gknauth
2021-2-7 15:23:50

Just downloaded the nightly snapshot. Tried to update a package, got this. I’m trying to remember how to resolve this problem.
raco pkg update files-viewer
Resolving "files-viewer" via https://plt.cs.northwestern.edu/snapshots/20210206-965c941caa/catalog/
ssl-connect: connect failed (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed)


spdegabrielle
2021-2-7 15:24:19

let me try


samth
2021-2-7 21:58:18

This looks like a problem that @robby was having recently as well


robby
2021-2-7 22:15:39

Yeah, I don’t know what’s going on, as visiting plt.cs.northwestern.edu in a browser works just fine


robby
2021-2-7 22:16:41

I’ve asked the people who run the webserver (IT staff at Northwestern) if they have any ideas. It seemed to start happening when the name changed from plt.eecs to plt.cs, so hopefully there will be something easy that they know how to fix.


samth
2021-2-7 22:21:30

Since it works in a browser and fails on multiple machines in Racket, it seems likely that there’s something we need to do differently in Racket somewhere


samth
2021-2-7 22:21:53

@gknauth what kind of machine is it that had the problem?


robby
2021-2-7 22:43:24

I don’t think this is machine specific, @samth. Here’s how to make it fail:
#lang racket
(require net/url net/url-connect)
(current-https-protocol 'secure)
(close-input-port (get-pure-port (string->url "https://plt.cs.northwestern.edu/")))


samth
2021-2-7 22:52:33

You can tell your admins that it also fails in curl


robby
2021-2-7 22:53:09

How do you get curl to fail?


robby
2021-2-7 22:53:38

This works: curl -o x.html https://plt.cs.northwestern.edu/


samth
2021-2-7 22:53:56

I just did curl https://plt.cs.northwestern.edu


samth
2021-2-7 22:54:07

And got an ssl error


robby
2021-2-7 22:54:08

That works for me.


robby
2021-2-7 22:54:43

$ curl --version
curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy


samth
2021-2-7 22:54:50

[samth@homer:~/tmp plt] curl -vvv https://plt.cs.northwestern.edu/
* Trying 129.105.5.241:443...
* TCP_NODELAY set
* Connected to plt.cs.northwestern.edu (129.105.5.241) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.


samth
2021-2-7 22:55:10

[samth@homer:~/tmp plt] curl --version
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.3/openssl/zlib nghttp2/1.41.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets


robby
2021-2-7 22:57:06

okay, thanks. Maybe the diagnostic from your attempt will be helpful.


gknauth
2021-2-7 23:27:06

@robby I’m quite late answering your question, but I did the above on macOS Big Sur. I downloaded the 8.0.0.5 snapshot from Northwestern Sunday morning.


gknauth
2021-2-7 23:28:52

I had the same result from curl as @samth.


robby
2021-2-7 23:29:32

Maybe that was @samth’s question. :)


gknauth
2021-2-7 23:30:11

Oops, yeah you’re right.



samth
2021-2-8 03:48:52

Specifically, the trust chain for the certificate used involves an intermediate cert that is neither sent with the request nor in the trust store


robby
2021-2-8 03:52:16

Thanks! I’ve passed that on.