Home: dotnet restore, with HTTP_PROXY and HTTPS_PROXY (with user/password) broken again

_From @tebeco on May 28, 2018 14:15_

Just to be clear ... i also tried nuget.config to set
http_proxy https_proxy no_proxy

also if i have to provide ANY user and password ... it is not compliant with any form of "Continuous" integration right ?

setting up a proxy as an env var :

• Globally ==> will mess up all tool that read it and will try to access any internal url with the proxy, wich is forbiden
• In the process
  
  
  
  • it means i'll have to use a Vault to store user / password ?
  
  
  • it means i'll have to code the logic that will
    
    
    
    
    
    • fetch Vault cred
    
    
    
    • get values
    
    
    
    • set value in the shell
    
    
    
    • run dotnet restore
    
    
    
    • unset it ?
    
    
    
    • take care of NO_PROXY
    
    
    
  
  

we have same problem :( after install dotnet sdk 2.1.300
but we using global proxy (Internet options on windows) and its works fine on sdk 2.1.200

Holy cow, not again please

It’s been broken since alpha of dotnet cli.
As Nuget CLI works without having to set HTTP_PROXY
dotnet forced us to set it globally ... wtf seriously ?

now it is even worse since this is not working anymore in dotnet

@livarcocc @anangaur
who should we ping to get answer on that one, this is still a blocker for Corporation right ?

Related https://github.com/NuGet/Home/issues/6761
/cc: @rrelyea @nkolev92

i tried without the password it still break
i tried with a username and password that only contains letter lower and upper and digit
still break

if only it was easy to create a docker images in order to diagnostic that
it could be a Mandatory test in the Integrration test in the CI of both nuget and dotnet
i have no idea how to create an NTML pro y using windows containers so i could make it run in docker :s

@rohit21agrawal @nkolev92

After reading myself later deeply apologize about the way the things ended up here :s
will be more positive as possible ;)

Not sure what's going wrong here.

@tebeco
We need to investigate deeper.

Can you please try msbuild /t:restore? Not dotnet msbuild, but the VS built in one.

Same problem here with 2.1.300 final release.
Tried nuget.exe restore (4.7.0.5148, the same version dotnet sdk uses), it works. So the problem would be more on https://github.com/dotnet/cli/issues/9358, no ?

@livarcocc
https://github.com/tebeco/CheckHttpProxyNetCoreApp21

Is that what we were talking about yesterday ?

====
my tests on msbuild /t:restore were irrelevant as i forgot to clear all caches locally
I have to leae works i will test again tomorrow

is there anyone that knows if there's a Windows Container (probably nano server) that exists with a simple user/password with an NTLM proxy, so i could test it on my personnal laptop without beeing restricted by work hours ^^

Maybe this is an issue with the new SocketsHttpHandler. You can use the 2.0 http handler by setting DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER to 0.

I am also facing the same issue. I am struggling to find a solution for last two days. This is a blocker for me at the moment. I tried setting up the http_proxy/https_proxy with the username but still no luck.
This is how my docker file looks like:
FROM microsoft/aspnetcore:2.0-nanoserver-sac2016 AS base
WORKDIR /app
EXPOSE 80

FROM microsoft/aspnetcore-build:2.0-nanoserver-sac2016 AS build
WORKDIR /src
COPY IdSvr/IdSvr.csproj IdSvr/
RUN dotnet restore IdSvr.csproj
COPY . .
WORKDIR /src/IdSvr
RUN dotnet build IdSvr.csproj -c Release -o /app

FROM build AS publish
RUN dotnet publish IdSvr.csproj -c Release -o /app

FROM base AS final
WORKDIR /app
COPY --from=publish /app .
ENTRYPOINT ["dotnet", "IdSvr.dll"]

Output:
Step 7/16 : RUN dotnet restore IdSvr/IdSvr.csproj
---> Running in 244dbef710b6
Restoring packages for C:srcIdSvrIdSvr.csproj...
Restoring packages for C:srcIdSvrIdSvr.csproj...
Restore completed in 10.46 sec for C:srcIdSvrIdSvr.csproj.
C:Program Filesdotnetsdk2.1.200NuGet.targets(114,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [C:srcIdSvrIdSvr.csproj]
C:Program Filesdotnetsdk2.1.200NuGet.targets(114,5): error : An error occurred while sending the request. [C:srcIdSvrIdSvr.csproj]
C:Program Filesdotnetsdk2.1.200NuGet.targets(114,5): error : The operation timed out [C:srcIdSvrIdSvr.csproj]
ERROR: Service 'idsvr' failed to build: The command 'powershell -Command $ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; dotnet restore IdSvr/IdSvr.csproj' returned a non-zero code: 1

Note:
on my local, sdk 2.0.0 installed by default, but while trying to restore it is pointing to 2.1.200 which is not installed on my machine.

/cc: @rrelyea

If nuget.exe works, but dotnet.exe restore doesn't (please make sure you clean all the caches as @tebeco
mentioned, nuget locals or dotnet nuget locals), can you please test whether msbuild.exe works?

That'll help us a lot toward diagnosing this issue.

If you went through the above, and msbuild.exe works, please try setting DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0. as @tmds recommended and let us know what you encountered.

@nkolev92 so if i set a proxy (using a PAC Script) in IE (Win10)
the following should works ?
nuget seems perfectly ok that moby ever set HTTP_PROXY
never seen dotnet works since a long time without it)

SET DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0
SET HTTP_PROXY=
SET HTTPS_PROXY=
dotnet nuget locals -c all
dotnet restore

will test that today

Trying the @tebeco and @nkolev92 proposed above thread I got this error on dotnet restore:

Unhandled Exception: System.TypeInitializationException: The type initializer for 'Ssl' threw an exception. ---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception. ---> Interop+Crypto+OpenSslCryptographicException: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
at Interop.SslInitializer..cctor()
--- End of inner exception stack trace ---
at Interop.Ssl..cctor()
--- End of inner exception stack trace ---
at Interop.Ssl.SetProtocolOptions(IntPtr ctx, SslProtocols protocols)
at System.Net.Http.CurlHandler.SslProvider.SslCtxCallback(IntPtr curl, IntPtr sslCtx, IntPtr userPointer)
at Interop.Http.MultiPerform(SafeCurlMultiHandle multiHandle)
at System.Net.Http.CurlHandler.MultiAgent.PerformCurlWork()
at System.Net.Http.CurlHandler.MultiAgent.WorkerBodyLoop()

@nkolev92

TL;DR)
nuget restore : OK
dotnet restore: KO with a 407

Details :

D:\>dotnet new console -n deleteme
D:\>cd deleteme
D:\>dotnet new nugetconfig

edit the nuget.config and replace with :

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <packageSources>
    <!--To inherit the global NuGet package sources remove the <clear/> line below -->
    <clear />

    <add key="nuget" value="https://api.nuget.org/v3/index.json" />
 </packageSources>
</configuration>

edit the csproj :

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="MarbleTest.Net" Version="[1.4.0, )" />
  </ItemGroup>

</Project>

D:\deleteme>dotnet nuget locals -c all
info : Clearing NuGet HTTP cache: C:\Users\xxx\AppData\Local\NuGet\v3-cache
info : Clearing NuGet global packages cache: C:\Users\xxx\.nuget\packages\
info : Clearing NuGet Temp cache: C:\Users\xxx\AppData\Local\Temp\NuGetScratch
info : Local resources cleared.


D:\deleteme>SET DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0

D:\deleteme>SET HTTP_PROXY=

D:\deleteme>SET HTTPS_PROXY=

D:\deleteme>dotnet restore
  Restoring packages for D:\deleteme\deleteme.csproj...
C:\Program Files\dotnet\sdk\2.1.300\NuGet.targets(114,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [D:\deleteme\deleteme.csproj]
C:\Program Files\dotnet\sdk\2.1.300\NuGet.targets(114,5): error :   Response status code does not indicate success: 407 (authenticationrequired). [D:\deleteme\deleteme.csproj]





