Installer fails at curl due to self-signed certificate #19
Comments
|
The only good solution is to generate a more offline setup that bundles as much content as possible into the installer. I'll prioritize this issue. I can't bundle everything, so I may need some back and forth with you in this ticket to get an offline setup that works.
|
|
I hate to inconvenience you, but I'd love to muddle through testing to help get it working. Let me know what I can do and when. |
|
If you are willing to get your hands dirty, can you:
|
|
New error code from curl now: I tried with both the original curl-ca-bundle.crt with my cert appended and with my cert renamed to curl-ca-bundle.crt. Copying my curl in is necessary to get the new error code. |
|
Can you try running your system (company) curl directly and reply with the output? |
|
Sorry, looks like that is my problem. I'll check with someone here and let you know if I still have a problem. Do you want me to close this issue now or wait until my install is successful? C:\Users\BarronRauEA>curl -v -L -o msys2-base.exe https://github.com/msys2/msys2-installer/releases/download/2022-01-28/msys2-base-x86_64-20220128.sfx.exe
|
|
Let's keep it open. Can you try to add (DKML uses sha256 checksum validation after downloading any content, so the insecure mode ( |
|
It does work with -k. I should have included that info before.
Perhaps it is too kludgy, but would it be possible to pass the curl -k flag through from the command line when calling the setup-diskuv-ocaml*?
From: jonahbeckford ***@***.***>
Sent: Friday, December 2, 2022 4:08 PM
To: diskuv/dkml-installer-ocaml ***@***.***>
Cc: Barron Rau ***@***.***>; Author ***@***.***>
Subject: Re: [diskuv/dkml-installer-ocaml] Installer fails at curl due to self-signed certificate (Issue #19)
Let's keep it open. Can you try to add -k to the curl command and see if that works?
(DKML uses sha256 checksum validation after downloading any content, so the insecure mode (-k) of curl can be safe to use if the checksum validation can be guaranteed.)
—
Reply to this email directly, view it on GitHub<#19 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AOJKXISP6MI4APQCUN7Q25TWLJQMHANCNFSM6AAAAAASSGRVHU>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
|
- Also re-enable 32-bit MSYS2 - Fix for diskuv/dkml-installer-ocaml#19
|
No, it is not possible to pass the curl flag down. But am making a change to the installer to embed the |
|
Good morning Jonah, Thanks for all your work on this. When I go to https://github.com/diskuv/dkml-installer-ocaml/releases and click on https://github.com/diskuv/dkml-installer-ocaml/releases/download/v1.0.2/setup-diskuv-ocaml-windows_x86_64-1.0.2.exe I get a 404 error. Let me know when you want me to try it again or if there is some other way I should be downloading the installer. |
|
Use:
Use the uninstaller first, and then the installer. Tell me how that goes. |
|
Well, we bypassed the first problem. Looks like the certificate is causing another problem. I had my MSP looking at it end of the day Friday and expect to hear more from him Monday. Output now is (I edited out the repetitive lines):
|
|
Sigh. You really need access to the MSYS2 package manager. There is a flow documented at https://www.msys2.org/docs/faq/ for accepting company TLS certificates, but there is no way to do that today in the middle of the installation process. The modifications to support that will have to wait until mid-next week at the earliest, and then I want to make sure everyone in your company who wants to use it has simple steps. Can you do a Zoom chat (or some alternative) on Tuesday? |
|
Perhaps a bit of explanation - I'm an accountant and program some for work and some for hobby. This will be mostly hobby for now and I'm the only one who will need it installed. The only internet connection I have is through my business. We're part of a conservative Mennonite church that requires we only access the internet through a church-approved filter. The filter uses the self-signed certificate to man-in-the-middle the traffic for filtering purposes. I feel bad having you put so much time into this, but perhaps you want to work the bugs out of the installer for others. I'd be happy to do a screen share or some other connection if you like. We don't use the video capabilities on zoom so let me know what works best, Zoom, Teams, TeamViewer, etc are all options from my end. Would it work to add the update-ca-trust command to msys command line before synchronizing the package databases? I could copy the certificate into the installer Enjoy your Lord's day and thanks for your patience. |
|
Oh no problem. Like you mentioned I think the proxy environment you have is fairly normal. I'd like to get it working for you and others. Can you schedule some time with https://calendly.com/diskuv/30-minute-dkml-installation? We won't be able to solve the problem, but I want to test that copying the certificates actually works. We'll test it outside the installer. Then I'll know that a change to the installer will work. Have a blessed day as well! |
|
On for Monday the 12th. I'm out of the office Wed. through Fri. next week (7th - 12th). |
|
Meeting Summary:
|
|
With that test we did, I think you should be able to complete most of the installation right now. Using the links you had earlier in this thread,
Then run the following in PowerShell: # Whatever directory you use to decompress the installer
cd C:\Users\beckf\Downloads\unsigned-diskuv-ocaml-windows_x86_64-i-1.0.1
if (!(test-path "$env:TEMP\dkml-issue-19")) { new-item -itemtype directory "$env:TEMP\dkml-issue-19" }
