mkbundle --list-targets on windows fails with System.Net.WebException CERTIFICATE_VERIFY_FAILED

[dcasota]

Steps to Reproduce

1. deploy MS windows server 2019
2. install Mono. msiexec /i mono-6.4.0.198-x64-0.msi INSTALLFOLDER="c:\mono" /qb
3. run mkbundle --list-targets

Current Behavior

mkbundle --list-targets throws an unhandled exception.

Expected Behavior

list targets

On which platforms did you notice this

[ ] macOS
[ ] Linux
[x] Windows

Version Used:
Microsoft Windows [Version 10.0.17763.557]
Mono JIT compiler version 6.4.0 (Visual Studio built mono)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
TLS: __thread
SIGSEGV: normal
Notification: Thread + polling
Architecture: amd64
Disabled: none
Misc: softdebug
Interpreter: yes
LLVM: supported, not enabled.
Suspend: preemptive
GC: sgen (concurrent by default)

Stacktrace

C:\mono\bin>mkbundle --list-targets
Available targets locally:
        default - Current System Mono

Unhandled Exception:
System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at D:\j\workspace\build-package-win-mono\2019-06\external\boringssl\ssl\handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <f842f4ab33544c528a167c9cde20e667>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <f842f4ab33544c528a167c9cde20e667>:0
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <f842f4ab33544c528a167c9cde20e667>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <f842f4ab33544c528a167c9cde20e667>:0
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <f842f4ab33544c528a167c9cde20e667>:0
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x00176] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <f842f4ab33544c528a167c9cde20e667>:0
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebOperation.Run () [0x0009a] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x00061] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.DownloadString (System.Uri address) [0x00011] in <f842f4ab33544c528a167c9cde20e667>:0
  at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadString(System.Uri)
  at MakeBundle.Main (System.String[] args) [0x009e5] in <2bb15ee6195f4e80b501c9a45862b71e>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at D:\j\workspace\build-package-win-mono\2019-06\external\boringssl\ssl\handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <f842f4ab33544c528a167c9cde20e667>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <f842f4ab33544c528a167c9cde20e667>:0
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <f842f4ab33544c528a167c9cde20e667>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <f842f4ab33544c528a167c9cde20e667>:0
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <f842f4ab33544c528a167c9cde20e667>:0
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x00176] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <f842f4ab33544c528a167c9cde20e667>:0
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebOperation.Run () [0x0009a] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x00061] in <f842f4ab33544c528a167c9cde20e667>:0
  at System.Net.WebClient.DownloadString (System.Uri address) [0x00011] in <f842f4ab33544c528a167c9cde20e667>:0
  at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadString(System.Uri)
  at MakeBundle.Main (System.String[] args) [0x009e5] in <2bb15ee6195f4e80b501c9a45862b71e>:0

C:\mono\bin>

The docs https://www.mono-project.com/archived/usingtrustedrootsrespectfully/ or https://www.mono-project.com/docs/tools+libraries/tools/mkbundle/ unfortunately do not provide a reference for prerequisites mkbundle on windows.

[dcasota]

In reference to https://github.com/mono/mono/blob/master/mcs/tools/mkbundle/mkbundle.cs the param --list-targets assembles a downloadstring (new Uri (target_server + "target-sdks.txt")). target_server in mkbundle.cs is defined as static string https://download.mono-project.com/runtimes/raw/".
In reference to https://www.mono-project.com/docs/faq/security/ using certmgr.exe it may be possible to manually import the certificate of https://download.mono-project.com.

certmgr.exe of Mono 6.4.0.198 on Windows W2K19 10.0.17763.557 is installed in \lib\mono\4.5.

