Julia 1.6 libcurl firewall download issue: Windows Schannel certificate revocation check failure

In Julia 1.5.3, I had https-proxy, http_proxy, html_proxy, SSL_CERT_FILE set in the environment variables. I also had a _curlrc file with “insecure” in it in my home directory as well as a .condarc to get things working through our firewall. The SSL_CERT_FILE pointed to a .PEM file. I know little about what this all means.

In Julia 1.6, I was told by the system that I needed to remove the SSL_CERT_FILE and not have a JULIA_SSL_CA_ROOTS_PATH set to anything.

In 1.6, that seems to work for most of the repository stuff, until it gets to artifacts, like Qt and others which Plots.jl pulls in. They fail.

(xyzVector) pkg> add Plots
   Resolving package versions...
  Downloaded artifact: GLFW
  Downloaded artifact: GLFW
ERROR: Unable to automatically install 'GLFW' from 'C:\Users\bakerar\.julia\packages\GLFW_jll\cOXj2\Artifacts.toml'
Stacktrace:
  [1] error(s::String)
    @ Base .\error.jl:33
  [2] ensure_artifact_installed(name::String, meta::Dict{String, Any}, artifacts_toml::String; platform::Base.BinaryPlatforms.Platform, verbose::Bool, quiet_download::Bool)
    @ Pkg.Artifacts C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\Artifacts.jl:436
  [3] ensure_all_artifacts_installed(artifacts_toml::String; platform::Base.BinaryPlatforms.Platform, pkg_uuid::Nothing, include_lazy::Bool, verbose::Bool, quiet_download::Bool)
    @ Pkg.Artifacts C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\Artifacts.jl:501
  [4] download_artifacts(ctx::Pkg.Types.Context, pkg_roots::Vector{String}; platform::Base.BinaryPlatforms.Platform, verbose::Bool)
    @ Pkg.Operations C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\Operations.jl:702
  [5] download_artifacts(ctx::Pkg.Types.Context, pkgs::Vector{Pkg.Types.PackageSpec}; platform::Base.BinaryPlatforms.Platform, julia_version::VersionNumber, verbose::Bool)
    @ Pkg.Operations C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\Operations.jl:680
  [6] add(ctx::Pkg.Types.Context, pkgs::Vector{Pkg.Types.PackageSpec}, new_git::Vector{Base.UUID}; preserve::Pkg.Types.PreserveLevel, platform::Base.BinaryPlatforms.Platform)
    @ Pkg.Operations C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\Operations.jl:1235
  [7] add(ctx::Pkg.Types.Context, pkgs::Vector{Pkg.Types.PackageSpec}; preserve::Pkg.Types.PreserveLevel, platform::Base.BinaryPlatforms.Platform, kwargs::Base.Iterators.Pairs{Union{}, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
    @ Pkg.API C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\API.jl:197
  [8] add
    @ C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\API.jl:148 [inlined]
  [9] add(pkgs::Vector{Pkg.Types.PackageSpec}; kwargs::Base.Iterators.Pairs{Union{}, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
    @ Pkg.API C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\API.jl:73
 [10] add(pkgs::Vector{Pkg.Types.PackageSpec})
    @ Pkg.API C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\API.jl:72
 [11] do_cmd!(command::Pkg.REPLMode.Command, repl::REPL.LineEditREPL)
    @ Pkg.REPLMode C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\REPLMode\REPLMode.jl:408
 [12] do_cmd(repl::REPL.LineEditREPL, input::String; do_rethrow::Bool)
    @ Pkg.REPLMode C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\REPLMode\REPLMode.jl:386
 [13] do_cmd
    @ C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\REPLMode\REPLMode.jl:377 [inlined]
 [14] (::Pkg.REPLMode.var"#24#27"{REPL.LineEditREPL, REPL.LineEdit.Prompt})(s::REPL.LineEdit.MIState, buf::IOBuffer, ok::Bool)
    @ Pkg.REPLMode C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\REPLMode\REPLMode.jl:550
 [15] #invokelatest#2
    @ .\essentials.jl:708 [inlined]
 [16] invokelatest
    @ .\essentials.jl:706 [inlined]
 [17] run_interface(terminal::REPL.Terminals.TextTerminal, m::REPL.LineEdit.ModalInterface, s::REPL.LineEdit.MIState)
    @ REPL.LineEdit C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\REPL\src\LineEdit.jl:2441
 [18] run_frontend(repl::REPL.LineEditREPL, backend::REPL.REPLBackendRef)
    @ REPL C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\REPL\src\REPL.jl:1126
 [19] (::REPL.var"#44#49"{REPL.LineEditREPL, REPL.REPLBackendRef})()
    @ REPL .\task.jl:406

I’d like to use 1.6, so I really appreciate all of the help. I haven’t had any luck finding anything in the documentation, which is still catching up. I am also hunting around for the log files to see what may be in there. I can’t recall where they get stashed.

Best Regards,
Allan

3 Likes

What happens if you run

using Pkg

mktempdir() do dir
    url = "https://github.com/JuliaBinaryWrappers/GLFW_jll.jl/releases/download/GLFW-v3.3.3%2B0/GLFW.v3.3.3.x86_64-linux-gnu.tar.gz"
    Pkg.PlatformEngines.download(url, joinpath(dir, "test.tar.gz"); verbose=true)
end

Also, does it work if you set ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "github.com"?

julia> using Pkg

julia> mktempdir() do dir
           url = "https://github.com/JuliaBinaryWrappers/GLFW_jll.jl/releases/download/GLFW-v3.3.3%2B0/GLFW.v3.3.3.x86_64-linux-gnu.tar.gz"
               Pkg.PlatformEngines.download(url, joinpath(dir, "test.tar.gz"); verbose=true)
       end
ERROR: HTTP/1.1 200 Connection established (schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.) while requesting https://github.com/JuliaBinaryWrappers/GLFW_jll.jl/releases/download/GLFW-v3.3.3%2B0/GLFW.v3.3.3.x86_64-linux-gnu.tar.gz
Stacktrace:
  [1] (::Downloads.var"#9#18"{IOStream, Base.DevNull, Nothing, Vector{Pair{String, String}}, Float64, Downloads.var"#24#27"{Pkg.PlatformEngines.var"#13#15"{Base.TTY}}, Bool, Bool, String, Int64, Bool, Bool})(easy::Downloads.Curl.Easy)
    @ Downloads C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Downloads\src\Downloads.jl:356
  [2] with_handle(f::Downloads.var"#9#18"{IOStream, Base.DevNull, Nothing, Vector{Pair{String, String}}, Float64, Downloads.var"#24#27"{Pkg.PlatformEngines.var"#13#15"{Base.TTY}}, Bool, Bool, String, Int64, Bool, Bool}, handle::Downloads.Curl.Easy)
    @ Downloads.Curl C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Downloads\src\Curl\Curl.jl:60
  [3] #8
    @ C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Downloads\src\Downloads.jl:298 [inlined]
  [4] arg_write(f::Downloads.var"#8#17"{Base.DevNull, Nothing, Vector{Pair{String, String}}, Float64, Downloads.var"#24#27"{Pkg.PlatformEngines.var"#13#15"{Base.TTY}}, Bool, Bool, String, Int64, Bool, Bool}, arg::IOStream)
    @ ArgTools C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\ArgTools\src\ArgTools.jl:112
  [5] #7
    @ C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Downloads\src\Downloads.jl:297 [inlined]
  [6] arg_read(f::Downloads.var"#7#16"{IOStream, Nothing, Vector{Pair{String, String}}, Float64, Downloads.var"#24#27"{Pkg.PlatformEngines.var"#13#15"{Base.TTY}}, Bool, Bool, String, Int64, Bool, Bool}, arg::Base.DevNull)
    @ ArgTools C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\ArgTools\src\ArgTools.jl:61
  [7] request(url::String; input::Nothing, output::IOStream, method::Nothing, headers::Vector{Pair{String, String}}, timeout::Float64, progress::Pkg.PlatformEngines.var"#13#15"{Base.TTY}, verbose::Bool, throw::Bool, downloader::Nothing)
    @ Downloads C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Downloads\src\Downloads.jl:296
  [8] (::Downloads.var"#3#4"{Nothing, Vector{Pair{String, String}}, Float64, Pkg.PlatformEngines.var"#13#15"{Base.TTY}, Bool, Nothing, String})(output::IOStream)
    @ Downloads C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Downloads\src\Downloads.jl:209
  [9] open(f::Downloads.var"#3#4"{Nothing, Vector{Pair{String, String}}, Float64, Pkg.PlatformEngines.var"#13#15"{Base.TTY}, Bool, Nothing, String}, args::String; kwargs::Base.Iterators.Pairs{Symbol, Bool, Tuple{Symbol}, NamedTuple{(:write,), Tuple{Bool}}})
    @ Base .\io.jl:330
 [10] arg_write(f::Function, arg::String)
    @ ArgTools C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\ArgTools\src\ArgTools.jl:86
 [11] #download#2
    @ C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Downloads\src\Downloads.jl:208 [inlined]
 [12] download(url::String, dest::String; verbose::Bool, headers::Vector{Pair{String, String}}, auth_header::Nothing)
    @ Pkg.PlatformEngines C:\buildbot\worker\package_win64\build\usr\share\julia\stdlib\v1.6\Pkg\src\PlatformEngines.jl:270
 [13] #7
    @ .\REPL[68]:3 [inlined]
 [14] mktempdir(fn::var"#7#8", parent::String; prefix::String)
    @ Base.Filesystem .\file.jl:729
 [15] mktempdir(fn::Function, parent::String) (repeats 2 times)
    @ Base.Filesystem .\file.jl:727
 [16] top-level scope
    @ REPL[68]:1

julia> 

Setting that environment variable and running your test looks like it works.

mktempdir() do dir
           url = "https://github.com/JuliaBinaryWrappers/GLFW_jll.jl/releases/download/GLFW-v3.3.3%2B0/GLFW.v3.3.3.x86_64-linux-gnu.tar.gz"
               Pkg.PlatformEngines.download(url, joinpath(dir, "test.tar.gz"); verbose=true)
       end
"C:\\Users\\bakerar\\AppData\\Local\\Temp\\1\\jl_GoDV4l\\test.tar.gz"

Setting that environment variable looks like it works for adding Plots to the package manager. Now, as far as security is concerned, is that what I should be doing?

I don’t personally have the whole story here so I don’t want to make any strong recommendations. The configurations are documented in GitHub - JuliaLang/NetworkOptions.jl so you might get some more useful information there.

Thanks, that explains some stuff.

I am also wondering if I need the HTTP_PROXY stuff set anymore? Could that be interfering with the new Julia package manager?

Hey,

I just removed my 1.5.3 Julia to install the new 1.6 on a Windows machine behind a proxy.

For some reason Pkg cannot download artifacts anymore:

(@v1.6) pkg> add Distributions
   Updating registry at `C:\Users\u009192\.julia\registries\General`
   Updating git-repo `https://github.com/JuliaRegistries/General.git`
  Resolving package versions...
 Downloading artifact: Rmath
    Downloading [>                                        ]  0.0 %  

It hangs and never stops.

I set up my .curlrc so that curl works correctly under my proxy:

julia> run(`curl https://google.com`)
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
Process(`curl https://google.com`, ProcessExited(0))

julia>

Standard git operations also work correctly, since the General registry can be removed, reinstalled, updated, etc… I can install artifact-less packages without any issue.

Thinking Pkg was using Powershell to download the artifacts, I tried this solution but it did not work, it still hangs on artifacts.

Base.download("https://google.com") has the same hanging issue. By looking around, upon forcing some environment variables that match my .curlrc before launching Julia by:

export BINARYPROVIDER_DOWNLOAD_ENGINE="curl --proxy <my_proxy> --ssl-no-revoke --insecure"

I am able to make Base.download work, but not for https:

julia> Base.download("google.com")
"C:\\Users\\XXX\\AppData\\Local\\Temp\\jl_D511.tmp"

julia> Base.download("https://google.com")
ERROR: HTTP/1.0 200 Connection established (schannel: next InitializeSecurityContext failed: Unknown error (0x80092012)) while requesting https://google.com
Stacktrace:
 [Very long stacktrace, the same one.]
julia> 

Moreover, I tried DebugArtifacts and the same thing occurs:

julia> using DebugArtifacts

julia> debug_artifact("OpenSpecFun")
[ Info: Platform: Windows x86_64 {cxxstring_abi=cxx11, julia_version=1.6.0, libgfortran_version=5.0.0}
Julia Version 1.6.0
Commit f9720dc2eb (2021-03-24 12:55 UTC)
Platform Info:
  OS: Windows (x86_64-w64-mingw32)
  CPU: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
  WORD_SIZE: 64
  LIBM: libopenlibm
  LLVM: libLLVM-11.0.1 (ORCJIT, skylake)

[ Info: Downloading Artifacts.toml to C:\Users\u009192\AppData\Local\Temp\jl_GfvfmC\Artifacts.toml...
ERROR: HTTP/1.0 200 Connection established (schannel: next InitializeSecurityContext failed: Unknown error (0x80092012)) while requesting https://raw.githubusercontent.com/JuliaBinaryWrappers/OpenSpecFun_jll.jl/master/Artifacts.toml
Stacktrace:
 [Very long stacktrace, the same one]

But with a simple run of curl, everything is still OK.

julia> run(`curl https://google.com`)
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
Process(`curl https://google.com`, ProcessExited(0))

julia> 

How can I tell the libcurl that is inside Julia to respond to my .curlrc?
Can I pass some parameters directly (the same ones I passed in my .curlrc) to Julia’s libcurl? How?

See also Julia 1.6 new Package Manager -- curl firewall problems

Looks like setting

ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "github.com"

On top of everything I already did worked. Now the question is if everything else was really needed…

Thanks anyway, you saved my day.

Edit: in fact it did not. After restarting it still does not work.

1 Like

Merging threads here since these seem like the same problem. I also filed an issue to track progress: problems with SSL host verification with proxy servers · Issue #108 · JuliaLang/Downloads.jl · GitHub

Well this is still not solved for me, the workaround did not work in both cases. I have the same errors as before.

I’m confused, you said that it worked, then you restarted and it stopped working. Did you set the same environment variables again after you restarted?

Yes sir, I did. I installed Plots.jl (a lot of artifacts), closed Julia, restarted it, reset the environment variable and now I have the same hanging problem.

What did you do differently the second time?

1 Like

Well, I can’t remember :wink:

Now the situation is the following:

  • Base.download works if the wanted URL is http://, hangs if https
  • Artifact downloads hang as well
  • even debug_artifact hangs without erroring out.
  • but of course run(`curl https://google.com`) works…

Setting BINARYPROVIDER_DOWNLOAD_ENGINE with or without the proxy parameters before launching Julia, and setting ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "github.com" after launching Julia or not does not change anything anymore.

After half an hour of testing every potential combination of what I did, the following is necessary and sufficient for the thing to work:

Check that run(`curl ...`) works. Then in Julia:

ENV["http_proxy"] = "http://<your_proxy>:<port>"
ENV["https_proxy"] = "http://<your_proxy>:<port>"
ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "github.com"

And now it works correctly.

These commands might go to .julia/config/startup.jl for convenience.

7 Likes
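
How far the JULIA_SSL_NO_VERIFY_HOSTS setting from the posts above reaches can be checked with the NetworkOptions standard library, which is what decides whether a host's TLS identity is verified. The following is an added example, not code from the thread or from the Julia project; it assumes Julia 1.6 or later, `tls_verification_report` is a hypothetical helper name, and the URLs are the ones that appear in the error messages above.

```julia
# Added example (not from the thread). Requires Julia 1.6+ (NetworkOptions stdlib).
using NetworkOptions

# URLs copied from the error messages quoted in this thread.
const THREAD_URLS = [
    "https://github.com/JuliaBinaryWrappers/GLFW_jll.jl/releases/download/GLFW-v3.3.3%2B0/GLFW.v3.3.3.x86_64-linux-gnu.tar.gz",
    "https://raw.githubusercontent.com/JuliaBinaryWrappers/OpenSpecFun_jll.jl/master/Artifacts.toml",
    "https://google.com",
]

# Hypothetical helper: for each URL, report whether the TLS peer would still
# be verified if JULIA_SSL_NO_VERIFY_HOSTS were set to `patterns`.
# The two related variables are unset for the duration of the check so that
# they cannot mask the result.
function tls_verification_report(patterns::AbstractString, urls = THREAD_URLS)
    withenv("JULIA_SSL_NO_VERIFY_HOSTS" => patterns,
            "JULIA_NO_VERIFY_HOSTS"     => nothing,
            "JULIA_ALWAYS_VERIFY_HOSTS" => nothing) do
        [url => NetworkOptions.verify_host(url, "ssl") for url in urls]
    end
end

# Compare the exact-host setting used in the thread with broader patterns.
for patterns in ("github.com", "**.githubusercontent.com", "**")
    println("JULIA_SSL_NO_VERIFY_HOSTS = ", patterns)
    for (url, verified) in tls_verification_report(patterns)
        host = split(url, '/')[3]   # "https:", "", host, path...
        println("  ", rpad(host, 28), verified ? "verified" : "NOT verified")
    end
end
```

With the value "github.com" only that exact host loses verification, so raw.githubusercontent.com and google.com are still verified, while "**" turns verification off for every host.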

Thanks to everyone in this thread! This solution worked for me.
I also have Windows and when trying to install the Plots package after downloading v 1.6 I received the error:
ERROR: Unable to automatically install 'GLFW'

Simply running in julia REPL
ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "github.com"

One more thing that was necessary for me:

I had my .curlrc in my home folder, and not in the right %APPDATA% folder, which had no effect on the Windows curl that was called from Julia.

Setting the proxy parameters and the insecure option in the right file made it work perfectly.

Saying that setting the insecure option makes it work perfectly sounds like an oxymoron though :wink: