dotnet download is no longer available via http
jmartin-tech opened this issue · 2 comments
Issue Description
During initial OS installation, dotnet framework 4.5 is installed to meet minimum requirements for the rest of the build. However, the http url now redirects to an https download that requires TLS 1.2, which the install is depending on dotnet 4.5 to provide. This causes all downloads that require TLS 1.2 further in the build process to fail as well.
PS C:\Users\vagrant> (New-Object System.Net.WebClient).DownloadFile('http://download.microsoft.com/download/1/6/7/167F0D79-9317-48AE-AEDB-17120579F8E2/NDP451-KB2858728-x86-x64-AllOS-ENU.exe', 'C:\Windows\Temp\dotnet.exe')
Exception calling "DownloadFile" with "2" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
At line:1 char:47
+ (New-Object System.Net.WebClient).DownloadFile <<<< ('http://download.microsoft.com/download/1/6/7/167F0D79-9317-48AE-AEDB-17120579F8E2/NDP451-KB2858728-x86-x64-AllOS-ENU.exe', 'C:\Windows\Temp\dotnet.exe')
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Host System
- OS: macOS (intel) / Linux / Windows
- Packer Version: All
- Vagrant Version: All
- VirtualBox Version: All
I briefly looked into this article https://support.microsoft.com/en-gb/topic/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows-server-2008-sp2-windows-embedded-posready-2009-and-windows-embedded-standard-2009-b6ab553a-fa8f-3f5e-287c-e752eb3ce5f4
None of the stand-alone package installers from https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276 worked for me, though.
I have worked through a couple of scenarios here, and I believe I will need to shift downloads performed during the autounattend.xml segment of the build into a later provisioner with either a pre-downloaded package provided from the host system or an alternate provisioner task that can perform the download with TLS 1.2.
I am considering adding a pre-download script for all intermediate downloads needed during the build; however, in the interest of not putting more intentionally vulnerable code on the build host, this idea may need adjustment.
Ideas are in the works.
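
A host-side pre-download step of the kind considered in the last comment, as an added example that is not part of the issue thread or the project's code: it fetches over HTTPS with a TLS 1.2 floor, never executes the file, and keeps it only if it matches a pinned SHA-256. The function names and the pinned-digest argument are assumptions; the digest itself has to come from a trusted source.

```python
import hashlib
import os
import ssl
import tempfile
import urllib.request
from urllib.parse import urlsplit

def tls12_context():
    """Default trust store, certificate checks on, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def https_chunks(url, chunk=1 << 16):
    """Stream the body on the build host, where TLS 1.2 is available."""
    with urllib.request.urlopen(url, context=tls12_context(), timeout=60) as resp:
        while True:
            block = resp.read(chunk)
            if not block:
                return
            yield block

def prefetch(url, dest, expected_sha256, fetch=https_chunks):
    """Download url to dest; keep the file only if its SHA-256 matches the pin.

    `fetch` is injectable (assumption of this example) so the integrity
    logic can be exercised without network access.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS source: " + url)
    digest = hashlib.sha256()
    # Write next to dest so the final rename stays on one filesystem.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as out:
            for block in fetch(url):
                digest.update(block)
                out.write(block)
        if digest.hexdigest() != expected_sha256.lower():
            raise ValueError("SHA-256 mismatch for " + url)
        os.replace(tmp, dest)  # atomic: a provisioner never sees a partial file
    finally:
        if os.path.exists(tmp):  # still present only when the download was rejected
            os.remove(tmp)
    return dest
```

The verified file can then be handed to the guest by a file provisioner, so the guest needs no TLS 1.2 support before dotnet 4.5 is installed.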