D:\deleteme>nuget restore deleteme.csproj
MSBuild auto-detection: using msbuild version '15.7.179.6572' from 'C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\15.0\bin'.
Restoring packages for D:\deleteme\deleteme.csproj...
  GET https://api.nuget.org/v3-flatcontainer/marbletest.net/index.json
  OK https://api.nuget.org/v3-flatcontainer/marbletest.net/index.json 714ms
  GET https://api.nuget.org/v3-flatcontainer/marbletest.net/1.4.0/marbletest.net.1.4.0.nupkg
  OK https://api.nuget.org/v3-flatcontainer/marbletest.net/1.4.0/marbletest.net.1.4.0.nupkg 755ms
  GET https://api.nuget.org/v3-flatcontainer/microsoft.reactive.testing/index.json
  GET https://api.nuget.org/v3-flatcontainer/system.reactive/index.json
  OK https://api.nuget.org/v3-flatcontainer/microsoft.reactive.testing/index.json 508ms
  GET https://api.nuget.org/v3-flatcontainer/microsoft.reactive.testing/3.1.1/microsoft.reactive.testing.3.1.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/system.reactive/index.json 577ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive/3.1.1/system.reactive.3.1.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/system.reactive/3.1.1/system.reactive.3.1.1.nupkg 731ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.platformservices/index.json
  OK https://api.nuget.org/v3-flatcontainer/microsoft.reactive.testing/3.1.1/microsoft.reactive.testing.3.1.1.nupkg 1179ms
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.platformservices/index.json 500ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.platformservices/3.1.1/system.reactive.platformservices.3.1.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.platformservices/3.1.1/system.reactive.platformservices.3.1.1.nupkg 820ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.linq/index.json
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.linq/index.json 557ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.linq/3.1.1/system.reactive.linq.3.1.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.linq/3.1.1/system.reactive.linq.3.1.1.nupkg 882ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.core/index.json
  GET https://api.nuget.org/v3-flatcontainer/system.runtime.interopservices.windowsruntime/index.json
  OK https://api.nuget.org/v3-flatcontainer/system.runtime.interopservices.windowsruntime/index.json 494ms
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.core/index.json 497ms
  GET https://api.nuget.org/v3-flatcontainer/system.runtime.interopservices.windowsruntime/4.0.1/system.runtime.interopservices.windowsruntime.4.0.1.nupkg
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.core/3.1.1/system.reactive.core.3.1.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/system.runtime.interopservices.windowsruntime/4.0.1/system.runtime.interopservices.windowsruntime.4.0.1.nupkg 861ms
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.core/3.1.1/system.reactive.core.3.1.1.nupkg 972ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.interfaces/index.json
  GET https://api.nuget.org/v3-flatcontainer/system.componentmodel/index.json
  OK https://api.nuget.org/v3-flatcontainer/system.componentmodel/index.json 511ms
  GET https://api.nuget.org/v3-flatcontainer/system.componentmodel/4.0.1/system.componentmodel.4.0.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.interfaces/index.json 534ms
  GET https://api.nuget.org/v3-flatcontainer/system.reactive.interfaces/3.1.1/system.reactive.interfaces.3.1.1.nupkg
  OK https://api.nuget.org/v3-flatcontainer/system.reactive.interfaces/3.1.1/system.reactive.interfaces.3.1.1.nupkg 747ms
  OK https://api.nuget.org/v3-flatcontainer/system.componentmodel/4.0.1/system.componentmodel.4.0.1.nupkg 883ms
Installing System.ComponentModel 4.0.1.
Installing System.Reactive.Interfaces 3.1.1.
Installing System.Reactive.Core 3.1.1.
Installing System.Runtime.InteropServices.WindowsRuntime 4.0.1.
Installing System.Reactive.Linq 3.1.1.
Installing System.Reactive.PlatformServices 3.1.1.
Installing Microsoft.Reactive.Testing 3.1.1.
Installing System.Reactive 3.1.1.
Installing MarbleTest.Net 1.4.0.
Committing restore...
Generating MSBuild file D:\deleteme\obj\deleteme.csproj.nuget.g.props.
Generating MSBuild file D:\deleteme\obj\deleteme.csproj.nuget.g.targets.
Writing lock file to disk. Path: D:\deleteme\obj\project.assets.json
Restore completed in 10.22 sec for D:\deleteme\deleteme.csproj.

