luarocks / hererocks

Python script for installing Lua/LuaJIT and LuaRocks into a local directory
MIT License

Certificate verification failed for downloading from https://www.lua.org #20

Open osch opened 2 years ago

osch commented 2 years ago

I'm getting CERTIFICATE_VERIFY_FAILED when using Python Version 3.8.

hererocks c:\hererocks --%LUA% --target %HR_TARGET% -rlatest
Fetching Lua 5.1.5 (target: vs_64) from https://www.lua.org/ftp/lua-5.1.5.tar.gz
Download failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1108)
Fetching Lua 5.1.5 (target: vs_64) from https://webserver2.tecgraf.puc-rio.br/lua/mirror/ftp/lua-5.1.5.tar.gz
Verifying SHA256 checksum
Error: SHA256 checksum mismatch for C:\Users\appveyor\AppData\Local\HereRocks\Cache\lua-5.1.5.tar.gz
Expected: 2640fc56a795f29d28ef15e13c34a47e223960b0240e8cb0a82d9b0738695333
Observed: 2598647a7dd012b6c346023638258509103d36dd3f15941aebc31c009e6a80ab

With Python 3.9 the download from https://www.lua.org works, but unfortunately Python 3.9 is not available in an Appveyor image together with Visual Studio 2015, see https://www.appveyor.com/docs/windows-images-software/

It seems that Visual Studio 2015 is the latest version supported by hererocks:

hererocks.py: error: argument --target: invalid choice: 'vs19_64' (choose from 'linux', 'macosx', 'freebsd', 
'mingw', 'posix', 'generic', 'mingw', 'vs', 'vs_32', 'vs_64', 'vs08_32', 'vs08_64', 'vs10_32', 'vs10_64', 
'vs12_32', 'vs12_64', 'vs13_32', 'vs13_64', 'vs15_32', 'vs15_64')

As a workaround I got it working by using:

hishamhm commented 2 years ago

Thanks for the report! I am unfamiliar with Visual Studio — could you send a PR adding support for more recent MSVC versions? I think that would be the best way to deal with this Appveyor incompatibility. Thank you!

osch commented 2 years ago

I'm also unfamiliar with Visual Studio and also with Python. It took me a lot of trial and error to figure out that certificate verification from https://lua.org in Python (for Windows) 2.7, 3.8 and 3.10 did not work (P.S. see below). So I would like to suggest reverting #14 or at least implementing an option to disable https. The checksums of the downloads are verified, so using https does not give extra security, but as shown it increases complexity by providing an additional point of possible failure.

P.S.: I re-checked Python 3.10 on my VirtualBox Windows and now it works. Last time I checked it didn't work. So the problem seems to be related to the Windows certificate store, which could have been updated after the latest Windows updates, I guess. It also didn't work on the AppVeyor build server; it could be that the certificate store there was/is not up to date either. Anyway, I still would like to have an option to disable https for the mentioned reasons, just to be able to prevent any problems without the need to check out an old version of Hererocks.

hishamhm commented 2 years ago

I just remembered I went through a similar issue in the LuaRocks repository with Appveyor+Hererocks+Python (d'oh!)

This is how I solved it, forcing Python to fetch and use updated certificates:

https://github.com/luarocks/luarocks/blob/master/appveyor.yml#L53-L58

osch commented 2 years ago

> This is how I solved it

Ah OK thanks for pointing this out, I'll try it the next time I'm running into these problems.
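
An added example, not part of the thread and not hererocks' own code: a Python sketch of the download sequence in the log above, where one source fails TLS verification and a mirror returns bytes that do not match the pinned SHA-256, with verification left on and an optional explicit CA bundle. The function names, hosts and archive bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl
import urllib.request


class DownloadError(Exception):
    """No mirror produced bytes matching the pinned checksum."""


def make_context(cafile=None):
    # Verification stays on; cafile can point at a freshly fetched CA bundle
    # when the platform certificate store is stale.
    return ssl.create_default_context(cafile=cafile)


def https_fetch(url, context):
    with urllib.request.urlopen(url, context=context, timeout=30) as resp:
        return resp.read()


def fetch_verified(urls, expected_sha256, fetch=https_fetch, context=None):
    """Return (url, data, failures) for the first mirror whose bytes match the pin."""
    context = context or make_context()
    failures = []
    for url in urls:
        try:
            data = fetch(url, context)
        except OSError as exc:  # covers ssl.SSLError and urllib.error.URLError
            failures.append((url, "transport: %s" % exc))
            continue
        observed = hashlib.sha256(data).hexdigest()
        if hmac.compare_digest(observed, expected_sha256.lower()):
            return url, data, failures
        failures.append((url, "sha256 mismatch: %s" % observed))  # bytes are discarded
    raise DownloadError(failures)


# Constructed offline stand-ins for the three outcomes (hypothetical hosts).
GOOD = b"constructed archive bytes"
PIN = hashlib.sha256(GOOD).hexdigest()


def fake_fetch(url, context):
    if "expired" in url:
        raise ssl.SSLError("certificate verify failed: certificate has expired")
    return GOOD if "good" in url else b"unexpected mirror content"


def demo():
    urls = ["https://expired.example/a.tgz", "https://stale.example/a.tgz",
            "https://good.example/a.tgz"]
    return fetch_verified(urls, PIN, fetch=fake_fetch)
```

The returned `failures` list keeps the transport error and the checksum mismatch distinct, so a CI log shows which mirror failed for which reason.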