commercialhaskell/stackage-server

Windows stack downloads are no longer secure

Closed this issue · 6 comments

The page at https://www.stackage.org/stack/windows-x86_64 is marked as insecure by Google and PowerShell refuses to invoke content from it. This has broken all my CI scripts, because they won't run non-https content.

I don't know why it would be saying that. The SSL certs are up to date and redirect to an HTTPS link for github.com. Can you confirm that it is still happening?

Yep, still happening.

image

I'm going to need more information, since this works fine on all of my systems. My guess is that your system isn't accepting the CA signing the certificate in question (Let's Encrypt).

Hmm, so I'm not totally sure if Chrome is just showing poor UI since I did that from the main page.

The root issue is that when I run:

Invoke-WebRequest 'https://www.stackage.org/stack/windows-x86_64' -OutFile 'stack.zip'

On AppVeyor VMs I get:

The request was aborted: Could not create SSL/TLS secure channel.

It worked last week, and has worked for many months without change. If there's no configuration changed on your end, I'll mark it down as a bug in AppVeyor. The workaround is to switch to:

Invoke-WebRequest 'https://github.com/commercialhaskell/stack/releases/download/v2.1.3/stack-2.1.3-windows-x86_64.zip' -OutFile 'stack.zip'

Which still works fine. Maybe it is Let's Encrypt, but given the percentage of the web using their certificates, that would seem like a pretty severe outage for AppVeyor.

Given I don't have any real additional information, feel free to close this unless it is also hitting your AppVeyor CI machines (if you still have some).

I did change the setup significantly, but all of my testing indicates it's still fine. Maybe it's an old DNS record or something like that. Just to be sure, I ran an SSL test on the site:

image

From that, my best guess: are you using an older version of Windows that doesn't have SNI support?

AppVeyor is Windows 10, and likely to be a very new one at that. Maybe it's stale DNS and will take a while to propagate. Given there's no way to reproduce this directly, and the error message doesn't give us enough to do anything, let's close. Thanks for checking though!
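
The thread closes without data that separates its three hypotheses (CA trust, SNI, stale DNS). The following is an added diagnostic example, not code from the issue or from the stackage-server project: it collects the resolved addresses, the handshake result, and the certificate chain status for a host on the machine where the download fails. The function name `Test-TlsEndpoint` and the report field names are hypothetical; only the host name comes from the thread.

```powershell
# Added example: gather the facts needed to tell DNS, SNI and CA-trust problems apart.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $report = [ordered]@{
        Host         = $HostName
        # Stale-DNS hypothesis: compare these addresses with a machine where the download works.
        Addresses    = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() })
        Handshake    = 'not attempted'
        Protocol     = $null
        Subject      = $null
        Issuer       = $null
        NotAfter     = $null
        PolicyErrors = $null
        ChainStatus  = @()
    }
    # Record validation results instead of aborting, so an untrusted chain can be inspected.
    # Diagnostic only: an accept-everything callback must never guard a real download.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $policyErrors)
        $report.PolicyErrors = $policyErrors.ToString()
        $report.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        # The target host passed here is what the client sends as the SNI name.
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $report.Handshake = 'ok'
        $report.Protocol  = $ssl.SslProtocol.ToString()
        $report.Subject   = $cert.Subject   # a certificate for another name points at SNI or DNS
        $report.Issuer    = $cert.Issuer    # CA-trust hypothesis: who signed the leaf
        $report.NotAfter  = $cert.NotAfter
    } catch {
        # A failure before any certificate is seen means the handshake itself was rejected.
        $report.Handshake = 'failed: ' + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$report
}

Test-TlsEndpoint -HostName 'www.stackage.org' | Format-List
```

Running it on both the CI worker and a machine where the download succeeds, then comparing the two reports, shows which of the three hypotheses the failing machine actually matches.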