Certificate error when trying to install MSYS2 packages on Windows server

Question

I installed MSYS2-64bits on my Windows Server 2016 to support some Linux librairies, such as OpenSSL, which I need in my Ruby on Rails development. MSYS2 has been partially installed with Ruby 2.7, but did not complete due to certificates error messages.

I first downloaded and install msys2-x86_64-20210725.exe. It took a very long time and finished after a few messages about Updating the trust database:

==> Generating pacman master key. This may take some time.

==> Updating trust database...

==> Appending keys from msys2.gpg...

==> Locally signing trusted keys in keyring...

  -> Locally signed 6 keys.
==> Importing owner trust values...

==> Disabling revoked keys in keyring...

  -> Disabled 1 keys.
==> Updating trust database...

It stayed about 10 minutes at this stage, but finally declared a successful installation.

Then I tried to update the existing software by running pacman -Syuu. I restarted MSYS2 as requested, typed the statement, and got lots of errors such as the following, repeatedly:

$ pacman -Syuu
:: Synchronizing package databases...
 mingw32.db failed to download
 mingw64.db failed to download
 ucrt64.db failed to download
 clang64.db failed to download
 msys.db failed to download
error: failed retrieving file 'mingw32.db' from mirror.msys2.org : SSL certificate problem: self signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from mirror.msys2.org : SSL certificate problem: self signed certificate in certificate chain
error: failed retrieving file 'ucrt64.db' from mirror.msys2.org : SSL certificate problem: self signed certificate in certificate chain
warning: too many errors from mirror.msys2.org, skipping for the remainder of this transaction

I am afraid that the corporate proxy could refuse self-signed certificates. Is there a way to obtain correctly signed certificates and finalise the installation of all the packages?

Thanks for your help!

Answer 1

Great question, but it's not exactly the corporate proxy refusing self-signed certificates; it's pacman's SSL agent.

In your browser, go to repo.msys2.org to find which certificates are being used:

Open details:

You'll need to export all certificates individually, but don't need the lowest one for repo.msys2.org:

Save to a local file:

Export using Base-64 encoding:

Can save directly to the trust source anchors folder. Things move around from time to time, but as of now, that's C:\msys64\etc\pki\ca-trust\source\anchors\<anyfilename>.cer

Go through the same steps to import the top-level root certificate. Save in the same path, different file name.

$ update-ca-trust
## Done.
$ pacman -Syu

Answer 2

My screen did not look exactly as the screenshots above and I did not have a choice of saving the Certificate with the .cer extension; I could only do it with a .der extension. It worked the same way, though. Here's how my screen looked like when I clicked on the padlock icon:

Answer 3

If your computer is managed by an organization, they may MITM all of your TLS connections and install their own custom CA certificate on your machine, causing MITM connections to be reported as secure. Because OpenSSL in MSYS2 presently does not interface with the Windows system CA store and so is unaware of your organization's unique certificates, you must manually add and trust them.

https://www.msys2.org/docs/faq/

Here, it is mentioned how to add your organization's CA certificate to the trusted certificates of MSYS2 and register them.