
Certificate error when trying to install MSYS2 packages on Windows server

I installed MSYS2-64bits on my Windows Server 2016 to support some Linux libraries, such as OpenSSL, which I need in my Ruby on Rails development. MSYS2 has been partially installed with Ruby 2.7, but did not complete due to certificate error messages.

I first downloaded and installed msys2-x86_64-20210725.exe. It took a very long time and finished after a few messages about updating the trust database:

==> Generating pacman master key. This may take some time.
==> Updating trust database...
==> Appending keys from msys2.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 6 keys.
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabled 1 keys.
==> Updating trust database...

It stayed about 10 minutes at this stage, but finally declared a successful installation.

Then I tried to update the existing software by running pacman -Syuu. I restarted MSYS2 as requested, typed the statement, and got lots of errors such as the following, repeatedly:

$ pacman -Syuu
:: Synchronizing package databases...
 mingw32.db failed to download
 mingw64.db failed to download
 ucrt64.db failed to download
 clang64.db failed to download
 msys.db failed to download
error: failed retrieving file 'mingw32.db' from mirror.msys2.org : SSL certificate problem: self signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from mirror.msys2.org : SSL certificate problem: self signed certificate in certificate chain
error: failed retrieving file 'ucrt64.db' from mirror.msys2.org : SSL certificate problem: self signed certificate in certificate chain
warning: too many errors from mirror.msys2.org, skipping for the remainder of this transaction

I am afraid that the corporate proxy could refuse self-signed certificates. Is there a way to obtain correctly signed certificates and finalise the installation of all the packages?

Thanks for your help!

user1185081 asked Sep 05 '25 02:09


1 Answer

Great question, but it's not exactly the corporate proxy refusing self-signed certificates; it's pacman's SSL agent.

In your browser, go to repo.msys2.org to find which certificates are being used:

[Screenshot: Show connection details]

Open details:

[Screenshot: Certificate details]

You'll need to export all certificates individually, but don't need the lowest one for repo.msys2.org:

[Screenshot: View certificate]

Save to a local file:

[Screenshot: Copy to File...]

Export using Base-64 encoding:

[Screenshot: Base-64 encoding]

Can save directly to the trust source anchors folder. Things move around from time to time, but as of now, that's C:\msys64\etc\pki\ca-trust\source\anchors\<anyfilename>.cer

Go through the same steps to import the top-level root certificate. Save in the same path, different file name.

$ update-ca-trust
## Done.
$ pacman -Syu

For newer versions of Chrome and Windows, your screenshots may look like this instead:

[Screenshot: new view in Chrome]

Here, I had to click the top-highlighted line, then Export, saving it as a .crt file, then click the bottom-highlighted line, then Export, also saving it as a .crt file with a different name. I kept the default names, copied the files to the path above, then ran the two commands, shown above, in the MSYS terminal.

When running pacman -Syu, if you get a lot of "Operation too slow. Less than 1 bytes/sec transferred the last 10 seconds" errors, for example:

error: failed retrieving file 'libopenssl-3.5.1-1-x86_64.pkg.tar.zst' from repo.msys2.org : Operation too slow. Less than 1 bytes/sec transferred the last 10 seconds

...then run this instead:

pacman -Syu --disable-download-timeout

See: https://github.com/msys2/MSYS2-packages/issues/1658#issuecomment-495955432

AaronDanielson answered Sep 07 '25 21:09
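A file placed in the anchors folder becomes a trusted root for everything pacman downloads, so it is worth comparing each exported certificate's SHA-256 fingerprint with a value obtained separately before copying it. The shell functions below are an added example, not part of the original answer; the names `cert_sha256` and `install_anchor`, and the idea of an expected fingerprint supplied by whoever administers the certificate, are assumptions.

```shell
# Added example, not from the original answer. Function names are hypothetical.
ANCHOR_DIR=/etc/pki/ca-trust/source/anchors  # C:\msys64\etc\pki\ca-trust\source\anchors seen from MSYS2

# Print the SHA-256 (lowercase hex) of one certificate's DER bytes.
# Accepts a Base-64 export holding exactly one certificate, or a raw DER file.
cert_sha256() {
    local file=$1 count tmp rc
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    count=$(grep -a -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    if [ "$count" -gt 1 ]; then
        echo "$file holds $count certificates; export each one to its own file" >&2
        return 1
    elif [ "$count" -eq 1 ]; then
        tmp=$(mktemp) || return 2
        # Keep only the Base-64 body, drop CRs from Windows line endings, decode to DER.
        if sed -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d' \
               -e '/-----/d' "$file" | tr -d '\r' | base64 -d > "$tmp"; then
            sha256sum < "$tmp" | cut -d' ' -f1; rc=0
        else
            echo "$file: Base-64 body does not decode" >&2; rc=1
        fi
        rm -f "$tmp"; return "$rc"
    fi
    # No Base-64 header: treat as DER, which must begin with an ASN.1 SEQUENCE tag (0x30).
    if [ "$(od -An -tx1 -N1 "$file" | tr -d ' \n')" != 30 ]; then
        echo "$file is neither a Base-64 nor a DER certificate export" >&2; return 1
    fi
    sha256sum < "$file" | cut -d' ' -f1
}

# Copy FILE into the anchors folder only if its fingerprint equals EXPECTED.
# EXPECTED may be written as the browser shows it (upper case, colon or space separated).
install_anchor() {
    local file=$1 dir=${3:-$ANCHOR_DIR} expected actual
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(cert_sha256 "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED $file: fingerprint $actual does not match the expected value" >&2
        return 1
    fi
    cp -- "$file" "$dir/$(basename -- "$file")" && echo "staged $file; now run update-ca-trust"
}
```

Call it as `install_anchor <exported file> <expected fingerprint>` once per exported certificate, then run `update-ca-trust` and `pacman -Syu` as in the answer.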