SSL Error When Downloading Packages

Topics: General
Nov 14, 2014 at 3:39 PM
I'm getting the following error when trying to download NuGet PAckages view the GUI in Visual Studio 2013:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

I've tried using https://packages.nuget.org/v1/FeedService.svc/ as my source with the same result.

If I drop the https to http, I get this error:

"The remote server returned an error: (403) Forbidden."

I've tried:
https://packages.nuget.org/v1/FeedService.svc/
http://packages.nuget.org/v1/FeedService.svc/
https://www.nuget.org/api/v2/
http://www.nuget.org/api/v2/

Nothing works... Anyone have ideas?
Nov 15, 2014 at 1:16 AM
To troubleshoot SSL/TLS issues, please capture some network packets (using Wireshark for example) and then analyze the handshake part.

While others can access the links without problems, I can only guess that on your machine some protocol settings (SChannel related) are misconfigured. The packets might show some key information for you to locate the culprit.

Overall, it is not a NuGet issue and you cannot fix it via NuGet settings.
Nov 15, 2014 at 1:28 AM
Thanks for the reply.

I just tried downloading packages again, and it is now working. I have not made any changes to my machine. However, I am now connecting to my network over VPN. This issue was happening while I was in the office today.

I wouldn't doubt that my issue was cause by something going on with the network at my office. At the same time, this same issue has been blamed on NuGet here and across the internet. Many people have had success changing NuGet settings to resolve this very problem.

Either way, I'm good... for now.
Jan 18, 2015 at 11:56 PM
I just ran into this problem on a 2003 R2 server. The cause is a SHA-2 certificate, which is not supported by default on 2003 R2.

I tracked this down by creating a nuget.exe.config file based on the information here and here. This reveals that the problem is with certificate signature validation:
System.Net Information: 0 : [0200] Remote certificate: [Version]
  V3

[Subject]
  CN=*.vo.msecnd.net
  Simple Name: *.vo.msecnd.net
  DNS Name: images.partner.windowsphone.com

[Issuer]
  CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  Simple Name: Microsoft IT SSL SHA2
  DNS Name: Microsoft IT SSL SHA2

[Serial Number]
  5A00005A45B7B2907CD8662D5C000100005A45

[Not Before]
  10/29/2014 8:40:20 PM

[Not After]
  10/28/2016 8:40:20 PM

[Thumbprint]
  080C7173188EDFB14433D34B0DB760951ADD3EB2

[Signature Algorithm]
  (1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 bf 88 7b b5 e2 f9 c1 33 b0 2b 14 11 82 82 99 ea eb ea a7 de 34 16 ea 76 3b e5 dc ba 8d 8e 6c c7 fc 2d 09 07 60 ed 5a b7 4d 7a 1a 46 87 52 b1 84 cf 43 de f2 35 99 ec 28 b4 6d 3e bd 76 6a 92 59 1e 6b 14 15 95 c7 e1 b7 f8 20 4b 5f 06 9b 24 15 26 a0 a9 a4 c6 cb 02 f9 92 3b 9b 70 58 a7 ec a3 31 73 40 8d 07 32 70 44 e4 f9 5e 1a 9e 3d 6a a7 02 7d d8 ba 3f 05 72 c3 bf ....
    ProcessId=4088
    DateTime=2015-01-19T00:23:58.7396635Z
System.Net Information: 0 : [0200] SecureChannel#9119245 - Remote certificate has errors:
    ProcessId=4088
    DateTime=2015-01-19T00:23:58.9115473Z
System.Net Information: 0 : [0200] SecureChannel#9119245 -  The signature of the certificate can not be verified.

    ProcessId=4088
    DateTime=2015-01-19T00:23:58.9115473Z
System.Net Information: 0 : [0200] SecureChannel#9119245 - Remote certificate was verified as invalid by the user.
    ProcessId=4088
    DateTime=2015-01-19T00:23:58.9115473Z
System.Net.Sockets Verbose: 0 : [0200] Socket#47145209::Dispose()
    ProcessId=4088
    DateTime=2015-01-19T00:23:58.9115473Z
System.Net Error: 0 : [0200] Exception in the HttpWebRequest#40902273:: - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
    ProcessId=4088
    DateTime=2015-01-19T00:23:58.9115473Z
System.Net Error: 0 : [0200] Exception in the HttpWebRequest#40902273::GetResponse - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
    ProcessId=4088
    DateTime=2015-01-19T00:23:58.9115473Z
Installing the on-demand Hotfix from here solved the problem for me.

While this hotfix is only good for 2003 (and maybe XP?), the nuget.exe.config trick should help troubleshoot the issue on any platform.