Search code examples
windowssslinstallationemscripten

emsdk install fails with urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]

I'm trying to install emsdk under Windows according to instructions there. I use Windows (10.0.19045.2728 freshly installed and updated, in a VM with open internet access). I install Python 3.11.3 (as admin with "Add python.exe to PATH"), download emsdk 2023-04-03 and unzip that to an emsdk folder, and in a cmd.exe prompt do

> emsdk install latest
Resolving SDK alias 'latest' to '3.1.35'
Resolving SDK version '3.1.35' to 'sdk-releases-671550b5bdceee7bdb21493714f9a815aa5149a9-64bit'
Installing SDK 'sdk-releases-671550b5bdceee7bdb21493714f9a815aa5149a9-64bit'..
Installing tool 'node-14.18.2-64bit'..
Error: Downloading URL 'https://storage.googleapis.com/webassembly/emscripten-releases-builds/deps/node-v14.18.2-win-x64.zip': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)>
Warning: Possibly SSL/TLS issue. Update or install Python SSL root certificates (2048-bit or greater) supplied in Python folder or https://pypi.org/project/certifi/ and try again.
error: installation failed!

What am I missing?

I tried

  • pip install certifi (that succeeds, but does not cure it)
  • python emsdk.py install latest (no change)
  • using Python 3.9.13 (no change)
  • under a Mint 21.1 VM with the same network access (it worked)

Ugly workaround: I successfully inserted this kludge in emsdk.py at start of download_file

    if url.startswith("https://storage.googleapis.com/"): # TODO fix/remove me
      url = "http"+url[5:]    # change https to http      # TODO fix/remove me
Solution

  • Kudos to yolw: running their powershell script fixes it for good! Slightly edited:

    # This seems to update the machine cert store so that python can download the files as required by emscripten's install
$WebsiteURL="storage.googleapis.com"
Try {
    $Conn = New-Object System.Net.Sockets.TcpClient($WebsiteURL,443) 
  
    Try {
        $Stream = New-Object System.Net.Security.SslStream($Conn.GetStream())
        $Stream.AuthenticateAsClient($WebsiteURL) 
        $Cert = $Stream.Get_RemoteCertificate()
        $ValidTo = [datetime]::Parse($Cert.GetExpirationDatestring())
   
        Write-Host "`nConnection Successfull" -ForegroundColor DarkGreen
        Write-Host "Website: $WebsiteURL"
        Write-Host "ValidTo: $ValidTo"
    }
    Catch { Throw $_ }
    Finally { $Conn.close() }
}
Catch {
    Write-Host "`nError occurred connecting to $($WebsiteURL)" -ForegroundColor Yellow
    Write-Host "Website: $WebsiteURL"
    Write-Host "Status:" $_.exception.innerexception.message -ForegroundColor Yellow
    Write-Host ""
}

    To get this saved as update-machine-certs.ps1 running, I needed to issue

    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

    that I undid with

    Set-ExecutionPolicy -ExecutionPolicy Undefined    -Scope CurrentUser

    The output was

    Connection Successfull
Website: storage.googleapis.com
ValidTo: 06/12/2023 10:29:06