
Update helix references #61755

richlander
Member

I tried to modernize how we handle helix references (and update them). These changes may require a couple of updates.

Also filed: #61754. Somewhat related.

@richlander richlander requested review from wtgodbe and a team as code owners April 30, 2025 20:23
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Apr 30, 2025
Contributor

Hey @dotnet/aspnet-build, looks like this PR is something you want to take a look at.

Member

@wtgodbe wtgodbe left a comment


LGTM pending CI/helix-matrix

@wtgodbe
Member

wtgodbe commented Apr 30, 2025

There are some new Kestrel test failures on Ubuntu22 here that we didn't previously see on Ubuntu20 - they look to be Crypto related. @halter73 can you route?

@richlander
Member Author

richlander commented Apr 30, 2025

Ubuntu 22.04 has OpenSSL 3.x. Perhaps the tests are not expecting that?

These types of upgrades frequently cause breaks in dotnet/runtime. We're testing with Ubuntu 25.04 in that repo, with a goal of moving to 26.04 before it ships. Let's get to Ubuntu 22.04 first, but we should try to adopt the same model here as with runtime (in main).

@wtgodbe
Member

wtgodbe commented May 2, 2025

Discussing this offline w/ Stephen & @JeremyKuhne

@halter73
Member

halter73 commented May 2, 2025

I pinged @bartonjs about it. He asked if we're using a certificate with a chain involving a UPN Name Constraint, but I don't think we are. The simplest one might be this one that just tries to new up an X509Certificate2 from a test aspnetdevcert.pfx that we pass directly to UseHttps() which AFAICT doesn't have any unusual constraints. It's very expired, but that's a different issue.

Microsoft.AspNetCore.Server.Kestrel.Tests.HttpsConfigurationTests.UseHttpsMayNotImplyUseKestrelHttpsConfiguration

System.Security.Cryptography.CryptographicException : Error occurred during a cryptographic operation.
   at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.MapOpenSsl30Code(X509VerifyStatusCode code)
   at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.AddElementStatus(X509VerifyStatusCode errorCode, List`1 elementStatus, List`1 overallStatus, Boolean& overallHasNotSignatureValid)
   at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.AddElementStatus(ErrorCollection errorCodes, List`1 elementStatus, List`1 overallStatus, Boolean& overallHasNotSignatureValid)
   at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.BuildChainElements(WorkingChain workingChain, List`1& overallStatus)
   at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.Finish(OidCollection applicationPolicy, OidCollection certificatePolicy)
   at System.Security.Cryptography.X509Certificates.ChainPal.BuildChainCore(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, X509Certificate2Collection customTrustStore, X509ChainTrustMode trustMode, DateTime verificationTime, TimeSpan timeout, Boolean disableAia)
   at System.Security.Cryptography.X509Certificates.ChainPal.BuildChain(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, X509Certificate2Collection customTrustStore, X509ChainTrustMode trustMode, DateTime verificationTime, TimeSpan timeout, Boolean disableAia)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
   at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust, Boolean noOcspFetch)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware..ctor(ConnectionDelegate next, HttpsConnectionAdapterOptions options, HttpProtocols httpProtocols, ILoggerFactory loggerFactory, KestrelMetrics metrics) in /_/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs:line 108
   at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.<>c__DisplayClass11_0.<UseHttps>b__0(ConnectionDelegate next) in /_/src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs:line 202
   at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.Build() in /_/src/Servers/Kestrel/Core/src/ListenOptions.cs:line 199
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.<>c__DisplayClass28_0`1.<<StartAsync>g__OnBind|0>d.MoveNext() in /_/src/Servers/Kestrel/Core/src/Internal/KestrelServerImpl.cs:line 196
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context, CancellationToken cancellationToken) in /_/src/Servers/Kestrel/Core/src/Internal/AddressBinder.cs:line 90
   at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context, CancellationToken cancellationToken) in /_/src/Servers/Kestrel/Core/src/ListenOptions.cs:line 224
   at Microsoft.AspNetCore.Server.Kestrel.Core.AnyIPListenOptions.BindAsync(AddressBindContext context, CancellationToken cancellationToken) in /_/src/Servers/Kestrel/Core/src/AnyIPListenOptions.cs:line 42
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.EndpointsStrategy.BindAsync(AddressBindContext context, CancellationToken cancellationToken) in /_/src/Servers/Kestrel/Core/src/Internal/AddressBinder.cs:line 219
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken) in /_/src/Servers/Kestrel/Core/src/Internal/KestrelServerImpl.cs:li

[Fact]
public async Task UseHttpsMayNotImplyUseKestrelHttpsConfiguration()
{
    var hostBuilder = new WebHostBuilder()
        .UseKestrelCore()
        .ConfigureKestrel(serverOptions =>
        {
            serverOptions.ListenAnyIP(0, listenOptions =>
            {
                listenOptions.UseHttps(new HttpsConnectionAdapterOptions()
                {
                    ServerCertificate = new X509Certificate2(Path.Combine("shared", "TestCertificates", "aspnetdevcert.pfx"), "testPassword"),
                });
            });
        })
        .Configure(app => { });

    var host = hostBuilder.Build();

    // Binding succeeds
    await host.StartAsync();
    await host.StopAsync();

    // This is more documentary than normative
    Assert.False(host.Services.GetRequiredService<IHttpsConfigurationService>().IsInitialized);
}

@halter73
Member

halter73 commented May 3, 2025

FWIW, if I create a "Ubuntu Server 22.04 LTS - x64 Gen2" VM on Azure, clone the aspnetcore repo and run the UseHttpsMayNotImplyUseKestrelHttpsConfiguration test, it passes. I think it's something going on with the Helix agent in particular and not just Ubuntu 22.04 in general. Should we try recreating the agent?

Here's the failure on the CI: https://dev.azure.com/dnceng-public/public/_build/results?buildId=1031039&view=ms.vss-test-web.build-test-results-tab&runId=27684240&resultId=113534&paneView=debug
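
Added example (not part of the PR thread or the aspnetcore code base): a console program that isolates the `X509Chain.Build` call seen in the stack trace, so the same binary can be run on the Helix agent and on a clean Ubuntu 22.04 VM and the per-element chain status compared without Kestrel in the picture. The class name and the chain policy settings are assumptions; they do not reproduce exactly what `SslStreamCertificateContext.Create` configures.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

internal static class ChainRepro // hypothetical name, not from the repo
{
    private static int Main(string[] args)
    {
        // Defaults are the path and password used by the quoted test; override via args.
        string pfxPath = args.Length > 0 ? args[0]
            : Path.Combine("shared", "TestCertificates", "aspnetdevcert.pfx");
        string password = args.Length > 1 ? args[1] : "testPassword";

        // Record the environment so runs on different machines can be compared.
        Console.WriteLine($"Runtime: {RuntimeInformation.FrameworkDescription}");
        Console.WriteLine($"OS:      {RuntimeInformation.OSDescription}");

        // Same constructor as the test (newer SDKs flag it as obsolete, but it still works).
        using var cert = new X509Certificate2(pfxPath, password);
        Console.WriteLine($"Subject: {cert.Subject}");
        Console.WriteLine($"Valid:   {cert.NotBefore:yyyy-MM-dd} to {cert.NotAfter:yyyy-MM-dd}");

        using var chain = new X509Chain();
        // Assumed policy: stay offline so the result does not depend on network access.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.DisableCertificateDownloads = true;
        try
        {
            bool trusted = chain.Build(cert);
            Console.WriteLine($"Build returned {trusted}; {chain.ChainElements.Count} element(s)");
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine($"  {element.Certificate.Subject}");
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine($"    {status.Status}: {status.StatusInformation}");
            }
            return 0;
        }
        catch (CryptographicException ex)
        {
            // The failure mode in the stack trace: chain building itself throws.
            Console.WriteLine($"Chain build threw: {ex}");
            return 1;
        }
    }
}
```

An expired, untrusted certificate normally yields `false` with status flags rather than an exception, so exit code 1 on one machine and 0 on the other points at the environment rather than the test.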

@richlander
Member Author

We could also try running in a container. That might be better anyway.
