Zulip Chat Archive

Stream: general

Topic: Certificate problem at installing elan


Ingmar Velien (Apr 16 2022 at 18:37):

I wanted to install Lean 4 for Windows 10 according to https://leanprover-community.github.io/install/windows.html, but got the following error message:

$ curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh
info: downloading installer
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
elan: command failed: curl -sSf https://github.com/leanprover/elan/releases/latest
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
elan: command failed: curl -sSfL https://github.com/leanprover/elan/releases/download//elan-x86_64-pc-windows-msvc.zip -o /tmp/tmp.7GehohGdST/elan-init.zip

How can I proceed?

Henrik Böving (Apr 16 2022 at 18:42):

If you visit the websites it's telling you it's having issues with manually via your browser, does that work? Or do you get errors there as well?

Henrik Böving (Apr 16 2022 at 18:43):

Also do you happen to be behind some proxy of a company/university/w/e that might be intercepting your traffic via a self signed certificate?

Ingmar Velien (Apr 16 2022 at 19:42):

I downloaded and installed elan manually and fortunately it works. It works without setting the unknown environmental variables manually. (Certificates and their expiry dates are horrible.)

Eric Wieser (Apr 16 2022 at 21:45):

As a general warning, if your response to SSL issues is to ignore them and download things without SSL, then an attacker can get what they want (in this case, installing arbitrary software on your computer) simply by serving you a bad certificate so that you give up and override SSL manually.

Eric Wieser (Apr 16 2022 at 21:46):

I can't tell if that's actually what you did from your message, but someone else reading it might think it's fine to do that, and it's not.

Ingmar Velien (Apr 17 2022 at 13:27):

What's the solution if the computer refuses the download because the software vendor's certificate is out of date? So we cannot install Lean.

Henrik Böving (Apr 17 2022 at 13:34):

The software vendor's certificate is not out of date, as evident by everyone else that is using elan on a daily basis to fetch the latest nightly. The issue is with your system either being configured or (in the malicious case) tricked into accepting certificates that are out of date. Now what exactly the issue is with your system configuration is hard to tell without looking into the details of which certificates it is using and where they are coming from.

Ingmar Velien (Apr 17 2022 at 13:49):

I'm only a typical computer user (here: WINDOWS). I don't know anything about certificates and how they are controlled. Certificate problems are common and typical today.

Henrik Böving (Apr 17 2022 at 14:21):

Yeah they are very much uncommon if your system is set up correctly, hence why someone should probably take a look at it :P

Eric Wieser (Apr 17 2022 at 15:10):

Note that since you're seeing the issue with curl and GitHub, this isn't a Lean or elan problem; you would likely do better to ask for help elsewhere; superuser.com might be appropriate, as might a local IT office at your school / workplace if this Windows device is used for education / work.

Mauricio Collares (Apr 17 2022 at 15:14):

Do you use antivirus software? If so, which one? Most AV vendors are remarkably bad with their security practices.

Jireh Loreaux (Apr 17 2022 at 15:48):

Are you running a very old version of Windows? I wonder if all the certificate problems you are seeing have something to do with the Let's Encrypt root certificate expiration from several months ago.

Julian Berman (Apr 17 2022 at 15:51):

If you're ever wondering whether a server is having SSL issues, https://www.ssllabs.com/ssltest/ is another good first place to go. You put the domain in and it will give you a second opinion on whether other computers agree with you on the certificate issue.


Last updated: Dec 20 2023 at 11:08 UTC