Alire (really curl) certificate problem on Windows

I’m on to my next experiment with Alire: using an existing crate. I created a project and then did alr with xmlada to install the XMLAda library into my project. When Alire tries to deploy xmlada, it uses curl to fetch the library and, on my Windows system, I get this:

Note: Deploying xmlada=25.0.0...
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The website given talks generally about how curl finds issuer certificates and suggests that, on Windows, I might try using the system certificate cache by providing the --ca-native command line option to curl. I’m guessing that would work, since I doubt the server is using an exotic certificate issuer. My question is: how can I apply that command line argument? In this case, curl is being run by Alire, and not by me directly. Is there a setting somewhere for this?

Stepping back… I installed Alire on this system a while ago and successfully downloaded a toolchain at that time. I didn’t have time to play with Alire then, so I set it aside. More recently, I updated Alire and started working with it. I find that, in addition to not being able to download XMLAda, I also can’t download an updated toolchain (I get the same error from curl).

This leads me to wonder if there was some change in the more recent version of Alire on Windows that caused breakage: the old version was applying --ca-native on curl, but the new version doesn’t (maybe?). Or perhaps there is some leftover configuration from the old version that is causing confusion. I would welcome insights on this.

Thanks!

For the record I checked which curl is in my path and it is this one: C:\Windows\System32\curl.exe. At first I wondered if there could be a conflict with the curl alias in PowerShell, so I removed the alias. That didn’t help, but that’s not surprising since Alire is creating a child curl process (I assume) and PowerShell is not involved in that.

On Windows, Alire utilizes msys2. If you can open alire from the start menu, it should send you to a terminal that is in the msys2 environment.

Hopefully someone can chime in on how to pass other items to curl, but in the meantime, could you try updating the packages by running pacman -Suy?

If it tells you that the update requires closing the terminal, you can press yes then after it’s finished (and presumably closes the terminal), try re-updating with pacman -Suy again.

Hmm. When I open Alire from the start menu, I get a PowerShell prompt. The command where.exe pacman says there is no such file.

I also have an MSYS folder on my start menu with various flavors of options. However, I think that was added by Git for Windows… or at least some of it was. The “Git Bash” icon on my desktop opens a bash window with “MINGW64” in the prompt. However, the command which pacman does not return anything there either. (The which command is coming from Cygwin, by the way… yes, confusing I know).

I successfully installed Alire on a different machine, and it was able to download items via curl fine. Comparing the installation on the new machine with the installation on my primary machine yielded some insights.

First, I was able to update MSYS via the “MSYS2 MSYS” command prompt located in the MSYS folder on the start menu (the Alire start menu item opens a PowerShell with alr in the path, but does not seem to give direct access to anything related to MSYS).

The update didn’t help. The certificate problem was still present.

Since everything does work on the second machine, I removed Alire and MSYS from my primary machine, careful to not leave behind any components (hopefully). I then re-installed Alire from scratch. However, when I attempt to get a toolchain via alr toolchain --select I am prompted to install msys2, but the download of msys2 fails immediately with:

curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - The revocation function was unable to check revocation for the certificate.

ERROR: Command ["curl", "https://github.com/msys2/msys2-installer/releases/download/2024-07-27/msys2-x86_64-20240727.exe", "--location", "--progress-bar", "--output", "C:\Users\spica\AppData\Local\alire\cache\msys64\msys2-x86_64-20240727.exe"] exited with code 35. (This error can be overridden with --force.)

There is apparently something odd about the configuration of my primary machine that is causing problems. I will continue investigating this since, at the moment, I can’t use Alire on my primary Windows system (the other machine where it installed successfully isn’t an option for me for other reasons).

As an aside, Alire works fine for me on my MacBook and my Linux system.

I figured out my problem: Norton 360.

Although Norton claimed to have automatically created rules for curl allowing it to access the network normally (and it appeared like it did), for some reason it was still interfering with the way certificates were being handled. Temporarily turning off the “Safe Web” feature allowed everything to work fine.

I wish I understood more precisely exactly what the problem was so I could configure an appropriate exception rule, but that is an issue for another forum. At least I understand what is going on, and I can move forward from here.

3 Likes
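To narrow down this kind of failure, the following PowerShell check shows which certificate the machine is actually served for the download host and whether Windows can build and revocation-check its chain. It is an added example, not part of the original posts or of Alire; the host name comes from the failing download URL above, and relating the reported chain flags to the two curl errors is an assumption.

```powershell
# Added diagnostic (not from the thread). Run it in the same session where alr fails,
# once with the security product's web filtering on and once with it off.
$HostName = 'github.com'   # host from the failing msys2 download URL
$Port     = 443
$ssl      = $null

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # Accept whatever is presented: the goal is to inspect it, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    # Copy the certificate before the stream is disposed.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $ssl.RemoteCertificate
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Rebuild the chain the way Windows validates it, with online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$trusted = $chain.Build($leaf)

'Leaf subject : ' + $leaf.Subject
'Leaf issuer  : ' + $leaf.Issuer
'Chain as built by Windows (leaf first):'
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$top = ($chain.ChainElements | Select-Object -Last 1).Certificate
'Top-of-chain thumbprint: ' + $top.Thumbprint
"Chain valid with online revocation check: $trusted"

# Translate the chain status flags into the two failure kinds seen in the curl output.
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
switch ($flags) {
    { $_ -in 'RevocationStatusUnknown', 'OfflineRevocation' } {
        "  ${_}: revocation could not be checked (compare CRYPT_E_NO_REVOCATION_CHECK)"
    }
    { $_ -in 'UntrustedRoot', 'PartialChain' } {
        "  ${_}: no trusted issuer found (compare 'unable to get local issuer certificate')"
    }
    default { "  ${_}" }
}
```

Comparing the issuer and top-of-chain thumbprint with the output from a machine where alr works shows whether something local is substituting the certificate; identical values with a revocation flag point at blocked CRL/OCSP traffic instead.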

Good luck! Back when I first started messing with alire on my macbook, I had multiple archs of homebrew, macports, and various different things in PATH and it was such a mess to untangle… I feel your pain.

1 Like