sqlite & SSL error with "fossil clone https://fossil-scm.org"
(1.1) By matt w. (maphew) on 2021-08-20 22:02:36 edited from 1.0
When attempting to clone Fossil I get an sqlite error related to accepting the SSL certificate. The fossil-scm.fossil file is downloaded (56,885,248 bytes) but cannot be opened.
$ fossil clone https://fossil-scm.org
Unable to verify SSL cert from fossil-scm.org
subject: CN = sqlite.org
issuer: C = US, O = Let's Encrypt, CN = R3
sha256: 4a14452a4bac39e4780e320367f11b6491a43d42ff837a9713dd57996f7d2cba
accept this cert and continue (y/N)? y
remember this exception (y/N)? y
redirect with status 301 to https://fossil-scm.org/home
Round-trips: 8 Artifacts sent: 0 received: 53035
Clone done, wire bytes sent: 2384 received: 37083451 ip: 45.33.6.223
Rebuilding repository meta-data...
100.1% complete...
Extra delta compression...
Vacuuming the database...
project-id: CE59BB9F186226D80E49D1FA2DB29F935CCA0333
server-id: a58589e8e026cb56de14d38d4a8de3a5a37b32c6
admin-user: Matt (password is "o2M-edited-UG")
opening the new ./fossil-scm.fossil repository in directory ./fossil-scm...
Autosync: https://fossil-scm.org/home
Unable to verify SSL cert from fossil-scm.org
subject: CN = sqlite.org
issuer: C = US, O = Let's Encrypt, CN = R3
sha256: 4a14452a4bac39e4780e320367f11b6491a43d42ff837a9713dd57996f7d2cba
accept this cert and continue (y/N)? y
remember this exception (y/N)? y
SQLITE_ERROR(1): no such table: global_config in "REPLACE INTO global_config(name,value) VALUES('cert:fossil-scm.org','4a14452a4bac39e4780e320367f11b6491a43d42ff837a9713dd57996f7d2cba')"
Database error: no such table: global_config: {REPLACE INTO global_config(name,value) VALUES('cert:fossil-scm.org','4a14452a4bac39e4780e320367f11b6491a43d42ff837a9713dd57996f7d2cba')}
Matt@SERVER D:\Matt\code\lib
$ cd fossil-scm
Matt@SERVER D:\Matt\code\lib\fossil-scm
$ f open ..\fossil-scm.fossil
Autosync: https://fossil-scm.org/home
Unable to verify SSL cert from fossil-scm.org
subject: CN = sqlite.org
issuer: C = US, O = Let's Encrypt, CN = R3
sha256: 4a14452a4bac39e4780e320367f11b6491a43d42ff837a9713dd57996f7d2cba
accept this cert and continue (y/N)? y
remember this exception (y/N)? y
SQLITE_ERROR(1): no such table: global_config in "REPLACE INTO global_config(name,value) VALUES('cert:fossil-scm.org','4a14452a4bac39e4780e320367f11b6491a43d42ff837a9713dd57996f7d2cba')"
Database error: no such table: global_config: {REPLACE INTO global_config(name,value) VALUES('cert:fossil-scm.org','4a14452a4bac39e4780e320367f11b6491a43d42ff837a9713dd57996f7d2cba')}
with Fossil 2.17 [8dd7542892] on Windows 10.
(2) By matt w. (maphew) on 2021-08-20 22:05:33 in reply to 1.1
Amendment: the repo can be opened if no sync flag is used: fossil open --nosync ...
(3) By Stephan Beal (stephan) on 2021-08-20 22:15:22 in reply to 1.1
SQLITE_ERROR(1): no such table: global_config ...
Please see 07feafefbff4daab and, if able, try that patch. If that works for you we'll get it integrated.
(4) By Richard Hipp (drh) on 2021-08-20 22:33:25 in reply to 3
I think that patch is definitely needed.
On another note, why do you suppose that OpenSSL is not able to verify the perfectly valid cert that is on fossil-scm.org? Do you think the local machine does not have up-to-date root certs that include Let's Encrypt? Or maybe the local machine root certs are just in a non-standard place? What does this say:
fossil tls
(5) By Stephan Beal (stephan) on 2021-08-20 22:42:52 in reply to 4
I think that patch is definitely needed.
Done.
On another note, why do you suppose that OpenSSL is not able to verify the perfectly valid cert that is on fossil-scm.org?
That's well outside of my very basic SSL know-how. Warren can certainly say something to that, though.
(6.3) By matt w. (maphew) on 2021-08-20 22:53:56 edited from 6.2 in reply to 4
$ fossil tls
OpenSSL-version: OpenSSL 1.1.1i 8 Dec 2020 (0x01010109f)
OpenSSL-cert-file: C:\Program Files\Common Files\SSL/cert.pem
OpenSSL-cert-dir: C:\Program Files\Common Files\SSL/certs
SSL_CERT_FILE:
SSL_CERT_DIR:
ssl-ca-location:
ssl-identity:
exception: fossil-scm.org
exception: www.maphew.com
Edit: the folder listed, "C:\Program Files\Common Files\SSL", does not exist
(7) By matt w. (maphew) on 2021-08-20 22:59:50 in reply to 6.3
All the places I can locate a file called "cert.pem" (using Everything Search):
(8) By Warren Young (wyoung) on 2021-08-20 23:18:19 in reply to 7
Your screenshot appears clipped, so perhaps "C:\Program Files\Common Files\SSL/cert.pem" from the above output is there, but can you please verify it? If that file is indeed missing, there's your problem.
(9) By John Rouillard (rouilj) on 2021-08-21 00:00:07 in reply to 8
As the OP noted in an edit, C:\Program Files\Common Files\SSL doesn't exist on his system. It also doesn't exist on my system running Windows 10 Home, build 19042.1110 installed May 2021.
(I use a self-built Cygwin fossil, not Windows fossil, so didn't try to reproduce his issue.)
(10) By Warren Young (wyoung) on 2021-08-21 00:25:13 in reply to 9
These are two separate issues.
Matt W needs to provide this file to Fossil since the OpenSSL library for Windows doesn't know how to reach into the OS's proprietary certificate store and use those. It needs you to provide it in a format it can accept. I can only speculate as to why it's looking in that particular place, but he can either produce a copy of the CA root PEM store containing the roots he needs in that location or he can point Fossil at one of the others, if they're suitable. All of this is well-documented.
With Cygwin, however, you're using the Cygwin build of OpenSSL, which presumably references the Cygwin ca-certificates package as a dependency, so you shouldn't be having the same trouble with TLS connections as Matt W.
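A way to check the diagnosis above from saved `fossil tls` output, as an added example that is not part of the thread or of Fossil itself. The names `parse_fossil_tls`, `diagnose` and `TRUST_KEYS` are made up here, and treating those five keys as the CA-root locations is an assumption based on their labels in the output shown earlier; the sample text is constructed from that output.

```python
import os

# Constructed sample: the `fossil tls` output quoted earlier in this thread.
SAMPLE = r"""OpenSSL-version: OpenSSL 1.1.1i 8 Dec 2020 (0x01010109f)
OpenSSL-cert-file: C:\Program Files\Common Files\SSL/cert.pem
OpenSSL-cert-dir: C:\Program Files\Common Files\SSL/certs
SSL_CERT_FILE:
SSL_CERT_DIR:
ssl-ca-location:
ssl-identity:
exception: fossil-scm.org
exception: www.maphew.com
"""

# Assumption: these keys name the places CA roots may be loaded from.
TRUST_KEYS = ("OpenSSL-cert-file", "OpenSSL-cert-dir",
              "SSL_CERT_FILE", "SSL_CERT_DIR", "ssl-ca-location")


def parse_fossil_tls(text):
    """Split `key: value` lines; repeated keys (exception:) accumulate."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so C:\ survives
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def diagnose(text, exists=os.path.exists):
    """Return (usable_trust_sources, pinned_exception_hosts, verdict)."""
    fields = parse_fossil_tls(text)
    # Existence check only: it does not prove the bundle holds the needed root.
    usable = [(key, path) for key in TRUST_KEYS
              for path in fields.get(key, []) if path and exists(path)]
    pinned = [host for host in fields.get("exception", []) if host]
    if usable:
        verdict = "CA roots found; verification can use them"
    elif pinned:
        verdict = "no CA roots; trust rests only on remembered exceptions"
    else:
        verdict = "no CA roots and no exceptions; every TLS sync will prompt"
    return usable, pinned, verdict


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

For the output in this thread the result is the middle verdict: both configured paths are missing, so the only trust in place is the two per-host exceptions that were answered with "y".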
(11) By John Rouillard (rouilj) on 2021-08-21 01:46:08 in reply to 10
With Cygwin, however, you're using the Cygwin build of OpenSSL, which presumably references the Cygwin ca-certificates package as a dependency, so you shouldn't be having the same trouble with TLS connections as Matt W.
Correct, I have no problem cloning fossil.
Do the directions for installing on Windows include how to find a cacert.pem and make fossil use it?
(12) By Warren Young (wyoung) on 2021-08-21 02:35:38 in reply to 11
"…I did find a third party source for the cacert.pem file…"
(13.1) By matt w. (maphew) on 2021-08-22 05:43:56 edited from 13.0 in reply to 10
Oh, thank you. Not normally having had to do extra TLS/SSL setup to read from a server, I didn't know to look for documentation on it.
I'm accustomed to messages like "accept this cert and continue (y/N)?" and "remember this exception (y/N)?" but up until now* I've only had to answer Yes and keep going (if I trust the source). Meaning I interpreted the messages as information and not errors.
I was helped to this understanding as the error messages Fossil emitted had me thinking the problem was internal. "no such table: global_config: {REPLACE INTO ..." reads like the destination doesn't exist, not a problem with being unable to find a source file.
* With other software like Firefox, WinSCP, PuTTY, Remote Desktop, FileZilla, ...
(14) By Stephan Beal (stephan) on 2021-08-22 09:02:42 in reply to 13.1
I was helped to this understanding as the error messages Fossil emitted had me thinking the problem was internal.
That particular problem was definitely internal to fossil (and has since been patched): its config db wasn't being opened, so saving of the cert exception could not succeed.