Unfortunately it throws another error independent:

Stacktrace

C:\mono\lib\mono\4.5>certmgr.exe -ssl -m "https://download.mono-project.com"
Mono Certificate Manager - version 6.4.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Unhandled Exception: System.MissingMethodException: Method not found: 'Void System.Array.Reverse(!!0[], Int32, Int32)'.
   at Mono.Security.X509.X509Certificate.Parse(Byte[] data)
   at Mono.Security.X509.X509Certificate..ctor(Byte[] data)
   at Mono.Tools.CertificateManager.<>c__DisplayClass18_0.<GetCertificatesFromSslSession>b__0(Object s, X509Certificate cert, X509Chain chain, SslPolicyErrors p)
   at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertValidationCallback remoteCertValidationCallback, ProtocolToken& alertToken)
   at System.Net.Security.SslState.CompleteHandshake(ProtocolToken& alertToken)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
   at Mono.Tools.CertificateManager.GetCertificatesFromSslSession(String url)
   at Mono.Tools.CertificateManager.Ssl(String host, Boolean machine, Boolean verbose)
   at Mono.Tools.CertificateManager.Main(String[] args)

C:\mono\lib\mono\4.5>

Same behavior on Mono x86 as well as on Mono x64.

The secure connection site information of https://download.mono-project.com/runtimes/raw/ shows that the certificate is issued by Microsoft IT TLS CA 2 and issued to *.vo.msecnd.net

The subject alternative name does not contain a wildcard DNS name *.mono-project.com however download.mono-project.com.

The certificate of https://mono-project.com is issued by Let's encrypt Authority X3 and issued to www.mono-project.com.

The subject alternative name contains only one entry DNS Name=www.mono-project.com.

In mkbundle.cs the source contains

			case "--list-targets":
				CommandLocalTargets ();
				var wc = new WebClient ();
				var s = wc.DownloadString (new Uri (target_server + "target-sdks.txt"));

but also

			Directory.CreateDirectory (directory);
			var wc = new WebClient ();
			var uri = new Uri ($"{target_server}{fetch_target}");
			try {
				if (!quiet){
					Console.WriteLine ($"Downloading runtime {uri} to {zip_download}");
				}
				
				wc.DownloadFile (uri, zip_download);

Afaik wc.downloadfile is the only code part where a download is processed.
May someone check where to add
System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; The issue seems to be a TLS 1.1 1.2 issue. Please check.

[steveisok]

/cc @baulig

[dcasota]

On the Windows setup certmgr.bat imports certificates. It uses mono.exe to start certmgr.exe.

C:\mono\bin>dir c:\mono\lib\mono\4.5\certmgr.*
 Volume in drive C is Windows
 Volume Serial Number is C401-2850

 Directory of c:\mono\lib\mono\4.5

09/18/2019  09:15 PM            30,208 certmgr.exe
09/18/2019  09:15 PM             5,208 certmgr.pdb
               2 File(s)         35,416 bytes
               0 Dir(s)  125,316,640,768 bytes free

C:\mono\bin>dir c:\mono\bin\certmgr.*
 Volume in drive C is Windows
 Volume Serial Number is C401-2850

 Directory of c:\mono\bin

09/18/2019  09:16 PM               123 certmgr
09/18/2019  09:16 PM                83 certmgr.bat
               2 File(s)            206 bytes
               0 Dir(s)  125,310,218,240 bytes free

C:\mono\bin>type certmgr.bat
@echo off
"%~dp0\mono.exe" %MONO_OPTIONS% "%~dp0\..\lib\mono\4.5\certmgr.exe" %*

C:\mono\bin>certmgr.bat -ssl -m https://download.mono-project.com
Mono Certificate Manager - version 6.4.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Self-signed X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Valid from:  5/12/2000 6:46:00 PM
   Valid until: 5/12/2025 11:59:00 PM
Import this certificate into the Trust store ?n

No certificate were added to the stores.

C:\mono\bin>certmgr.bat -ssl -m https://download.mono-project.com/runtimes/raw/
Mono Certificate Manager - version 6.4.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Self-signed X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Valid from:  5/12/2000 6:46:00 PM
   Valid until: 5/12/2025 11:59:00 PM
Import this certificate into the Trust store ?y

X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
   Valid from:  5/20/2016 12:51:57 PM
   Valid until: 5/20/2024 12:51:57 PM
   *** WARNING: Certificate signature is INVALID ***
Import this certificate into the CA store ?y

X.509 Certificate v3
   Issued from: C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
   Issued to:   CN=*.vo.msecnd.net
   Valid from:  3/30/2018 5:48:56 PM
   Valid until: 3/30/2020 5:48:56 PM
Import this certificate into the AddressBook store ?y

3 certificates added to the stores.