# Change the MSYS2Dir to your customized installation!
sg\network-ocamlcompiler\windows_x86_64\setup-userprofile.bat `
-AllowRunAsAdmin `
-InstallationPrefix `
C:\Users\BARRON~2\AppData\Local\Programs\DISKUV~1 `
-MSYS2Dir `
C:\Users\BARRON~2\AppData\Local\Programs\DISKUV~1\tools\MSYS2 `
-OpamExe C:\Users\BARRON~2\AppData\Local\Programs\DISKUV~1\bin\OPAM-R~1.EXE `
-DkmlPath "$PWD\sg\NETWOR~1\WINDOW~1\dkmldir" `
-GlobalCompileDir "$PWD\sg\STAGIN~1\generic" `
-NoDeploymentSlot -DkmlHostAbi windows_x86_64 `
-TempParentPath "$env:TEMP\dkml-issue-19" `
-SkipProgressPlease tell me if anything else errors. |
|
I’ll try to get to it later today or tomorrow.
|
I have pre-release "17" that you can use. Installer: https://github.com/diskuv/dkml-installer-ocaml/releases/download/v1.1.0-prerel17/unsigned-diskuv-ocaml-windows_x86_64-i-1.0.1.exe Here is the relevant part of the upcoming release notes: New security:
(I don't have an ETA when the full release will be available, although it will be fairly soon) |
|
You can use https://github.com/diskuv/dkml-installer-ocaml/releases/tag/v1.1.0_r2 . Search for |
I am installing on a machine that is behind a proxy and uses a company certificate. The failure is:
windows_install.bc: [INFO] Downloading https://github.com/msys2/msys2-installer/releases/download/2022-01-28/msys2-base-x86_64-20220128.sfx.exewindows_install.bc: [INFO] Running command: C:\Users\BARRON~2\AppData\Local\Temp\7z17ECACAC\sg\staging-curl\windows_x86_64\bin\curl.exe -L -o C:\Users\BARRON~2\AppData\Local\Temp\path_eval_77c67b\curlo01eb9f https://github.com/msys2/msys2-installer/releases/download/2022-01-28/msys2-base-x86_64-20220128.sfx.exe% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 00 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0curl: (60) SSL certificate problem: self-signed certificate in certificate chainMore details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.FATAL [e6435b12]. A transient failure occurred.Root cause: The conformant command had exit code 60: C:\Users\BARRON~2\AppData\Local\Temp\7z17ECACAC\sg\staging-curl\windows_x86_64\bin\curl.exe -L -o C:\Users\BARRON~2\AppData\Local\Temp\path_eval_77c67b\curlo01eb9f https://github.com/msys2/msys2-installer/releases/download/2022-01-28/msys2-base-x86_64-20220128.sfx.exeA transient failure occurred.dkml-package.bc: [ERROR] FATAL [5f927a8b].A transient failure occurred.Root cause: The command had exit code 20:C:\Users\BARRON~2\AppData\Local\Temp\7z17ECACAC\bin\dkml-install-user-runner.exeinstall-user-network-unixutils--verbosity=info --color=always--prefix C:\Users\BarronRauEA\AppData\Local\Programs\DiskuvOCaml--staging-files C:\Users\BARRON~2\AppData\Local\Temp\7z17ECACAC\sgA transient failure occurred.It appears that the installer uses a copy of curl from a temp file at
C:\Users\BarronRauEA\AppData\Local\Temp\7z6912243C\sg\staging-curl\windows_x86_64\bin. I tried adding my cert to the end of thecurl-ca-bundle.crtfile and rerunning the installer but had the same problem. I also tried removing the staged cert file and curl.exe and replaced them with a shortcut to my local curl installation, with the same failure.Is it possible for the installer to use my existing instance of curl instead of the staged one or is there a way for the staged instance to use my certificate?
The text was updated successfully, but these errors were encountered: