
lynx: SSL error: Can't find common name in certificate

Open rashil2000 opened this issue 4 years ago • 11 comments

Bug Report

Package Name: lynx

Current Behaviour

Websites using HTTPS do not open at all.

Expected Behaviour

All websites should open.

Additional context/output

The dependency cacert might be the cause of the problem.

❯ lynx

Looking up lynx.invisible-island.net
Making HTTPS connection to lynx.invisible-island.net

lynx: Can't access startfile https://lynx.invisible-island.net/

Possible Solution

System details

Windows version: 10.0.19043.1288
OS arch (32 or 64 bit): 64
PowerShell version: 7.1.5
Additional software: none

rashil2000, Oct 30 '21 13:10

I can't get it to work either. I'm not sure it is an issue with cacert because lynx does not throw an error if the SSL_CERT_FILE which lynx.cfg points to is missing (e.g. if you uninstall cacert).

When running the copy of openssl included in the bin directory, it says that the site does have a common name (CN):

❯ .\openssl s_client -quiet -connect lynx.invisible-island.net:443
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN = lynx.invisible-island.net
verify return:1

I just tested the version of lynx that Homebrew installs on macOS, which is version 2.8.9rel.1 (the last stable release), and it works great. MacPorts also installs the stable version. Maybe we shouldn't be installing the development builds?

tech189, Nov 16 '21 15:11
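The check made by hand in the comment above can be scripted. This Python example is added here and is not part of the original thread, lynx or Scoop: it parses `openssl s_client` verification output, extracts the leaf certificate's CN, compares it with the host name, and collects any `verify error:` lines. The function names are assumptions of this example, and the sample input is the output quoted in that comment.

```python
import re

# s_client verification lines as quoted in the comment above.
SAMPLE = '''depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN = lynx.invisible-island.net
verify return:1
'''

# One RDN: KEY = value; a value is "quoted" (may hold commas) or runs to the next comma.
RDN = re.compile(r'\s*([A-Za-z0-9.]+) = ("[^"]*"|[^,]*)(?:,|$)')

def parse_subject(dn):
    """Split a one-line OpenSSL subject into (attribute, value) pairs."""
    return [(k, v.strip().strip('"')) for k, v in RDN.findall(dn)]

def parse_chain(text):
    """Map depth -> {'subject': [...], 'errors': [...]} from s_client output."""
    chain, cur = {}, None
    for line in text.splitlines():
        m = re.match(r'depth=(\d+) (.*)', line)
        if m:
            cur = chain.setdefault(int(m.group(1)), {"subject": [], "errors": []})
            cur["subject"] = parse_subject(m.group(2))
        elif cur is not None and line.startswith("verify error:"):
            cur["errors"].append(line.split(":", 1)[1])
    return chain

def host_matches(cn, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.partition(".")[2] == cn[2:]
    return cn == host

def diagnose(text, host):
    """Summarise what the output says about the leaf CN and the chain."""
    chain = parse_chain(text)
    cns = [v for k, v in chain.get(0, {}).get("subject", []) if k == "CN"]
    return {
        "leaf_cn": cns,
        "cn_matches_host": any(host_matches(c, host) for c in cns),
        "errors": {d: e["errors"] for d, e in chain.items() if e["errors"]},
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE, "lynx.invisible-island.net"))
```

For the quoted output the result shows a leaf CN equal to the host name and no verification errors at any depth, which matches what the comment reports from the bundled openssl.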

It has been like that for quite some time - https://github.com/ScoopInstaller/Main/pull/512#pullrequestreview-308197679 - I'm not sure it will work in stable either.

The actual problem might be this - mentioned on the Lynx homepage: [image]

The manifest currently downloads OpenSSL 1.1.1, but that is not supported it seems. And OpenSSL 1.1.0 is hard to find anywhere.

rashil2000, Nov 16 '21 16:11

You're right. Just tested the stable release with OpenSSL 1.1.1l and it doesn't work. Looks like there are security vulnerabilities with version 1.1.0 so that's why it's hard to find - I don't recommend we go looking for it and introduce vulnerabilities for scoop users! So, it looks like it's up to lynx to add support for 1.1.1 which was released 11 September 2018. Or better yet the latest version 3.0.0 which was recently released (7 September 2021).

tech189, Nov 18 '21 12:11

Maybe we can ask the author what's going on - would you be willing to file a report in Lynx? (Ref: https://lists.gnu.org/archive/html/lynx-dev)

rashil2000, Nov 18 '21 12:11

It looks like someone asked a similar question just over a year ago: https://lists.gnu.org/archive/html/lynx-dev/2020-09/msg00005.html

And this was the author's reply: https://lists.gnu.org/archive/html/lynx-dev/2020-09/msg00006.html

Essentially, it looks like https support for Windows is not planned/being worked on at the moment. A workaround is to install it via WSL or Cygwin instead. ¯\_(ツ)_/¯

tech189, Nov 18 '21 21:11

I see. However, our issue is slightly different - that of difference in Windows OpenSSL versions. But that might very well be due to the author not being aware/having time to look at Windows builds. 😥

rashil2000, Nov 18 '21 22:11

I can't even get the regular installer to work, it fails to install with the error that it 'Failed to copy msvcr120.dll'. That file is from the Visual C++ Redistributable Package for Visual Studio 2013 but even with both the 32bit and 64bit versions installed it still fails. 😢

tech189, Nov 22 '21 20:11

I remember the installer worked when I tried it around a month ago, but yeah now all of them fail with the same error 😕

rashil2000, Nov 23 '21 05:11

Sad times... I would be grateful if you could make a bug report about the installer on that mailing list, I'm not so comfortable posting my real name and email there!

tech189, Nov 23 '21 11:11

I'll see to it if I get time, but I'm not sure.

> I'm not so comfortable posting my real name and email there!

You don't have to use your real name/email 😉. It's just for communication, they're not going to verify you. 😏

rashil2000, Nov 23 '21 12:11

Of course, but I couldn't see the option to leave my username - the button to reply to a thread opens your mail client to respond by email!

tech189, Nov 23 '21 19:11