NuGet Config files used:
    D:\deleteme\NuGet.Config
    C:\Users\xxx\AppData\Roaming\NuGet\NuGet.Config
    C:\Program Files (x86)\NuGet\Config\Microsoft.VisualStudio.Offline.config

Feeds used:
    https://api.nuget.org/v3/index.json

Installed:
    9 package(s) to D:\deleteme\deleteme.csproj

Is it possible to change the title to something that does not involve either
username
password
or env var

something like this (there’s probably a better title ^^) :
embedded nuget version of dotnet 2.1.300 does not handle windows NTLM proxy settings (settings in Internet explorer panel)

@tebeco
Can you please try msbuild /t:restore?
The .NET Framework version, not the dotnet msbuild one.

last time i used it, it was from vs2017 prompt for devs and where msbuild pointes to some folder in program files
was that the good one ?

@tebeco
Yes that's it.

Easiest approach is to go to the developer command prompt and run
"msbuild /t:restore"

it was working with it
should i past the logs here ? (i think i pasted the logs somewhere in github)
and msbuild /t:build was ok too

EDIT : i can’t remember if i cleared the cache before so it may not be relevant

it’s 0:30 here gonna have to go to bed will have to try tomorrow

Nope, that's perfect.

Knowing it works with nuget.exe AND msbuild.exe, but it doesn't with dotnet.exe suggest that it could be a framework issue.

if i understand correctly this issue has been splitted into at least 2 issue ?
one for servicing as a regression for WinHttpHandler (is it the 2.1.1 ?)
the other for SockerXXXXHandler ?

do you need network trace for the SocketHandler to avoid discovering a new weird scenario ? if so how could i help to get these traces

@nkolev92 back from holidays,
do you need any new test / answer or anything else to helps you about this one ?

@tebeco
Please refer to https://github.com/NuGet/Home/issues/5358#issuecomment-397010460

Tracking issue on corefx side https://github.com/dotnet/corefx/issues/30354

hi again
i just tested this morning with 2.1.401-xxxxx (the “final preview”)

this photo is the result of my attempt

after few investigation and playing around with fiddler, a colleague of mine pointed out that :

• our proxy is NTLM (header in the 407)
• the proxy in http (not https)
• when we access https is has to do a CONNECT (tunneling https inside http for the proxy)
• the http client only (from the capture) does the first request then nothing more

In my Windows 10, I run commands:
nuget.exe config -set http_proxy=http://proxy:port
nuget.exe config -set http_proxy.user=username
These settings are found in C:UsersusernameAppDataRoamingNuGetNuGet.Config
I did not set password (i did before using nuget.exe config -set http_proxy.password=userPassword, but it did not work for me, and I have removed string from the file).
Maybe – I do not know, I think – it uses saved password from Control Panel | User Accounts | Manage Windows Cridentials, the value _git:http://username@proxy:port_ – it asked me the password when I run git pull/push.
After that I run dotnet restore and it successfully finished.

i understand that on the paper it works.

in reality you have 4-5 feed
some on nuget.org (require proxy + ad auth)
some in the LAN (http bad gateway if you use that settings ... logical)
some feed on vsts (need another proxy and probably auth too)

i’m order to do a dotnet restore on the aspnetcore repo i had to create like 8 artifactory proxy (cost money because of a handshake not handled at tcp/http level)

and even with that it still not work properly

as i understand that setup affect the all machine this is good in very limited scenario but it does not scale well

i would love to have a simple way to customize this per feed because this is the only thing that matter, not a huge global state of rule affecting every single feed

This my successful soulution:

1. download the nuget.exe from http://www.nuget.org
2. excute command:
   nuget config -Set http_proxy="http://proxy.com:port" -Set http_proxy.user="username" -Set http_proxy.password="password"
3. then you can see some configs in nuget.config file.
4. try to exec "dotnet add " command and you will get the success.

i think the most important thing is the password need to set by nuget config -Set command, not add manully.

or never enter either username and password.
open an issue on github and ask if it's possible to let the httpclient handle the NTLM Challenge properly using the current user for the NetworkCredential.

that way you never need to specify either a password or a username.
good thing about it :

• you don't leak a username
• you don't leak potential password if you do it bad (manually)
• you don't need to add NO_PROXY
• you won't block you account when password change because it will do more than 3 attempt
• it will work out of the box with absolutely 0 change or 0 manual manipulation

Looking at the code, it appears that only the user-level config works for proxy settings. This matches the behavior I see, at least on dotnet 2.2.401.

