cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License

download.cypress.io expired cert when response is cypress.zip #29110

Closed tay-j-kohn closed 5 months ago

tay-j-kohn commented 6 months ago

Current behavior

Noticed on my latest install of cypress that the npm postinstall which goes to download cypress from https://download.cypress.io/desktop/3.3.1?platform=linux&arch=x64 fails because of an expired certificate. Thought it was maybe my corporate network but I see the same behavior from a browser of my personal machine on my home network. If you browse to, for example, https://download.cypress.io/desktop.json you get the proper cert but it seems if you go to any path which downloads cypress.zip you get a bad cert (such as https://download.cypress.io/ and the link above for v3.3.1 or any other version).

Screenshot 2024-03-11 at 4 40 39 PM Screenshot 2024-03-11 at 4 40 55 PM Screenshot 2024-03-11 at 4 42 17 PM

Debug logs

cypress@3.3.1 postinstall /var/jenkins/workspace/Agent_agent-csr_master/node_modules/cypress
> node index.js --exec install

Installing Cypress (version: 3.3.1)

[15:42:48]  Downloading Cypress     [started]
[15:42:48]  Downloading Cypress     [failed]
The Cypress App could not be downloaded.

Please check network connectivity and try again:

----------

URL: https://download.cypress.io/desktop/3.3.1?platform=linux&arch=x64
Error: certificate has expired

----------

Cypress Version

3.3.1

Node version

v8.11.4

Package Manager

npm

Package Manager Version

v5.6.0

Operating system

Linux

Operating System Version

Amazon linux 2023

Other

No response

jennifer-shehane commented 6 months ago

@tay-j-kohn Are you intending to download version 3.3.1? This is an extremely old version. Our latest release is 13.6.6. I’m not certain that’s related to the issue, but could you try a more recent version?

MikeMcC399 commented 6 months ago

@tay-j-kohn

What happens if you check with https://www.sslshopper.com/ssl-checker.html#hostname=download.cypress.io ?

This was also reported in https://discord.com/channels/755913899261296641/1215012354023235634 for https://download.cypress.io/desktop/4.12.1?platform=linux&arch=x64

MikeMcC399 commented 6 months ago

@tay-j-kohn

Please check your version of Node.js by executing node -v. The earliest supported version is 18.x (for example v18.19.1) and you write v8.11.4.

tay-j-kohn commented 6 months ago

@MikeMcC399 @jennifer-shehane looks like the install works on later versions of node. I'm surprised cert checking got more lax in later versions of node. Still though something weird is going on with your download server. Regardless of node versions and cypress versions you can see the bad cert in a browser as my screenshots show.

MikeMcC399 commented 6 months ago

@tay-j-kohn

I would suspect a rogue server in the Cloudflare cdn network which is missing a certificate update, however I can't be sure, since I'm not seeing this certificate error. You might find your location on https://www.cloudflarestatus.com/ and see if there are any temporary outages.

Have you tried again today to access https://download.cypress.io/desktop/3.3.1?platform=linux&arch=x64 through a browser? Do you still get a certificate error?

tay-j-kohn commented 6 months ago

@MikeMcC399 copy and paste the download.cypress.io link into a new tab to see the bad cert. I still see it today. Both from my home network which is showing operational status in cloudflare and from my corporate vpn network which comes out of Utah. That one is showing re-routed.

MikeMcC399 commented 6 months ago

@tay-j-kohn I don't doubt your issue! I'm just not seeing it here from my network location in Germany.

jennifer-shehane commented 6 months ago

Our certificate is up to date and valid, if you check download.cypress.io in any site that checks certificates. I'd strongly suggest upgrading to a newer version of Cypress. I'm not sure if we handled things differently in the past - since this is only showing up on older versions, some of these versions are 6+ years old at this point.

tay-j-kohn commented 6 months ago

I think it is something to do with the fact that download.cypress.io 302 redirects to cdn.cypress.io. If you use the latest version number for cypress https://download.cypress.io/desktop/13.7.0?platform=linux&arch=x64 it redirects you to https://cdn.cypress.io/desktop/13.7.0/linux-x64/cypress.zip and I see the cert error in my Chrome browser (it does download anyway though). Node also sees a bad cert but only on older versions. I'm not sure why though, as your cert is set up for *.cypress.io. You can recreate what I did in a browser by copying and pasting the download.cypress.io URL and putting it in a new browser tab. If you click the link or paste it into a tab that is browsed to another site it won't show the cert error because I guess Chrome only shows the user the cert when an actual HTML page navigation occurs and not for file downloads.

MikeMcC399 commented 6 months ago

@tay-j-kohn

Which browser / version is showing you a certificate error?

Did you check the certificate with https://www.sslshopper.com/ssl-checker.html#hostname=download.cypress.io ?

tay-j-kohn commented 6 months ago

Chrome 123.0.6312.59

And yes, sslshopper and ssllabs show a valid cert, as does openssl from my machine.

I don't know if the chrome thing is the same reason node v8 shows expired certificate though so that may be a red herring. I would say I'm fine closing this since it seems to work on node 10+ but the other issue (https://github.com/cypress-io/cypress/issues/29166) said they tried node v10.24.1 and got the expired cert error as well. I tried with their same node and npm version on cypress 1.4.2 and it downloaded for me though. @davpatrik

tay-j-kohn commented 6 months ago

I think this is relevant to the node issue: https://github.com/nodejs/node/issues/40282#issuecomment-939192317. This also mentions it was fixed since version 10 and "Let's Encrypt", which the cypress download hosting uses. If davpatrik can confirm that he can install on version 10 I think this should be closed since it isn't an issue with cypress but likely with old certificate trusts/configurations in versions of node below 10.

MikeMcC399 commented 6 months ago

@tay-j-kohn

There are two issues here:

1) Attempting to download and install the legacy version cypress@3.1.1 with Node.js v8.11.4 leads to a certificate error.

Error: certificate has expired

2) Accessing the URL https://download.cypress.io/desktop/3.3.1?platform=linux&arch=x64 with Google Chrome shows the warning "Your connection to this site is not secure".

Download with Node.js v8.11.4

The issue with Node.js v8.11.4 can be demonstrated with:

   npm init -y
   npm install cypress@3.1.1 --ignore-scripts
   npx cypress install --force

This issue is rectified by updating Node.js to ~~the latest 8.x version 8.17.0~~ Node.js 10.24.1. This version is however unsupported, so the recommendation is to use at least Node.js 18.x and preferably the current LTS version Node.js 20.x.

Node.js 8 entered end-of-life on Dec 31, 2019. The lowest supported version of Node.js is 18. (See Node.js release schedule and Cypress system requirements).

Google Chrome warning

It is currently unclear what is causing the warning "Your connection to this site is not secure" when accessing https://download.cypress.io/desktop/3.3.1?platform=linux&arch=x64 with Google Chrome. This is a vague warning.

The test site https://expired.badssl.com/ can be used to demonstrate how Google Chrome responds to an expired certificate and this is not the same as seen when accessing https://download.cypress.io/desktop/3.3.1?platform=linux&arch=x64 .

Accessing the Developer tools (F12) in Google Chrome, and the Security tab, shows valid certificates.

The following also confirms active certificates are in place:

curl -vI https://download.cypress.io
curl -vI https://cdn.cypress.io

Comments

My apologies for misreading your report as I thought you were getting an explicit certificate error in Google Chrome. I do see the message "Your connection to this site is not secure" in Google Chrome! This is however only shown if I actively select the site information icon (i) on the left in the address field.

The issue with Google Chrome ("Your connection to this site is not secure") could be continued in a separate new issue if this issue is closed. I have not seen this issue preventing download however.

tay-j-kohn commented 6 months ago

Yeah, I'm pretty convinced the chrome thing is just an oddity and nothing is actually insecure there. And agreed with your node assessment other than the version. I tried 8.17.0 as you suggested and the issue is still there. I can only make valid ssl requests to your site and letsencrypt.org on 10+ since that's when they updated openssl. You can quickly verify this with this node code:

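const https = require("https");
// Prints PASS if the TLS handshake succeeds; otherwise prints the error (e.g. "certificate has expired").
https.get("https://download.cypress.io/", (res) => { console.log("PASS"); res.resume(); })
  .on("error", (err) => { console.log("FAIL:", err.message); });
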
MikeMcC399 commented 6 months ago

@tay-j-kohn

> ... And agreed with your node assessment other than the version. I tried 8.17.0 as you suggested and the issue is still there. I can only make valid ssl requests to your site and letsencrypt.org on 10+ since that's when they updated openssl.

You're right and it seems I made a mistake when I tested. 🤭 Sorry for the incorrect statement, which I have corrected in https://github.com/cypress-io/cypress/issues/29110#issuecomment-2011360767 above.

PS Just for the record, it's not "my site". I'm an external open source community contributor and I am not an employee of Cypress.io, although I do work closely with their team. 🙂

MikeMcC399 commented 5 months ago

Google Chrome shows no warning status "Your connection to this site is not secure" when downloading from https://download.cypress.io using an Incognito window. Firefox and Edge also show no warning downloading a Cypress binary. I wasn't able to find out why Chrome is showing this status downloading from a regular window. Chrome itself does not give any further hints for the reason.

jennifer-shehane commented 5 months ago

I don't think there's anything actionable for us to do on Cypress' side here. I'd recommend updating from these older versions altogether.