Home: NuGet cannot restore from HTTPS sources that require Client Certificates

Created on 18 Aug 2017 · 28 Comments · Source: NuGet/Home

Idea

We should add a way for users to nominate a Client Certificate for HTTPS connections that require them.

Probably should be handled similar to https://github.com/NuGet/Home/issues/4387

"Inspirations"

npm has this: https://docs.npmjs.com/misc/config#cert

cert="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"

maven has this: https://maven.apache.org/guides/mini/guide-repository-ssl.html:

-Djavax.net.ssl.keyStore=/home/directory/mycertificate.p12
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStorePassword=XXXXXX

Current Behavior

nuget list -source https://secured-server/repository/dev-nuget-feed -Verbosity Detailed
System.AggregateException: One or more errors occurred. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel
at System.Net.HttpWebRequest.GetResponse()
at NuGet.RequestHelper.GetResponse()
at NuGet.HttpClient.GetResponse()
at NuGet.RedirectedHttpClient.GetResponseUri(HttpClient client)
at NuGet.RedirectedHttpClient.EnsureClient()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at System.Lazy`1.get_Value()
at NuGet.MemoryCache.GetOrAdd[T](Object cacheKey, Func`1 factory, TimeSpan expiration, Boolean absoluteExpiration)
at NuGet.RedirectedHttpClient.get_CachedClient()
at NuGet.RedirectedHttpClient.get_Uri()
at NuGet.DataServicePackageRepository.get_Source()
at NuGet.Protocol.Core.v2.ListCommandResourceV2Provider.<TryCreate>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__11`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__10`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Commands.ListCommand.<GetListEndpointsAsync>d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Commands.ListCommand.<ExecuteCommandAsync>d__22.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at NuGet.CommandLine.Command.Execute()
at NuGet.CommandLine.Program.MainCore(String workingDirectory, String[] args)


All 28 comments

@rrelyea or nuget team,
Please reach out to me or someone on the VSTS Packaging team so that we can update the credential providers to support mutual SSL auth when you start working on this.

This support for mutual SSL authentication is sorely needed by the DoD community.

This support for mutual SSL authentication is needed by the DoD community.

My team could really use this feature

This feature would go a long way in helping our team resolve an issue we're having with using nuget in several of our projects.

Besides offering a mechanism for an application such as TFS/VSTS to "pass" client certificates to nuget for use during ssl client authentication, could you also ensure the nuget client can utilize an ssl client certificate from a smartcard device? VS 2015 appears to do this well.

I work for the government, and we really do need this feature available. We are currently having to use several workarounds. These workarounds are slow, time-consuming, and error prone.

Yes, having this feature would be extremely helpful, I work for the Government as well and not having that option is cumbersome to say the least.

I concur: "This support for mutual SSL authentication is SORELY needed by the DoD community."

This would be a great thing to have, our project would benefit from this as well.

@rrelyea , regarding this issue's designation as a feature rather than a bug type: Today, isn't mutual ssl authentication considered more of a basic functionality rather than a nice-to-have?

With security being paramount, my organization requires mutual ssl authentication without exception. Without nuget's support of ssl client authentication, we are unable to use Visual Studio Team Foundation Server's Package Management to host our nuget packages.

As a result, this issue is blocking our development of a much-needed modular redesign using nuget packages.

@emmellee - thanks for the interest.

@keithrob / @nkolev92 - pinged you via email. could our current 15.8 (VS 2017) and 5.8 (nuget.exe) based work help solve this? Timing good? Cost?

Just looping back here.
This ask is orthogonal of our plugins feature.

Issue 7212 was closed as duplicate of this ticket. Still wondering when nuget will support ssl client authentication? Thank you.

@nkolev92 , could you explain what "This ask is orthogonal of our plugins feature" means?

@emmellee

The plugins feature was independent of this one.

They are both in the same feature space (authentication), but the plugins were solving a different problem.

@nkolev92
Thank you. Is there any idea when we might see nuget support of client certificates?

There're no immediate plans (5.2) as far as I am aware (5.2 which aligns to 16.2 of Visual Studio).
I can't make any claims beyond that.

This would be a great feature for my team as well. We are required to use client certificate auth for our systems, which currently precludes us from using NuGet package hosting.

Did not expect that such a feature still does not exist. Faced the same issue today. Hope the NuGet team will implement this desirable functionality soon.

@nkolev92 @keithrob @rrelyea
I had almost given up hope this issue would be worked, but recent comments show others are as hopeful as I that it soon will be. Can you give us some confirmation that this issue will be worked and solved soon? Even after all this time, down alternative paths, our projects would still greatly benefit by using nuget in our ssl environment.

Hope that pull request somehow speeds up feature implementation.

Awesome work @BlackGad! Hopefully they'll take a look at this and merge it in quickly =)

Thank you @BlackGad. It would be wonderful to be able to use the certificate store.

Huge thanks to @BlackGad for implementing this. It was a big effort as we went through a design spec process first, which needed the original implementation to change considerably. But this has now been merged! 🎉

It will be available in:

  • NuGet 5.7
  • Visual Studio 2019 16.7 (probably preview 2)
  • .NET Core 3.1 SDK 3.1.4xx
  • .NET 5 SDK (I think preview 5)

Thanks @BlackGad! I can't wait to test this out.

For people who want to secure their NuGet server with client certificates, I will leave our configuration here.

We are using a regular BaGet NuGet server which listens on unsecured HTTP inside our private network (read-through caching disabled)
and an Apache reverse proxy with the Client Certificate Authentication feature configured for the internet. The reverse proxy routes HTTPS requests to our NuGet server's HTTP endpoint.
For a proper NuGet feed index response you need to specify additional headers for all HTTP requests forwarded from Apache to BaGet. See for details.

Apache configuration example:

ProxyPass http://<BaGet server IP>/
ProxyPassReverse http://<BaGet server IP>/
ProxyPassReverseCookieDomain https://<BaGet server IP>/
ProxyPreserveHost On
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

Above configuration allows:

  1. HTTP access for our build agents (TeamCity) and developers inside our private network without overhead. NuGet config for PCs in this area extended with direct HTTP endpoint.
  2. Secured HTTPS access with client certificates for developers outside our private network. NuGet config for PCs in this area extended with HTTPS endpoint to our apache server.
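As an added example (not the commenter's own config), here is a complete Apache 2.4 virtual host that puts the proxy directives above behind mandatory client-certificate authentication and forwards the verified client identity to BaGet; the server name, certificate and CA file paths are assumptions, and <BaGet server IP> is kept as the placeholder used above.

```apache
# Added example: HTTPS front end for BaGet with mutual TLS. Paths and names are assumed.
<VirtualHost *:443>
    ServerName nuget.example.com                                  # assumed public name

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/nuget.example.com.crt    # assumed server cert
    SSLCertificateKeyFile /etc/ssl/private/nuget.example.com.key  # assumed server key

    # Mutual TLS: the handshake fails unless the client presents a certificate
    # that chains to this CA, so unauthenticated requests never reach BaGet.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/internal-client-ca.pem    # assumed issuing CA for client certs

    # Only TLS 1.2 and 1.3 are offered.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Forward to the HTTP-only BaGet instance on the private network
    # (same headers as in the comment above, which BaGet needs to build the feed index).
    ProxyPreserveHost On
    ProxyPass        "/" "http://<BaGet server IP>/"
    ProxyPassReverse "/" "http://<BaGet server IP>/"
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL"   expr=%{HTTPS}

    # Pass the verified client subject DN so requests can be attributed in backend logs.
    # The header name is an assumption; BaGet does not consume it by itself.
    RequestHeader set "X-Client-Cert-DN" "%{SSL_CLIENT_S_DN}s"

    ErrorLog  ${APACHE_LOG_DIR}/nuget-error.log
    CustomLog ${APACHE_LOG_DIR}/nuget-access.log combined
</VirtualHost>
```

Because BaGet still listens on plain HTTP inside the private network, anything on that network can set X-Forwarded-* or X-Client-Cert-DN itself; the proxy only gates traffic arriving from the internet, so the backend should not be reachable from outside on any path that bypasses it.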