elm / core

Elm's core libraries
http://package.elm-lang.org/packages/elm/core/latest
BSD 3-Clause "New" or "Revised" License

HTTP Problem #1036

Closed haphaeu closed 5 years ago

haphaeu commented 5 years ago

Installed portable files of elm 0.19 and node-v10.16.0-win-x64.

Then:


C:\Users\abc\portable>elm repl
---- Elm 0.19.0 ----------------------------------------------------------------
Read <https://elm-lang.org/0.19.0/repl> to learn more: exit, help, imports, etc.
--------------------------------------------------------------------------------
> 1
-- HTTP PROBLEM ----------------------------------------------------------------

The following HTTP request failed:

    <https://package.elm-lang.org/all-packages>

Here is the error message I was able to extract:

    HttpExceptionRequest Request { host = "package.elm-lang.org" port = 443
    secure = True requestHeaders =
    [("User-Agent","elm/0.19.0"),("Accept-Encoding","gzip")] path =
    "/all-packages" queryString = "" method = "GET" proxy = Nothing rawBody =
    False redirectCount = 10 responseTimeout = ResponseTimeoutDefault
    requestVersion = HTTP/1.1 } (InternalException (HandshakeFailed
    (Error_Protocol ("certificate rejected: [InvalidSignature
    SignatureInvalid]",True,CertificateUnknown))))

>

evancz commented 5 years ago

Can you say more about your OS? What OS is it? What version?

Do these problems persist to today?

Are you on a computer with a firewall set up? When you ran this, were you on internet in a school, company, airport, hotel, country that intercepts HTTP requests? Could you access package.elm-lang.org in your browser?

haphaeu commented 5 years ago

Windows 7. Company computer behind a corporate firewall. package.elm-lang.org is accessible in a browser.

Today I tried with other node.js versions, 12.7, both x86 and x64. No luck, exactly the same exception.

-- edit -- Worth mentioning that company has some sort of URL defense running.

evancz commented 5 years ago

Do you get the same error from elm init or when trying to run elm make?

It is surprising to hear that it works in the browser. I do not know enough about firewalls to know if they can be more permissive for browsers than for terminal applications. Maybe!

Looking at the error message itself:

HandshakeFailed
  (Error_Protocol
    ("certificate rejected: [InvalidSignature SignatureInvalid]"
    , True
    , CertificateUnknown
    )
  )

It looks like this person has run into the same message when running a Haskell program on Windows 10, so it seems like there are two possible cases:

  1. Whatever firewall situation was for that StackOverflow person is the same as it is for you.
  2. There is something weird in the underlying Haskell library for HTTPS requests.

Case (1) seems way more likely to me, but I do not know a lot about Windows and corporate firewalls, so I am not sure how much I can help aside from hearing more information and having more questions.

Note: It shouldn't matter what version of node.js you have. The error is not related to that!

rlefevre commented 5 years ago

@haphaeu could you make a screenshot of the SSL certificate you get in your browser when going to https://package.elm-lang.org? You can find it by clicking the lock on the left of the URL in your browser.

It should currently be like this: [image: ssl]

haphaeu commented 5 years ago

Before addressing your questions below, I ran into an error in git related to certificates that might be worth mentioning and might give some clue:

> git clone https://github.com/evancz/elm-architecture-tutorial.git
Cloning into 'elm-architecture-tutorial'...
fatal: unable to access 'https://github.com/evancz/elm-architecture-tutorial.git/': SSL certificate problem: unable to get local issuer certificate

Then using this answer from stack overflow solved the problem:

> git config --global http.sslVerify false
> git clone https://github.com/evancz/elm-architecture-tutorial.git
Cloning into 'elm-architecture-tutorial'...
Done.
> git config --global http.sslVerify true

So even though I don't understand about certificates and firewall etc, it gives a clue that to make this command work I had to tweak git to skip something (unsafe according to SO comment, something to do with man-in-the-middle attacks), run the command, and then switch that security option on again.

@evancz same error with elm init and elm make. With elm reactor the browser opens and shows the directory contents but when I click one elm example I see the same error message in the browser.

@rlefevre Any particular fields of interest please let me know and I can copy their values.

I'm not sure how relevant that is, but I'm not at Zscalertwo. This Zscalertwo seems to be the cloud security provider for the company I work at. I've just made a test and tried to access a gaming site kongregate.com. It was blocked due to company policy and I see a message with a stamp from the Zscalertwo.

[images: elm-cert1, elm-cert2, elm-cert3]

rlefevre commented 5 years ago

@haphaeu Your company is doing Man in the Middle for your HTTPS connections, self signing SSL certificates on the fly.

This means that all HTTPS connections will report an invalid SSL certificate; your browser is likely configured by IT with an exception for the Zscaler issuer.

This also means that your HTTPS connections are not safe. Everything can be sniffed and logged by your company; don't enter critical data there (bank account authentication for example).

Your git config command removes the SSL certificate check. Unfortunately, there isn't such a flag for elm at the moment.

As you are able to run git commands, you could try using this package cache to fill yours until a better solution is found. It has not been updated since February though: https://github.com/drathier/elm-offline

I'm not sure though if this will be enough to avoid elm SSL errors :thinking:

haphaeu commented 5 years ago

@rlefevre thanks for the explanation and the link to elm-offline. I'm trying it out without success. What would be ~/.elm for a portable installation in Windows 7? I tried to use my home directory C:\Users\username\ but it didn't work. Also tried to set HOME=\path\to\home\ in the same environment where I run elm from, with no luck.

rlefevre commented 5 years ago

On Windows, your elm home is at:

C:\Users\<user>\AppData\Roaming\elm

You can also change it by setting the ELM_HOME variable when running elm.

rlefevre commented 5 years ago

Actually, using a proxy should allow you to bypass your own MITM proxy (as this would be the proxy that would connect to package.elm-lang.org); however, this would work only if your company does not also block such connections, which is unfortunately unlikely given what they do with HTTPS.

Could you try running elm commands after setting the following https proxy (the elm-offline cache would not be needed in this case):

set https_proxy=elm.dmy.fr:9999

then

elm init
elm install ...

This comes from https://gist.github.com/rlefevre/7c21513c3cc14ea23524223ab35e4ca6.

rlefevre commented 5 years ago

@haphaeu Tell us if something worked :crossed_fingers:

haphaeu commented 5 years ago

@rlefevre about bypassing proxy, it is getting blocked - note that the error message changed:

C:\tmp\elm-architecture-tutorial>set https_proxy=elm.dmy.fr:9999

C:\tmp\elm-architecture-tutorial>elm make
-- HTTP PROBLEM ----------------------------------------------------------------

The following HTTP request failed:

    <https://package.elm-lang.org/all-packages>

Here is the error message I was able to extract:

    HttpExceptionRequest Request { host = "package.elm-lang.org" port = 443
    secure = True requestHeaders =
    [("User-Agent","elm/0.19.0"),("Accept-Encoding","gzip")] path =
    "/all-packages" queryString = "" method = "GET" proxy = Nothing rawBody =
    False redirectCount = 10 responseTimeout = ResponseTimeoutDefault
    requestVersion = HTTP/1.1 } (InternalException (HostCannotConnect
    "elm.dmy.fr" [Network.Socket.connect: <socket: 464>: failed (Connection
    timed out (WSAETIMEDOUT))]))

Need to go now, I'll give elm-offline another go tomorrow with the HOME you've mentioned.
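The two failures reported so far in this thread break at different hops: the first completes the TCP connection and fails certificate validation, the second never reaches the proxy at all. The following is an added example, not part of any comment in the thread and not Elm project code; it triages both dumps, and the `triage` function and its result fields are hypothetical names.

```python
import re

# Abridged copies of the two error dumps reported in this thread
# (request fields trimmed, terminal line wrapping kept).
CERT_REJECTED = """HttpExceptionRequest Request { host = "package.elm-lang.org" port = 443
secure = True proxy = Nothing } (InternalException (HandshakeFailed
(Error_Protocol ("certificate rejected: [InvalidSignature
SignatureInvalid]",True,CertificateUnknown))))"""

PROXY_BLOCKED = """HttpExceptionRequest Request { host = "package.elm-lang.org" port = 443
secure = True proxy = Nothing } (InternalException (HostCannotConnect
"elm.dmy.fr" [Network.Socket.connect: <socket: 464>: failed (Connection
timed out (WSAETIMEDOUT))]))"""


def triage(error_text):
    """Classify an elm 'HTTP PROBLEM' exception dump by the hop that failed."""
    text = " ".join(error_text.split())  # undo terminal line wrapping
    host = re.search(r'host = "([^"]+)"', text)
    result = {"request_host": host.group(1) if host else None,
              "stage": "unknown", "peer": None, "detail": None,
              "via_proxy": False}

    # TLS stage: TCP connected, but the presented chain failed validation
    # against the trust store used by the client.
    m = re.search(
        r'HandshakeFailed \(Error_Protocol \("certificate rejected: \[([^\]]+)\]"',
        text)
    if m:
        result.update(stage="tls-certificate", peer=result["request_host"],
                      detail=m.group(1))
        return result

    # TCP stage: the socket never connected. The dump prints proxy = Nothing
    # even when https_proxy is set, so compare the peer with the request host.
    m = re.search(r'HostCannotConnect "([^"]+)" \[(.*)\]', text)
    if m:
        os_error = re.search(r'\((WSA\w+|E[A-Z]+)\)', m.group(2))
        result.update(stage="tcp-connect", peer=m.group(1),
                      detail=os_error.group(1) if os_error else m.group(2),
                      via_proxy=m.group(1) != result["request_host"])
    return result


if __name__ == "__main__":
    for sample in (CERT_REJECTED, PROXY_BLOCKED):
        print(triage(sample))
```

A `tls-certificate` result points at the trust store or an intercepting proxy on the path; a `tcp-connect` result with `via_proxy` set points at egress filtering before any TLS takes place.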

haphaeu commented 5 years ago

@rlefevre Your suggestion of using elm-offline is working fine now =) I'm sticking to a fully portable version using set ELM_HOME=path/to/portable/elm-home. It does run into the certificate issue when I try to make or reactor a project with dependencies not found. But by editing the elm.json file to match requirement to whichever version is available in the offline packages, I managed to run the elm-architecture-tutorial examples. Thanks a lot.

@evancz even though it is not a real pure elm solution, for me that solves my issue for now. I'll close it. I believe in the long run elm would benefit from having an option similar to git to remove the SSL certificate check.

rlefevre commented 5 years ago

@haphaeu Ok, thank you for the feedback. You could put your portable ELM_HOME on a USB key/disk and install new packages from outside your company (you just need to install them in a project and call elm make at least once). You will be able to use them anywhere after this.

Also, you can use this tool to install specific versions of packages and handle dependencies nicely: https://www.npmjs.com/package/elm-json It is currently more powerful than elm install.

JesterXL commented 5 years ago

I'm having this exact issue with my new Mac. Oddly, my old Mac somehow got around this? I've installed our company's certs, rebooted a few times, all to no avail. So... just another vote for this disabling ability. Or, features along the lines the guy Alex Taylor outlines because we do all those for npm here at work: https://stackoverflow.com/questions/13913941/how-to-fix-ssl-certificate-error-when-running-npm-on-windows/30341389

JesterXL commented 4 years ago

An update on this: turns out my network won't allow installing of packages unless they come from internal Artifactory. We have the same problem using stack with Haskell. I hacked around it, but it's an error-prone, unnatural, not long-term solution.

Anyone know what it would take to get Artifactory to support Elm? I don't know much about it beyond it stores things.