C:\mono\bin>

Another finding is that I had to start certmgr.bat twice.
The certificates were signaled as added to the stores. The CA store Microsoft IT TLS CA 2 certificate is still displayed with a warning.

C:\mono\bin>certmgr.bat -ssl -m https://download.mono-project.com/runtimes/raw/
Mono Certificate Manager - version 6.4.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Self-signed X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Valid from:  5/12/2000 6:46:00 PM
   Valid until: 5/12/2025 11:59:00 PM
This certificate is already in the Trust store.

X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
   Valid from:  5/20/2016 12:51:57 PM
   Valid until: 5/20/2024 12:51:57 PM
   *** WARNING: Certificate signature is INVALID ***
This certificate is already in the CA store.

X.509 Certificate v3
   Issued from: C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
   Issued to:   CN=*.vo.msecnd.net
   Valid from:  3/30/2018 5:48:56 PM
   Valid until: 3/30/2020 5:48:56 PM
This certificate is already in the AddressBook store.

No certificate were added to the stores.

C:\mono\bin>

There is a batch script mkbundle.bat using mono.exe to start mkbundle.exe, but after having imported the certificates using certmgr.bat it still throws the exception.

C:\mono\bin>type mkbundle.bat
@echo off
"%~dp0\mono.exe" %MONO_OPTIONS% "%~dp0\..\lib\mono\4.5\mkbundle.exe" %*

C:\mono\bin>mkbundle.bat --list-targets
Available targets locally:
        default - Current System Mono

Unhandled Exception:
System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

To check which certificates are in which stores, type
checkmgr.bat -list -c Trust the valid store is Trust. The Baltimore certificate is listed as well.
checkmgr.bat -list -c CA the valid store is CA. Unfortunately this does not list any certificate.
checkmgr.bat -list -c AddressBook the valid store is AddressBook. Unfortunately this does not list any certificate.
certmgr.bat -list -c throws an exception. checkmgr.bat -list -c Wrong is more user friendly and displays all valid store names.

Findings:

1. mkbundle.bat --list-targets (or mkbundle.exe --list-targets) throws an exception that may have a correlation to TLS 1.1 1.2.
2. certmgr.bat -ssl -m https://download.mono-project.com/runtimes/raw/-imported certificates do no affect the behavior of mkbundle.exe --list-targets.

[directhex]

The long-standing issue is we have no mechanism to import a default state for the Mono trust store on Windows (i.e. Mono doesn't use the Windows trust store, doesn't bundle a trust store, and doesn't sync from the Windows trust store to its own format either).

As a workaround, if you have a PEM bundle handy, e.g. from a Cygwin install, you can import it (c:\cygwin\etc\pki\ca-trust\extracted\pem>cert-sync tls-ca-bundle.pem) - but obviously that's a bad user experience.

[dcasota]

@directhex I am a beginner in Mono and non-English. Some of the Mkbundle instructions learned are applicable as well on Linux as on Windows, some not (yet?). But mostly it seems to be a learn&study project, and it evolves. The implicit expectation of some sort of trust store sync has been first. OpenSSL is on Windows as well as on Linux. I didn't figure out where to fix the Mkbundle prerequisites. There are no visualized if-this-then-that software development workflow docs.

[dcasota]

Here's the script creating a VM from the Azure W2k19 template: https://github.com/dcasota/azure-scripts/blob/master/W2K19-Install.ps1. Here's the script installing Mono on W2K19 https://github.com/dcasota/azure-scripts/blob/master/MonoOnW2K19-install.ps1

@directhex According to #17417 Mono works on Windows (W2K19). Thank you for sharing!

[dcasota]

Unfortunately I am not skilled enough to drill down to the root cause and to get a solution bakened, but in my issue the use of mkbundle on W2k19 has become obsolet.

[sarilouis]

I was getting the same problem on my Windows 10 machine. Tried to install certificates to no avail. I eventually went around it by explicitly specifying the download URL to not use SSL as per below:

mkbundle --target-server http://download.mono-project.com/runtimes/raw/ --list-targets

[directhex]

I've filed a bug for this. #17903