Runtime: System.Net.Http.CurlException: SSL peer certificate or SSH remote key was not OK

@kendrahavens what distro is microsoft/dotnet:1.1.2-runtime ?

Removing the mac label since ther'es no reason to think this is a related cause.

@danmosemsft The linux container is debian:jessie based. The dockerfile can be found in the dotnet-docker repo. I'm not sure if this is relevant to you, but the 1.1.2-runtime tag is multi-arch so depending on whether Docker for Windows is in Windows or Linux container mode the base image will adapt though it was stated this issue wasn't present in nanoserver.

I'm having the same error using the microsoft/dotnet:2.0.0-runtime and microsoft/dotnet:2.0.0-sdk images. I'm running this in Docker for Windows (17.09.0-ce-win33 13620)

Message:

InnerException: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL peer certificate or SSH remote key was not OK

Stacktrace:

at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
   at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)
--- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at System.Net.Http.HttpClient.<FinishSendAsyncUnbuffered>d__59.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at System.Net.HttpWebRequest.<SendRequest>d__194.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at System.Net.HttpWebRequest.GetResponse()
TargetSite: System.Net.WebResponse GetResponse()
StackTrace:    at System.Net.HttpWebRequest.GetResponse()

Is there any sort of known workaround?

I'm hitting this same error. Do we at least know if it's restricted to Docker or a specific version of CURL?

Same error here, dotnet core 2.0 app in a rhel container trying to upload a file to Minio using the Amazon.S3 nuget.

Same issue with net core 2 running this in Ubuntu todays latest version-

Official Helix test failures analysis:

• Test SetDelegate_ConnectionSucceeds failed only during 6/27-7/4 -- 4x in each run on Mac only. No repro since. It was likely fixed in dotnet/corefx#21778.
• Test InvalidCertificateServers_CertificateValidationDisabled_Succeeds failed only during 6/22-7/4 -- 1x per each run on Mac only. No repro since. It was fixed in dotnet/corefx#21778.

The Mac failures were likely unrelated to the original problem reported here, deleting the comments above to avoid clutter.

Can someone please provide us with a minimal repro, so tat we can try to reproduce in house? Thanks!
cc @Priya91

Closing as no repro. If somebody has a minimal repro, we can reopen. Thanks!

I am facing the same error when calling SaltStack API from an Azure Web App with Containers support, running NET Core 2.0 Web API solution, using Flurl or RestSharp clients.

Dockerfile is using:
FROM microsoft/aspnetcore:2.0.8-jessie

using Flurl;
using Flurl.Http;

var result = await (saltMaster.Url + ":" + saltMaster.Port)
                    .AppendPathSegment("login")
                    .WithHeader("Accept", "application/json")
                    .PostJsonAsync(new { username = saltMaster.Username, password = saltMaster.Password, eauth = "pam" })
                    .ReceiveJson<SaltLoginResult>();

@provanguard thanks - let's follow up on your repro and how to investigate further in the new issue you created - dotnet/corefx#29891.

I am surprised to see 5 downvotes on my closing above ... if anyone else has a way to reproduce it, please speak up. Without a repro or additional information it is not actionable for us. Also note that .NET Core 2.1 does not use libcurl anymore, so trying it on 2.1 RC may get rid of the problem entirely. Let us know if you try it and what is the result. Thanks!

Code with the following URL throws exception SSL peer certificate or SSH remote key was not OK on Linux. But it works on Windows.
```c#
using (var wc = new WebClient())
{
Console.WriteLine( wc.DownloadString("https://www.radio174stream.ru:8080") );
}

**UPDATE**
It can be workarounded with ignoring the validation error in a certificate validation handler:
```c#
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

@HarpyWar can you please check if it is similar certificate problem as in dotnet/corefx#29891?

Full exception message:
Unhandled Exception: System.Net.WebException: An error occurred while sending the request. SSL peer certificate or SSH remote key was not OK

dotnet version 2.1.105
Tested on clean envoronments on Debian 8 and 9.

I think a source of the error is the same, and it can be solved by replacing a certificate on a server (I don't know what exactly wrong there) or by using a solution which I wrote above (ServicePointManager).
The same error message appears with other programming languages on Linux, and it always recommended everywhere to suppress certificate errors on a client side.