
SSL Error in Chocolatey Connector



  • We started to experience some strange behavior with the Chocolatey feed. When trying to download a remote package (either because a client is doing choco install or executing the Pull to Proget from the portal) the operation fails.

    For the client it receives a

    VisualStudioCode not installed. An error occurred during installation: Error en el servidor remoto: (503) Servidor no disponible. The install of VisualStudioCode was NOT successful.

    While in the portal you get a

    The package could not be installed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    Checking the error messages you see this message:
    An error occurred processing a GET request to http://myserve:81/nuget/mychocolatey/package/VisualStudioCode/0.10.8: Cannot download package from https://chocolatey.org/api/v2

    With the following stack trace:
    at Inedo.ProGet.WebApplication.SimpleHandlers.NuGet.NuGetApi.GetHandler.<TransmitPackageAsync>d__1.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Inedo.ProGet.WebApplication.SimpleHandlers.NuGet.NuGetApi.GetHandler.<ProcessGetRequestAsync>d__0.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Inedo.ProGet.WebApplication.SimpleHandlers.NuGet.NuGetApi.<ProcessRequestAsync>d__6.MoveNext()

    We tried to analyze the network traffic and it seems there's something going on with the certificate returned by the host of the package content. I believe the package should be downloaded from some URL like packages.chocolatey.org but the certificate seems to be issued for ssl325587.cloudflaressl.com. I know you're not responsible for this but I have two questions:

    • Have you found this situation or got any report about this malfunction?
    • Is there any way to configure the application to ignore the SSL errors?

    I'm not happy with that option but it seems at this point we're analyzing any option to bring the feed back. Thanks in advance!

    Product: ProGet
    Version: 4.0.8
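
Added example, not part of the original post and not ProGet or Chocolatey code: a Python check that reports whether any subjectAltName entry of a presented certificate covers the requested host, which is what decides the trust error rather than the subject CN. The two sample certificates are constructed; only the CN ssl325587.cloudflaressl.com and the host packages.chocolatey.org come from the post, and the function names are assumptions.

```python
import socket
import ssl

# Constructed getpeercert()-style samples (not the real certificates). The subject CN
# is the name quoted in the post; the subjectAltName lists are assumptions.
SAMPLE_SHARED_CERT = {
    "subject": ((("commonName", "ssl325587.cloudflaressl.com"),),),
    "subjectAltName": (("DNS", "ssl325587.cloudflaressl.com"), ("DNS", "*.chocolatey.org")),
}
SAMPLE_WRONG_CERT = {
    "subject": ((("commonName", "ssl325587.cloudflaressl.com"),),),
    "subjectAltName": (("DNS", "ssl325587.cloudflaressl.com"), ("DNS", "*.example.net")),
}

def name_matches(pattern, host):
    """Hostname match where '*' is honoured only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host):
    """Report whether any DNS subjectAltName covers host; the CN is shown for context only."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    matched = [s for s in sans if name_matches(s, host)]
    return {"host": host, "subject_cn": cn, "covered": bool(matched), "matched_by": matched}

def fetch_cert(host, port=443, send_sni=True):
    """Fetch the certificate a server presents. Chain validation stays on; only the
    hostname check is deferred to diagnose(). send_sni=False shows what a client
    that sends no SNI is given."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Offline run over the constructed samples; use fetch_cert() against a live host.
    for cert in (SAMPLE_SHARED_CERT, SAMPLE_WRONG_CERT):
        print(diagnose(cert, "packages.chocolatey.org"))
```

Running `diagnose(fetch_cert(host), host)` from the ProGet server itself shows the certificate that machine is actually handed, which is the detail to attach to an upstream report.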



  • This has happened a few times in the past on the NuGet side, and as you identified, it's related to their certificate configuration.

    Because SSL negotiation is handled at the socket layer (well below our code), we're not so keen on adding an option to bypass SSL --- especially because many users would simply just "click ignore" without realizing that it's a man-in-the-middle attack. Especially a problem for Chocolatey, which runs arbitrary PowerShell scripts in admin mode.

    There are some settings you can do on Windows to ignore or trust mismatched certificates. Until they fix their certificates, you may want to investigate how to tweak those settings.



  • Howdy,
    When you are seeing issues like this, please bring them back to the Chocolatey folks. We can't fix issues we don't know about!

    I've created https://github.com/chocolatey/chocolatey.org/issues/365 to look further into this issue. If you can work with us over there we can help you get through this.

    Our certificate configuration is pretty solid, but we've also added in CloudFlare which appears to be causing the issue you've identified. I'd love to work through this with you, but we need more details so we can go back to CloudFlare and ask their support about how to make this work appropriately.



  • In Chocolatey v0.10.1, we will automatically switch to using better TLS versions when available. This was done in https://github.com/chocolatey/choco/issues/458.

    If you see this issue when you are attempting to install Chocolatey itself, please see this documentation to understand your options: https://github.com/chocolatey/choco/wiki/Installation#installing-with-restricted-tls


