Setup 2.917 fails to load mirror list

Jon Turney jon.turney@dronecode.org.uk
Fri Feb 11 15:08:14 GMT 2022


On 10/02/2022 14:49, Vanda Vodkamilkevich wrote:
> On Thu, 10 Feb 2022 at 14:54, Jon Turney wrote:
>> On 09/02/2022 15:35, Vanda Vodkamilkevich wrote:
>>> If it helps, the output log when I saw the issues with setup
>> 
>>> ########### Try to download with proxy set
>> [...]
>>> Cached mirror list unavailable
>> [...]
>>> HTTP status 403 fetching https://cygwin.com/mirrors.lst
>> 
>>> ########### Using 2.908 version: it works
>> [...]
>>> Cached mirror list unavailable
>> [...]
>>> Fetched URL: http://cygwin.com/mirrors.lst
>> 
>>> ########### Rerun with new version
>> [...]
>>> Loaded cached mirror list
>> [...]
>>> connection error: 12057 fetching https://cygwin.com/mirrors.lst
>>> Using cached mirror list
>> 
>> The significant change seems to be we now fetch the mirror list
>> using https (since 2.892, but since you are using a self-built
>> setup with local changes, you don't seem to have picked that up
>> until now)
>> 
>> 12057 is ERROR_INTERNET_SEC_CERT_REV_FAILED, which leads down quite
>> a rabbit hole, but apparently this means something like
>> 'certificate validity isn't checked in the process using wininet,
>> but in a service, which doesn't have access to the proxy
>> credentials we are using, so fails trying to fetch any CRL'.
>> 
>> You don't mention that your proxy actually needs any credentials.
>> 
>> Why we get a different error code the second time is mysterious.
>> 
>> How we can then go on to successfully fetch from a https:// mirror
>> if it presents a CRL doesn't make a lot of sense.
>> 
>> I'm baffled.
> 
> You nailed it... My corporate proxy blocks the https to the mirror
> list. And my old version of setup was using http.

This could mean:
- https is blocked by the proxy (due to policy or misconfiguration)
- https to cygwin.com is blocked by the proxy (ditto)
- the setup code is doing something wrong so that the proxy is blocking 
its attempt to use http here

> Maybe if https failed you should retry with http?

Nope, for the reasons already given by Adam.

I'd *maybe* consider a patch adding a '--no-https' option which causes 
plain http:// to be used (and probably turns off [1] as well) to allow 
setup to run in environments which are hostile to https.

[1] 
https://cygwin.com/git/?p=cygwin-apps/setup.git;a=commitdiff;h=b4947fb6db0cbd8b0c673dc49a18224c44da8116;hp=57ddb743c06996e93567a98c6de6694ddcc5d616

> Btw where is this mirror list file saved? I could cheat by fetching
> it with http before using setup?

The 'cached mirror list' referred to here is stored in the mirrors-lst 
key in /etc/setup/setup.rc

