X-Recipient: archive-cygwin AT delorie DOT com X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org C8414385840E Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=dronecode.org.uk Authentication-Results: sourceware.org; spf=none smtp.mailfrom=dronecode.org.uk Authentication-Results: btinternet.com; auth=pass (PLAIN) smtp.auth=jonturney AT btinternet DOT com; bimi=skipped X-SNCR-Rigid: 613A8DE81430F8DC X-Originating-IP: [86.139.167.74] X-OWM-Source-IP: 86.139.167.74 (GB) X-OWM-Env-Sender: jonturney AT btinternet DOT com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedvvddrieefgdejudcutefuodetggdotefrodftvfcurfhrohhfihhlvgemuceutffkvffkuffjvffgnffgvefqofdpqfgfvfenuceurghilhhouhhtmecufedtudenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepkfffgggfuffvfhfhjggtgfesthekredttdefjeenucfhrhhomheplfhonhcuvfhurhhnvgihuceojhhonhdrthhurhhnvgihsegurhhonhgvtghouggvrdhorhhgrdhukheqnecuggftrfgrthhtvghrnheptdeijeeijeehtdeftdehteeggfegfeeifeeufedthfdtudfgfeffjedtudfgueehnecuffhomhgrihhnpegthihgfihinhdrtghomhdpmhhirhhrohhrihhfihhtphhrvghsvghnthhsrggtrhhlughovghsnhhtmhgrkhgvrghlohhtohhfshgvnhhsvgdrihhmpdhhthhtphhsthhotgihghifihhnrdgtohhmpdhhthhtphhnohhpvghfohhrthhhvghrvggrshhonhhsrghlrhgvrgguhihgihhvvghnsgihrggurghmrdhiugenucfkphepkeeirddufeelrdduieejrdejgeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopegludelvddrudeikedruddruddtfegnpdhinhgvthepkeeirddufeelrdduieejrdejgedpmhgrihhlfhhrohhmpehjohhnrdhtuhhrnhgvhiesughrohhnvggtohguvgdrohhrghdruhhkpdhnsggprhgtphhtthhopedvpdhrtghpthhtoheptgihghifihhnsegthihgfihi nhdrtghomhdprhgtphhtthhopehvrghnuggrrdhvohgukhgrmhhilhhkvghvihgthhesghhmrghilhdrtghomh X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean Message-ID: <7bec0294-c042-0e42-dca7-352fd108534e@dronecode.org.uk> Date: Fri, 11 Feb 2022 15:08:14 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1 Subject: Re: Setup 2.917 fails to load mirror list Content-Language: en-GB To: Vanda Vodkamilkevich , The Cygwin Mailing List References: <904e9b5c-bd3e-9afc-1512-c5e659156dec AT dronecode DOT org DOT uk> <6188769f-6250-384e-cfac-be2b460c872e AT dronecode DOT org DOT uk> From: Jon Turney In-Reply-To: X-Spam-Status: No, score=-3570.7 required=5.0 tests=BAYES_00, FORGED_SPF_HELO, KAM_DMARC_STATUS, KAM_LAZY_DOMAIN_SECURITY, NICE_REPLY_A, RCVD_IN_DNSWL_NONE, SPF_HELO_PASS, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: cygwin AT cygwin DOT com X-Mailman-Version: 2.1.29 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8"; Format="flowed" Errors-To: cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com Sender: "Cygwin" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 21BF9AN5032184 On 10/02/2022 14:49, Vanda Vodkamilkevich wrote: > Le jeu. 10 févr. 2022 à 14:54, Jon Turney a écrit : >> On 09/02/2022 15:35, Vanda Vodkamilkevich wrote: >>> If it helps, the output log when I saw the issues with setup >> >>> ########### Try to download with proxy set >> [...] >>> Cached mirror list unavailable >> [...] >>> HTTP status 403 fetching https://cygwin.com/mirrors.lst >> >>> ########### Using 2.908 version: it works >> [...] >>> Cached mirror list unavailable >> [...] >>> Fetched URL: http://cygwin.com/mirrors.lst >> >>> ########### Rerun with new version >> [...] >>> Loaded cached mirror list >> [...]> connection error: 12057 fetching >> https://cygwin.com/mirrors.lst >>> Using cached mirror list >> >> The significant change seems to be we now fetch the mirror list >> using https (since 2.892, but since you are using a self-built >> setup with local changes, you don't seem to have picked that up >> until now) >> >> 12057 is ERROR_INTERNET_SEC_CERT_REV_FAILED, which leads down quite >> a rabbit hole, but apparently this means something like >> 'certificate validity isn't checked in the process using wininet, >> but in a service, which doesn't have access to the proxy >> credentials we are using, so fails trying to fetch any CRL'. >> >> You don't mention that your proxy actually needs any credentials. >> >> Why we get a different error code the second time is mysterious. >> >> How we can then go on to successfully fetch from a https:// mirror >> if it presents a CRL doesn't make a lot of sense. >> >> I'm baffled. > > You nailed it... My corporate proxy blocks the https to the mirror > list. And my old version of setup was using http. This could mean: - https is blocked by the proxy (due to policy or misconfiguration) - https to cygwin.com is blocked by the proxy (ditto) - the setup code is doing something wrong so that the proxy is blocking it's attempt to use http here > Maybe if https failed you should retry with http? Nope, for the reasons already given by Adam. I'd *maybe* consider a patch adding an '--no-https' option which causes plain http:// to be used (and probably turns off [1] as well) to allow setup to run in environments which are hostile to https. [1] https://cygwin.com/git/?p=cygwin-apps/setup.git;a=commitdiff;h=b4947fb6db0cbd8b0c673dc49a18224c44da8116;hp=57ddb743c06996e93567a98c6de6694ddcc5d616 > Btw where is this mirror list file saved? I could cheat by fetching > it with http before using setup? The 'cached mirror list' referred to here is stored in the mirrors-lst key in /etc/setup/setup.rc -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple