The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

91
votes

While doing a docker build on my .NET Core project, I got the following error on all my NuGets:

80.19 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3028: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/app/GradingTool.sln]

#12 80.20 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3037: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired. [/app/GradingTool.sln]

#12 80.20 /app/GradingTool.Tests/GradingTool.Tests.csproj : error NU3028: Package 'Microsoft.EntityFrameworkCore 5.0.0' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain [/app/GradingTool.sln]

I never had this error before, Can someone help me figure out what the problem is?

Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:latest AS build-env
WORKDIR /app
RUN apt-get update -yq \
    && apt-get install curl gnupg -yq \
    && curl -sL https://deb.nodesource.com/setup_10.x | bash \
    && apt-get install nodejs -yq
# Copy csproj and restore as distinct layers
COPY . ./
RUN dotnet restore
RUN dotnet publish -c Release -o out

# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:latest
RUN apt-get update \
    && apt-get install -y --no-install-recommends libgdiplus libc6-dev \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY --from=build-env /app/out .
ENV ASPNETCORE_URLS="http://+:4200"
ENV ASPNETCORE_ENVIRONMENT="Production"
ENV GOOGLE_APPLICATION_CREDENTIALS="Credentials/SchoolTools-e9f260bdf56e.json"
ENV VIRTUAL_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_HOST="eva.schooltools.lu,www.eva.schooltools.lu,schooltools.lu,www.schooltools.lu"
ENV LETSENCRYPT_EMAIL="[email protected]"
EXPOSE 4200
ENTRYPOINT ["dotnet", "GradingTool.dll"]
8
.netdockerssl.net-corenuget
How does your dockerfile and project look like?Pavel Anikhouski
I added the docker file, but what do you mean by project look like?Wilson Silva
Content of GradingTool.Tests.csproj. Why do you need to install nodejs and libgdiplus?Pavel Anikhouski
My Projects has 4 Solutions, GradingTool.Tests.csproj, GradingTool.Core.csproj, GradingTool.Data.csproj and GradingTool.csprojWilson Silva
Watch github.com/NuGet/Home/issues/10491 for updatesMartin Ullrich

8 Answers

39
votes

In the Dockerfile file, I changed from

FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim

to

FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine

This worked for me!

42
votes

Update: Check this announcement: https://github.com/NuGet/Announcements/issues/49

At the moment the issue appears to be related to the Debian image.

Switch to an Ubuntu or Alpine based image instead:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal AS build-env

Follow https://github.com/NuGet/Home/issues/10491 for updates.

21
votes

Short answer

Replace mcr.microsoft.com/dotnet/sdk:latest

With mcr.microsoft.com/dotnet/sdk:5.0.102-ca-patch-buster-slim-amd64

Once they officially patch the certificate issue, go back to :latest.

Long answer

This is because of an issue in the Debian docker image you are using: mcr.microsoft.com/dotnet/sdk:latest

The :latest tag is using a Debian image (5.0.102-1-buster-slim-amd64) and Debian released a patch that generated certificate issues.

The NuGet team published new pre-release Debian images that mitigate the ca-certificate issue. See the open issue & image replacements workarounds here:

https://github.com/NuGet/Announcements/issues/49#issuecomment-768766265

Later on they'll publish the release version of SDK images (once the Debian ca-certificates package is released in Debian 10 Buster).

Using the :focal tag (Ubuntu) might solve the issue for your .NET app as well, although you must consider you are not using Debian anymore.

LATEST UPDATE: Microsoft published patched docker images using the conventional tags like sdk:5.0. It is safe to revert from :5.0.102-ca-patch-buster-slim-amd64 to :5.0

19
votes

I think nuget.org is having some issues with their certificate. I'm currently getting the following for all NuGet packages from nuget.org

error NU3037: Package 'Microsoft.NETCore.Platforms 3.1.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature validity period has expired.

error NU3028: Package 'Microsoft.AspNetCore.Metadata 3.1.2' from source 'https://api.nuget.org/v3/index.json': The repository countersignature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

18
votes

As already mentioned the current updates of issue could be followed here:
https://github.com/NuGet/Home/issues/10491
To shorten your journey
Known workarounds include:

  • Downgrade to .NET Core 3.1
  • If using docker, change your base image from "FROM mcr.microsoft.com/dotnet/sdk:5.0" to " FROM mcr.microsoft.com/dotnet/sdk:5.0-focal" or " FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine"
  • Put this inside the tag in your nuget.config to disable validation altogether (works with dotnet restore) :

<config> <add key="signatureValidationMode" value="accept" />

You can also check the status here: https://status.nuget.org/

12
votes

This change also works:

FROM mcr.microsoft.com/dotnet/sdk:5.0-focal
5
votes

Better to go from Debian to Ubuntu and skip Alpine as .net Regions and Cultures are missing from Alpine! i.e sdk:5.0-focal is your best bet and does indeed fix this problem.

2
votes

In case you don't want to change your base image, another way to fix this is to install the ca-certificates package.

Add this to your Dockerfile:

RUN echo "deb http://deb.debian.org/debian bullseye main" >> /etc/apt/sources.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
     ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& sed -i '$ d' /etc/apt/sources.list

Of course, this can be removed again as soon as the underlying issue is fixed.