Thanks @zarenner
I've noticed that too, right now I'm having finding the issue calling that out.

That could be the root cause of some of the issues in this thread (Unfortunately I'm not confident everyone on this thread is hitting the same issues.

edit Of course I find it after I comment :D https://github.com/NuGet/Home/issues/747
edit 2 Seems like you found that one too :D

In my Windows 10, I run commands:
nuget.exe config -set http_proxy=http://proxy:port nuget.exe config -set http_proxy.user=username
These settings are found in C:UsersusernameAppDataRoamingNuGetNuGet.Config
I did not set password (i did before using nuget.exe config -set http_proxy.password=userPassword, but it did not work for me, and I have removed string from the file).
Maybe – I do not know, I think – it uses saved password from Control Panel | User Accounts | Manage Windows Cridentials, the value _git:http://username@proxy:port_ – it asked me the password when I run git pull/push.
After that I run dotnet restore and it successfully finished.

This worked for me, thanks.

@tebeco any clue / solution to get this working on CentOS, tried all the above methods. Setting DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER to zero gives authentication required. Unsetting gives an error related to GSSAPI error. Going crazy over this. Both dotnet 2.2 & 3 have the same error

Setting DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER to zero gives authentication required

I'm not surprised, on windows disabling this one could help re-enable the WinHttpSockerHandler (can't remember the real name) that could (in netfx) handle Authentication based on the user logged in.

Unsetting gives an error related to GSSAPI error.

I'll be honest i have no idea what it is and that it existed.

To be fair, i found literally no clean solution if the proxy is an explicit proxy.
The only way we had it working was to create an on premise "nuget gateway"

As we have hundreds of teams releasing nugets internally we had/have either Sonatype Nexus / JFrog Artifactory and we created Remote repository that points to nuget.org.
These "on premise" feeds would have the authenticated proxy setup (service account with internet right for example)
These would be anonymous and in LAN only, all you would have to do is stop using nuget.org and replace it with that feed URL in the LAN

It have LOTS of inconvenience ... like :

• if you try to restore repo like dotnet/aspnetcore, it reliad on like ~4-5 remote so you need t create 1 for each
• some repo relies on azure blob as a feed
• Artifactory does not seem to be compliant with feedz.io
  ...

for regular and limited remote feed, that works, but it does not scale well. I often fork / clone repo like dotnet/aspnetcore dotnet/runtime or azure/azure-signalr and that's very very hard to make it restore everything properly
and there's also the tooling from dotnet/arcade ....

to be fair, this issue could potentially be fixed if there's a way to add specific code in the Windows binary to support PAC proxy and "IE Proxy"
see https://github.com/NuGet/Home/issues/6981

One of the Issue with HTTP_PROXY could be explicit proxy, and it could often be NTLM proxy (expliciy user/pass/domain in clear)

It leads used toward custom alias / handling password changes every XX weeks / that could also trigger Account Locked because the password changed but you forgot that one script.

HTTP_PROXY and HTTPS_PROXY are very limited for such scenario :(

This helped me with this problem on Ubuntu - https://github.com/dotnet/core/blob/master/Documentation/linux-setup.md - specifically:

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
export SSL_CERT_DIR=/dev/null

perhaps the equivalent on Windows will help the Windows folks

Hey all,

Thank you for this discussion. Apologies for not being able to get to all of your feedback.
At this point I think that this discussion has gone into a few different directions.

A few takeaways from what I am noticing:

• NuGet.exe/MSBuild.exe worked better for folks than dotnet.exe.
• A lot of the issues were related to: https://github.com/dotnet/runtime/issues/26461, which has been fixed since then.
• There are still difficulties configuring different types of proxy, specifically ntlm proxy, which is something that @tebeco has raised in https://github.com/NuGet/Home/issues/6981.

As such I'm gonna to close this issue, as given the number of different directions we've gone it'd be difficult to get clarity on every single problem.

Please file individual problems for the specific issues that you are facing.

Please check the following 2 issues before filing:

• https://github.com/NuGet/Home/issues/6981
• https://github.com/NuGet/Home/issues/747