Zulip Chat Archive

Stream: general

Topic: self signed certificate in certificate chain

Yakov Pechersky (Aug 15 2025 at 14:34):

With the new lean release, I am getting a
SSL certificate problem: self signed certificate in certificate chain
when doing lake exe cache get after a gh pr checkout 26588. This SSL issue only happens when I am under a VPN, not off-VPN. Has anyone else seen this? I haven't had issues with cache get under my VPN previously.

$ lake exe cache get
Current branch: fae_PR_RankOne
Using cache from git@github.com:faenuccio/fae_mathlib4.git: faenuccio/fae_mathlib4
Attempting to download 5995 file(s) from leanprover-community/mathlib4 cache
SSL certificate problem: self signed certificate in certificate chain
Downloaded: 0 file(s) [attempted 1/5995 = 0%], 1 failedSSL certificate problem: self signed certificate in certificate chain
SSL certificate problem: self signed certificate in certificate chain
SSL certificate problem: self signed certificate in certificate chain
Downloaded: 0 file(s) [attempted 4/5995 = 0%], 4 failedSSL certificate problem: self signed certificate in certificate chain
SSL certificate problem: self signed certificate in certificate chain
SSL certificate problem: self signed certificate in certificate chain
Downloaded: 0 file(s) [attempted 7/5995 = 0%], 7 failedSSL certificate problem: self signed certificate in certificate chain
SSL certificate problem: self signed certificate in certificate chain
SSL certificate problem: self signed certificate in certificate chain

Henrik Böving (Aug 15 2025 at 15:39):

What does "on a VPN" mean for you? Just an OpenVPN/IPsec/Wireguard connection or is there also something like an HTTPS proxy at play?

Yakov Pechersky (Aug 15 2025 at 18:11):

It's my company VPN, so there is likely an HTTPS proxy. I'll ask internally.

Henrik Böving (Aug 15 2025 at 18:19):

If there is an HTTPS proxy at play your company (assuming that your IT controls the machine you are working on) needs to configure the certificate store of your machine to account for that properly.

Eric Wieser (Aug 15 2025 at 18:40):

Perhaps https://unix.stackexchange.com/a/582310?

Yakov Pechersky (Aug 15 2025 at 18:48):

Where can I find the precise curl call that cache get uses so that I can verbose-introspect the certs?

Matthew Ballard (Aug 15 2025 at 18:56):

Cache.Requests.downloadFiles

Yakov Pechersky (Aug 29 2025 at 20:26):

Coming back to this: running the same curl with -k gives:

[...]
    <h1>Web Page Blocked</h1>
    <p>The web page you are trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is an error.</p>

=C

Last updated: Dec 20 2025 at 21:32 UTC