zip
https://www.cdn77.com/tls-test?domain=exiftool.org
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
==============================================================================
evga-flow-control|https://gist.github.com/choco-bot/8d82c5b362a1e4bfac35a57b92e875f7|https://cdn.evga.com/utilities/EVGA_Flow_Control_Setup_v2.0.9.zip
https://www.cdn77.com/tls-test?domain=cdn.evga.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
==============================================================================
4k-youtube-to-mp3|https://gist.github.com/choco-bot/556c775b8a971440f19d3b28bbd624a3#file-install-txt-L363|https://dl.4kdownload.com/app/4kyoutubetomp3_3.14.1_x64.msi?source=chocolatey
https://www.cdn77.com/tls-test?domain=dl.4kdownload.com
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled
TLSv1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
==============================================================================
w10privacy|https://gist.github.com/choco-bot/f0b8e7cd329fdb2223d2b2d6e5df3ac0#file-install-txt-L342|https://sf91b3285d9193eec.jimcontent.com/download/version/1609175074/module/12302828636/name/W10Privacy.zip' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\w10privacy\3.7.0.3\w10privacyInstall.zip
https://www.cdn77.com/tls-test?domain=sf91b3285d9193eec.jimcontent.com
TLS 1.3 disabled !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled
TLSv1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
==============================================================================
openflexure-connect|https://gist.github.com/choco-bot/6f8a07c575856b7c2a7b2fc38bb300f2#file-install-txt-L326|https://build.openflexure.org/openflexure-ev/openflexure-connect-4.0.1-win.exe
https://www.cdn77.com/tls-test?domain=build.openflexure.org
TLS 1.3 disabled !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TLS 1.2 enabled
TLS 1.1 (deprecated) enabled
TLS 1.0 (deprecated) enabled
TLSv1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
==============================================================================
CoolTerm||https://freeware.the-meiers.org/CoolTermWin.zip
https://www.cdn77.com/tls-test?domain=freeware.the-meiers.org
TLS 1.3 disabled !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
==============================================================================
minio-server|https://gist.github.com/choco-bot/dea28bf005cd923c3e9bfaa476956081#file-install-txt-L346|https://dl.min.io/server/minio/release/windows-amd64/minio.exe
https://www.cdn77.com/tls-test?domain=dl.min.io
TLS 1.3 enabled
TLS 1.2 enabled
TLS 1.1 (deprecated) disabled
TLS 1.0 (deprecated) disabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
Note: minio/minio#5834 regarding why some ciphers have been removed by minio server in 2018.
from home.
And TLS2 ciphers supported by my Chocolatey test environment (Windows 2012):
Cipher Suites (26 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Notes:
- Windows 2012 Server doesn't support tls-ecdhe-rsa-with-aes-256-gcm-sha384 or 256/128 Ciphers. (https://stackoverflow.com/questions/48731089/tls-ecdhe-rsa-with-aes-256-gcm-sha384-in-windows-server-2012-r2)
- https://social.technet.microsoft.com/Forums/en-US/4cdae557-4992-4a7c-ad68-06554bf1b213/how-do-i-add-new-cipher-suiteslisted-below-to-windows-2012-r2-and-windows-2008-r2?forum=winserverPN (Seems TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 are not supported by W2012).
from home.
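An added example, not part of any comment in this thread: the two preceding comments list each server's cipher suites and the Windows 2012 client's TLS 1.2 suites, and this Python sketch parses three abridged entries of that report and computes which suites both sides share. The function names `parse_report` and `shared_tls12_suites` are hypothetical, and it assumes the client offers only the listed TLS 1.2 suites and no TLS 1.3.

```python
import re
from urllib.parse import urlparse

# TLS 1.2 suites the Windows 2012 test environment offers, as listed in the thread.
CLIENT_TLS12 = set("""
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256         TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA            TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA           TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA                TLS_RSA_WITH_RC4_128_MD5
""".split())

# Three entries abridged from the report in the thread: header, TLS 1.2/1.3
# status lines and suite lines are kept; the other lines are trimmed.
REPORT = """\
==========
evga-flow-control|https://gist.github.com/choco-bot/8d82c5b362a1e4bfac35a57b92e875f7|https://cdn.evga.com/utilities/EVGA_Flow_Control_Setup_v2.0.9.zip
TLS 1.3 enabled
TLS 1.2 enabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
==========
exiftool|https://gist.github.com/choco-bot/c9f48504a00a21508ed8b1f074a40206#file-install-txt-L343|https://exiftool.org/exiftool-12.12.zip
TLS 1.3 enabled
TLS 1.2 enabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLSv1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
==========
CoolTerm||https://freeware.the-meiers.org/CoolTermWin.zip
TLS 1.3 disabled
TLS 1.2 enabled
TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""


def parse_report(text):
    """Return {host: {"TLSv1.x": [suites]}} from the '='-separated report."""
    servers, host, version = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("="):
            continue                      # blank line or entry separator
        if "|" in line:                   # header: package|log|download-url
            host = urlparse(line.split("|")[2]).hostname
            servers[host], version = {}, None
        elif host and re.fullmatch(r"TLSv1\.\d", line):
            version = line                # start of a per-version suite list
            servers[host][version] = []
        elif host and version and line.startswith("TLS_"):
            servers[host][version].append(line)
        # status lines such as "TLS 1.3 enabled" fall through and are ignored
    return servers


def shared_tls12_suites(servers, client=CLIENT_TLS12):
    """Per host, the TLS 1.2 suites offered by both sides, in server order."""
    return {host: [s for s in versions.get("TLSv1.2", []) if s in client]
            for host, versions in servers.items()}


if __name__ == "__main__":
    for host, suites in shared_tls12_suites(parse_report(REPORT)).items():
        print(f"{host}: {', '.join(suites) if suites else 'no common TLS 1.2 suite'}")
```

On this data cdn.evga.com and freeware.the-meiers.org share no suite with the client, while exiftool.org shares two, so a cipher mismatch alone does not account for every failing package.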
And octave.install should be also added:
- Chocolatey package: https://chocolatey.org/packages/octave.install/6.2.0
- Logs: https://gist.github.com/choco-bot/99e61edd44de3d3133aa9669637d1eb2
Attempt to get headers for https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe failed.
The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
from home.
https://chocolatey.org/packages/kodi/19.0
from home.
https://chocolatey.org/packages/pspad/5.0.5
https://gist.github.com/choco-bot/080f2a935daded858c38fa1311527310:
2021-02-19 12:51:04,902 2076 [DEBUG] - Running Get-WebHeaders -url 'https://www.pspad.com/files/pspad/pspad505en.zip' -ErrorAction 'Stop'
2021-02-19 12:51:04,902 2076 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:04,919 2076 [DEBUG] - Request Headers:
2021-02-19 12:51:04,934 2076 [DEBUG] - 'Accept':'*/*'
2021-02-19 12:51:04,934 2076 [DEBUG] - 'User-Agent':'chocolatey command line'
2021-02-19 12:51:06,308 2076 [INFO ] - Attempt to get headers for https://www.pspad.com/files/pspad/pspad505en.zip failed.
The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.pspad.com/files/pspad/pspad505en.zip'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
from home.
phraseexpress.install should be also added:
Chocolatey package: chocolatey.org/packages/phraseexpress.install/15.0.84.1
Log: gist.github.com/choco-bot/43f33a84932af4ee0a63386ccb5616db
2021-02-19 12:51:06,402 2284 [DEBUG] - Running Get-WebFile -url 'https://www.phraseexpress.com/PhraseExpressSetup.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\phraseexpress.install\15.0.84.1\PhraseExpress.InstallInstall.MSI' -options 'System.Collections.Hashtable'
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting request timeout to 30000
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting read/write timeout to 2700000
2021-02-19 12:51:06,434 2284 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:08,746 2284 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.phraseexpress.com/PhraseExpressSetup.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331
no issues manually downloading the file via powershell and generating correct hash
Invoke-WebRequest -Uri https://www.phraseexpress.com/PhraseExpressSetup.msi -OutFile C:\PhraseExpressSetup.msi
Get-FileHash -Path C:\PhraseExpressSetup.msi -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 84F077781B018C4354BB1DD9D828F610C3528686C149768EF9CABAE6666B6174 C:\PhraseExpressSetup.msi
installs fine in chocolatey test environment:
from home.
https://chocolatey.org/packages/bacula/11.0.1
https://gist.github.com/8ca3c8959594340c0f528e9a7b9792f2
2021-02-19 12:50:56,059 2276 [DEBUG] - Setting url to 'https://www.bacula.org/download/10592/' and bitPackage to 64
2021-02-19 12:50:56,105 2276 [DEBUG] - Running Get-WebFileName -url 'https://www.bacula.org/download/10592/' -defaultName 'baculaInstall.exe'
2021-02-19 12:50:58,871 2276 [DEBUG] - Url request/response failed - file name will be 'baculaInstall.exe': Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
2021-02-19 12:50:58,903 2276 [DEBUG] - Running Get-WebHeaders -url 'https://www.bacula.org/download/10592/' -ErrorAction 'Stop'
2021-02-19 12:50:58,918 2276 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
from home.
I am posting a similar issue for a zip file downloaded from sourceforge. My script uses Test-Url and it fails verification with the following message:
2021-02-19 12:51:10,965 1376 [DEBUG] - Setting url to 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' and bitPackage to 64
2021-02-19 12:51:11,152 1376 [DEBUG] - Running Get-WebFileName -url 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' -defaultName 'mrViewerInstall.zip'
2021-02-19 12:51:12,949 1376 [DEBUG] - Url request/response failed - file name will be 'mrViewerInstall.zip': Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
2021-02-19 12:51:13,058 1376 [DEBUG] - Running Get-WebHeaders -url 'https://sourceforge.net/projects/mrviewer/files/archive/v5.7.6/mrViewer-v5.7.6-Windows-64.zip' -ErrorAction 'Stop'
2021-02-19 12:51:13,058 1376 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
Running the script locally it installs just fine. Full log at: https://gist.github.com/0b97c974600d6d39f161cacbe0bad92b
from home.
Another one anystream: https://chocolatey.org/packages/anystream/1.0.9.0
https://gist.github.com/choco-bot/09b0047ef557e8da56fbf343a056a46b
I've added an exemption.
from home.
Yet more:
https://chocolatey.org/packages/openxcom/2021.02.27.1532
https://chocolatey.org/packages/victoria/5.36
https://chocolatey.org/packages/tapaal/3.7.1
from home.
Intunewinapputil - https://chocolatey.org/packages/intunewinapputil
from home.
@ggarra13 Must have missed that version to approve, I've approved it now.
In the future, if that happens, just leave a review comment on the package page and a moderator will pick it up.
from home.
also seeing this with https://chocolatey.org/packages/habitat/1.6.267
from home.
Here are more:
https://chocolatey.org/packages/logstash/7.11.1
https://chocolatey.org/packages/httpmaster-professional/4.8.1
https://chocolatey.org/packages/httpmaster-express/4.8.1
https://chocolatey.org/packages/habitat/1.6.267
https://chocolatey.org/packages/uhe-hive/2.1.0
https://chocolatey.org/packages/uhe-bazille/1.1.1.20210310
https://chocolatey.org/packages/uhe-diva/1.4.4.20210310
from home.
The logs for all the failures I saw with bluebrick seem to be showing the same thing (2021-02-19 even though it was already March) and it looks like the log entries pasted in this issue have similar timestamps as well!
from home.
https://chocolatey.org/packages/elasticsearch/7.11.2
from home.
Dear moderators,
I suddenly have the same issue with my packages ggu-software and ggu-software-international, they are both trusted and up to version 006, everything went absolutely smooth.
Here the response from Chocolatey after pushing my package ggu-software (the pre-requisites are checked with 'curl' or 'wget' adjusting the checksum after download):
chocolatey-ops (reviewer)
on 13 Mar 2021 17:36:33 +00:00:
ggu-software has failed automated testing.
This is not the only check that is performed so check the package page to ensure a 'Ready' status.
Please visit https://gist.github.com/63335e969fd1a69feead8297e20a4aa0 for details.
The package status will be changed and will be waiting on your next actions.
Lines 347-357 in the log say:
2021-02-19 12:51:07,527 2112 [DEBUG] - Running Get-WebFile -url 'https://www.ggu-software.com/fileadmin/edelivery/COMPLETE_GGU_SOFTWARE_20_21_007.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\ggu-software\20.21.007\ggu-softwareInstall.MSI' -options 'System.Collections.Hashtable'
2021-02-19 12:51:07,527 2112 [DEBUG] - Setting request timeout to 30000
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting read/write timeout to 2700000
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:09,886 2112 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.ggu-software.com/fileadmin/edelivery/COMPLETE_GGU_SOFTWARE_20_21_007.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331
at Get-ChocolateyWebFile, C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1: line 345
at Install-ChocolateyPackage, C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1: line 396
at , C:\ProgramData\chocolatey\lib\ggu-software\tools\chocolateyinstall.ps1: line 20
at , C:\ProgramData\chocolatey\helpers\chocolateyScriptRunner.ps1: line 49
at , : line 1
Please note the wrong DATE of the test server. I remember security exceptions happening on the web if the DATE setting on the client is erroneous (wrong BIOS setting, for example).
Maybe an NTP synchronisation of the virtual machine server would be a very simple persistent solution.
Best wishes.
from home.
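An added example, not part of any comment in this thread: a Python check that reads the verifier's clock from Chocolatey log timestamps, compares it with the time the review was posted, and evaluates a certificate validity window against both clocks. The function names are hypothetical, log timestamps are assumed to be UTC, and the certificate window is constructed (the thread only mentions a certificate valid from 21 February).

```python
import re
from datetime import datetime, timedelta, timezone

# Chocolatey log lines open with "YYYY-MM-DD HH:MM:SS,mmm <pid> [LEVEL]".
LOG_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \d+ \[")

# Abridged from the ggu-software log quoted in the thread; the error text is
# shortened and the stack-trace line carries no timestamp.
SAMPLE_LOG = r"""
2021-02-19 12:51:07,527 2112 [DEBUG] - Setting request timeout to 30000
2021-02-19 12:51:07,542 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:09,886 2112 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden
at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331
""".strip().splitlines()

# Timestamp of the chocolatey-ops review comment quoted in the thread.
REVIEW_TIME = "13 Mar 2021 17:36:33 +00:00"
REVIEW_FMT = "%d %b %Y %H:%M:%S %z"

# Constructed validity window: only "valid from 21 February" comes from the
# thread; the year and the end date are assumptions for this example.
NOT_BEFORE = datetime(2021, 2, 21, tzinfo=timezone.utc)
NOT_AFTER = datetime(2021, 5, 22, tzinfo=timezone.utc)


def vm_clock(lines, tz=timezone.utc):
    """Latest timestamp the verifier VM wrote to the log, or None."""
    stamps = [
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        for line in lines
        if (m := LOG_TS.match(line))
    ]
    return max(stamps) if stamps else None


def clock_skew(lines, reference, tolerance=timedelta(minutes=5)):
    """Return (reference - VM clock, True if the skew exceeds the tolerance)."""
    clock = vm_clock(lines)
    if clock is None:
        raise ValueError("no timestamped log lines")
    skew = reference - clock
    return skew, abs(skew) > tolerance


def cert_status(now, not_before, not_after):
    """Classify a validity window the way a TLS client's date check would."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    reference = datetime.strptime(REVIEW_TIME, REVIEW_FMT)
    skew, stale = clock_skew(SAMPLE_LOG, reference)
    print(f"VM clock {vm_clock(SAMPLE_LOG)} is behind by {skew} (stale={stale})")
    print("at VM clock:   ", cert_status(vm_clock(SAMPLE_LOG), NOT_BEFORE, NOT_AFTER))
    print("at review time:", cert_status(reference, NOT_BEFORE, NOT_AFTER))
```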
phraseexpress.install should be also added:
Chocolatey package: chocolatey.org/packages/phraseexpress.install/15.0.84.1
Log: gist.github.com/choco-bot/43f33a84932af4ee0a63386ccb5616db
2021-02-19 12:51:06,402 2284 [DEBUG] - Running Get-WebFile -url 'https://www.phraseexpress.com/PhraseExpressSetup.msi' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\phraseexpress.install\15.0.84.1\PhraseExpress.InstallInstall.MSI' -options 'System.Collections.Hashtable'
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting request timeout to 30000
2021-02-19 12:51:06,417 2284 [DEBUG] - Setting read/write timeout to 2700000
2021-02-19 12:51:06,434 2284 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:08,746 2284 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.phraseexpress.com/PhraseExpressSetup.msi'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 331
no issues manually downloading the file via powershell and generating correct hash
Invoke-WebRequest -Uri https://www.phraseexpress.com/PhraseExpressSetup.msi -OutFile C:\PhraseExpressSetup.msi
Get-FileHash -Path C:\PhraseExpressSetup.msi -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 84F077781B018C4354BB1DD9D828F610C3528686C149768EF9CABAE6666B6174 C:\PhraseExpressSetup.msi
The wrong DATE of the test server appears also in your logs.
from home.
This is a hot track, could explain the sudden series of difficulties with different packages with same sort of problem.
from home.
https://chocolatey.org/packages/sublimemerge/0.0.2049
https://gist.github.com/e5c649be53a713b65dc6d240ec8b8fd4:
2021-02-19 12:51:07,105 2112 [DEBUG] - Running Get-WebHeaders -url 'https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe' -ErrorAction 'Stop'
2021-02-19 12:51:07,121 2112 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2021-02-19 12:51:07,121 2112 [DEBUG] - Request Headers:
2021-02-19 12:51:07,169 2112 [DEBUG] - 'Accept':'*/*'
2021-02-19 12:51:07,169 2112 [DEBUG] - 'User-Agent':'chocolatey command line'
2021-02-19 12:51:08,496 2112 [INFO ] - Attempt to get headers for https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe failed.
The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://download.sublimetext.com/sublime_merge_build_2049_x64_setup.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
from home.
The date setting in the test server must be corrected and all package maintainers can try to repush the packages that have failed in the second triage phase.
from home.
The issue can be closed, correct packages work again fine, Best regards to all Administrators, Moderators and Maintainers in Chocolatey !!!
NandorTamaskovics
@numericalfreedom.com
from home.
Is it actually fixed? Or is it simply a new image of the buildserver, with a fixed date and thus problems will arise from, for instance, tomorrow onward?
from home.
@pauby My packages work correctly again for the moment and I hope that the date error does not return. Establishing a secure connection remains a tricky topic, anyway.
from home.
Some are working now, but I found a package that is still not working, probably due to cipher suite incompatibility.
https://chocolatey.org/packages/electron-cash.install/4.2.4
https://chocolatey.org/packages/electron-cash/4.2.4
from home.
My package gives the same error for package https://chocolatey.org/packages/potplayer/
https://gist.github.com/choco-bot/d71c6c5ec7c62522880bdacf100296e4
021-03-17 13:08:40,897 2148 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.hakkah.net/potplayer/PotPlayerSetup64-210318.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
I need to use a mirror because the dev seems to use his download location with a daily build hence crc checks fail roughly every other day and yet his release cycle is probably once a month to once every other month.
The weird thing is the log always shows the same time when trying to verify it. I tried it today and the log still says 17th of March.
from home.
octave.install still can't be downloaded:
ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send." The install of octave.install was NOT successful.
from home.
I have the same issue as above:
Paste is here: https://pastebin.com/kEattzZ8
Error line for me is as above:
Attempt to get headers for https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe failed. The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://ftpmirror.gnu.org/octave/windows/octave-6.2.0-w64-installer.exe'. Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
from home.
issue with octave.install package may be due to this line ?
https://github.com/chtof/chocolatey-packages/blob/5778bd14894ef6d87195e948656c5bd2a49d7cdf/automatic/octave.install/tools/chocolateyinstall.ps1#L4
from home.
issue with octave.install package may be due to this line ?
On a related question, why is that line in there?
from home.
No idea, ask the maintainer @chtof
from home.
@penguin359 Thanks for taking the time to troubleshoot and fix this!
from home.
Besides the two packages I fixed in @chtof 's repo, I am not seeing any other issues with other packages when I try to install them in my Windows 10 environment so I think that is a separate issue where the testing environment itself is using incompatible TLS versions or limited cipher support. I do not have any Windows Server 2012 R2 systems myself, but I did see that I might be able to use one through AppVeyor.
Several of the other sites I tested did fail when I used TLS 1.1, but all that I tested still supported TLS 1.2. I used this command to help test from an Ubuntu WSL environment:
openssl s_client -connect cdn.evga.com:443 -tls1_2
Changing the last argument to -tls1_1 caused a connection to be dropped immediately. I did see this update for Windows Server 2012:
from home.
Package https://community.chocolatey.org/packages/sourcemonitor/3.5.16 failing with "Could not create SSL/TLS secure channel" error.
Site seems to support TLS 1.2 and 1.3, though looking through earlier posts, it seems like the 1.2 ciphers aren't ones listed for 2012
from home.
https://community.chocolatey.org/packages/trillian/6.5.0.17
from home.
https://community.chocolatey.org/packages/qap/11.4
from home.
https://community.chocolatey.org/packages/termius/7.22.1
from home.
https://community.chocolatey.org/packages/SqlToolbelt/2022.01.10
from home.
https://community.chocolatey.org/packages/dell-system-update/1.9.3.0
from home.
https://community.chocolatey.org/packages/automouseclick/99.1.4.20220416
ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://www.murgee.com/auto-mouse-click/download/setup.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
from home.
Here is another: https://community.chocolatey.org/packages/telegraf/1.22.0
from home.
https://community.chocolatey.org/packages/ubiquiti-unifi-controller/7.1.66
from home.
https://community.chocolatey.org/packages/ledger-live/2.44.0
from home.
https://community.chocolatey.org/packages/gocdserver/22.2.0
https://community.chocolatey.org/packages/gocdagent/22.2.0
The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://download.gocd.org/binaries/22.2.0-14697/win/go-server-22.2.0-14697-jre-64bit-setup.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://download.gocd.org/binaries/22.2.0-14697/win/go-agent-22.2.0-14697-jre-64bit-setup.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
both seem to have TLS issues now due to https://download.gocd.org, which requires the below (Qualys SSL Labs "A" rating)
Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 128 bits x25519
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 128 bits x25519
from home.
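The cipher mismatch suspected in the comments above can be checked mechanically. This is an added example, not code from the thread or from Chocolatey: it parses the scan rows quoted for download.gocd.org and intersects them with a client's suite list. The `CLIENT` profile is constructed for illustration (an assumption, not measured on the verifier VM), and the function names are hypothetical.

```python
import re

# Server scan rows copied from the comment above (TLS 1.3 and TLS 1.2).
SCAN = """\
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
"""

# OpenSSL suite names (as printed by the scan) -> IANA names (as Windows lists them).
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# CONSTRUCTED client profile (assumption): speaks TLS 1.2 only and has no
# ECDHE-RSA AEAD suites. Replace with the list read from the real client.
CLIENT = {
    "TLSv1.2": [
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

ROW = re.compile(r"^(Preferred|Accepted)\s+(TLSv[\d.]+)\s+\d+ bits\s+(\S+)")

def parse_scan(text):
    """Return {protocol: [IANA suite names]} in the server's listed order."""
    offered = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            _, proto, suite = m.groups()
            offered.setdefault(proto, []).append(OPENSSL_TO_IANA.get(suite, suite))
    return offered

def negotiable(server, client):
    """Suites both sides share, for each protocol version the client speaks."""
    return {proto: [s for s in server.get(proto, []) if s in suites]
            for proto, suites in client.items()}

def diagnose(server, client):
    """Summarise whether any protocol/suite pair is common to both sides."""
    if any(negotiable(server, client).values()):
        return "handshake possible"
    return "no shared protocol/cipher suite: handshake failure expected"
```

An empty intersection for every protocol the client speaks is consistent with the "Could not create SSL/TLS secure channel" error even though both sides support TLS 1.2.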
Terraform package has this error too since version 1.2.7 of the package and should be added to the list too: https://community.chocolatey.org/packages/terraform/1.2.7
from home.
I got the same issue when trying to push to a new package:
https://community.chocolatey.org/packages/postman-cli/0.0.3
from home.
https://community.chocolatey.org/packages/lens/2022.9.260655
https://gist.github.com/choco-bot/d050ffceccf6b81957997c6732756a86
2022-09-27 02:49:25,323 2944 [INFO ] - Attempt to get headers for https://downloads.k8slens.dev/ide/Lens%20Setup%202022.9.260655-latest.exe failed.
The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://downloads.k8slens.dev/ide/Lens%20Setup%202022.9.260655-latest.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
2022-09-27 02:49:25,323 2944 [INFO ] -
2022-09-27 02:49:25,323 2944 [INFO ] - Downloading lens
from 'https://downloads.k8slens.dev/ide/Lens%20Setup%202022.9.260655-latest.exe'
2022-09-27 02:49:25,338 2944 [INFO ] -
2022-09-27 02:49:25,354 2944 [DEBUG] - Running Get-WebFile -url 'https://downloads.k8slens.dev/ide/Lens%20Setup%202022.9.260655-latest.exe' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\lens\2022.9.260655\lensInstall.exe' -options 'System.Collections.Hashtable'
2022-09-27 02:49:25,354 2944 [DEBUG] - Setting request timeout to 30000
2022-09-27 02:49:25,354 2944 [DEBUG] - Setting read/write timeout to 2700000
2022-09-27 02:49:25,354 2944 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2022-09-27 02:49:27,479 2944 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://downloads.k8slens.dev/ide/Lens%20Setup%202022.9.260655-latest.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 330
https://community.chocolatey.org/packages/lens/2022.9.280635
https://gist.github.com/choco-bot/6d4ed50fca70c2d0cc8f5c3813d52273
2022-09-28 12:43:02,611 2968 [DEBUG] - Running Get-WebFile -url 'https://downloads.k8slens.dev/ide/Lens%20Setup%202022.9.280635-latest.exe' -fileName 'C:\Users\Administrator\AppData\Local\Temp\chocolatey\lens\2022.9.280635\lensInstall.exe' -options 'System.Collections.Hashtable'
2022-09-28 12:43:02,611 2968 [DEBUG] - Setting request timeout to 30000
2022-09-28 12:43:02,611 2968 [DEBUG] - Setting read/write timeout to 2700000
2022-09-28 12:43:02,611 2968 [DEBUG] - Setting the UserAgent to 'chocolatey command line'
2022-09-28 12:43:04,766 2968 [ERROR] - ERROR: The remote file either doesn't exist, is unauthorized, or is forbidden for url 'https://downloads.k8slens.dev/ide/Lens%20Setup%202022.9.280635-latest.exe'. Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
at Get-WebFile, C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1: line 330
from home.
binance is part of this problem too
from home.
I pushed a dozen versions of the Burp Suite Community Edition package (burp-suite-free-edition). All have failed with the same error message. They work fine when I install them from local disk.
Versions:
Only -beta versions are available because the verification process is not mandatory for them.
Beta versions:
- 2022.9.4-beta
- 2022.9.3-beta
- 2022.9.2-beta
- 2022.9.1-beta
- 2022.9-beta
- 2022.8-beta
- 2022.7-beta
- 2022.6-beta
from home.
colemak package is affected. See SSL Server Test
from home.
teleport-tsh also affected:
https://community.chocolatey.org/packages/teleport-tsh/11.0.3
from home.
Potplayer seems to be affected again
#11 (comment) I first mentioned it here, but it appears that a few users are getting the error again.
from home.