tickets #61789

closed

mirrorbrain.org - certificate problem in asn_get_routeviews

Added by pjessen over 4 years ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Mirrors
Target version: -
Start date: 2020-01-06
Due date:
% Done: 100%
Estimated time:
Description

Since 25/9/2019, I see a daily email to admin-auto complaining about

IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

mirrorbrain.org is using Let's Encrypt certificates, that ought to be fine. Are we somehow missing a root CA? Trying to retrieve manually with wget also fails, same problem.


Files

asn_import.patch (740 Bytes), pjessen, 2022-01-16 13:40

Related issues 1 (0 open, 1 closed)

Related to openSUSE admin - tickets #90176: mirrorbrain - no region assigned to three new Chinese mirrors? (Closed, andriinikitin, 2021-03-16)

Actions #1

Updated by pjessen over 4 years ago

  • Private changed from Yes to No
Actions #2

Updated by pjessen over 4 years ago

A manual wget on my own machine (running 42.3) also fails. From a browser, it works fine.

Actions #3

Updated by pjessen about 4 years ago

Even running "asn_get_routeviews" on my ancient 10.3 machine - works fine.

Actions #4

Updated by pjessen about 4 years ago

I guess we are (somehow) missing the root CA from Let's Encrypt - DST Root CA X3?

Actions #5

Updated by pjessen about 4 years ago

pjessen wrote:

Even running "asn_get_routeviews" on my ancient 10.3 machine - works fine.

This works because I have the Let's Encrypt X3 CA installed. I'll try that on pontifex too.

Actions #6

Updated by pjessen about 4 years ago

  • Status changed from New to In Progress

I have retrieved https://letsencrypt.org/certs/trustid-x3-root.pem.txt, but this is identical to DST_Root_CA_X3.pem, which is already in place.

I have also compared our DST_Root_CA_X3.pem to the built-in CA in Firefox (exported) and they also match.

Actions #7

Updated by pjessen about 4 years ago

Running wget with strace, it looks like it's trying to look up a hash that doesn't exist:

/var/lib/ca-certificates/openssl/4f06f81d.0

We have two locations.

/var/lib/ca-certificates/openssl/
/var/lib/ca-certificates/pem
/etc/ssl/certs -> /var/lib/ca-certificates/pem/

Well, I won't pretend to understand what is going on, but I will install the Let's Encrypt X3 cross-signed (that works on my own systems).
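Editorial example, added here and not part of the ticket or of mirrorbrain: OpenSSL looks up CA certificates in a hashed directory as `<subject-hash>.<n>`, starting at `.0` and counting up until a file is missing, so a failed lookup of a `.0` file means no certificate with that subject is in the directory. The sketch below pulls such failures out of strace output; the function name `missing_ca_hashes` and the sample trace are assumptions constructed for illustration.

```python
import re

# Constructed strace excerpt (assumption, not taken from the ticket). Only the
# 4f06f81d.0 path is the one quoted in the comment above.
SAMPLE_STRACE = """\
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
stat("/var/lib/ca-certificates/openssl/4f06f81d.0", 0x7ffd3c1a2b40) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/ca-certificates/openssl/0a1b2c3d.0", O_RDONLY) = 4
openat(AT_FDCWD, "/var/lib/ca-certificates/openssl/0a1b2c3d.1", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# Matches syscalls whose path ends in <8 hex digits>.<n>, the file name
# format used in an OpenSSL hashed certificate directory.
HASH_LOOKUP = re.compile(
    r'^(?:\d+\s+)?\w+\((?:AT_FDCWD, )?"(?P<dir>[^"]*)/(?P<hash>[0-9a-f]{8})\.(?P<n>\d+)"'
    r'.*\)\s+=\s+(?P<ret>-?\d+)(?:\s+(?P<errno>E\w+))?'
)


def missing_ca_hashes(strace_text):
    """Return {directory: [hashes]} for which the first slot (<hash>.0) was absent."""
    found, missed = set(), set()
    for line in strace_text.splitlines():
        m = HASH_LOOKUP.match(line)
        if not m:
            continue
        key = (m["dir"], m["hash"])
        if m["errno"] == "ENOENT":
            # ENOENT on .1, .2, ... only marks the end of a collision chain;
            # ENOENT on .0 means no certificate with this subject hash exists.
            if m["n"] == "0":
                missed.add(key)
        elif int(m["ret"]) >= 0:
            found.add(key)
    result = {}
    for directory, cert_hash in sorted(missed - found):
        result.setdefault(directory, []).append(cert_hash)
    return result


if __name__ == "__main__":
    for directory, hashes in missing_ca_hashes(SAMPLE_STRACE).items():
        print(directory, "has no certificate for subject hash:", ", ".join(hashes))
```

A reported hash can be matched to a certificate file with `openssl x509 -noout -subject_hash -in <cert.pem>`.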

Actions #8

Updated by pjessen about 4 years ago

Michael Stroeder found out that it is really mirrorbrain.org that is misconfigured.

Another problem, but in asn_import. See https://progress.opensuse.org/issues/62678

Actions #9

Updated by pjessen about 4 years ago

  • Status changed from In Progress to Resolved
  • Assignee set to pjessen
  • % Done changed from 0 to 100

Although mirrorbrain still has a configuration problem, we can't do much about it. I'm closing.

Actions #10

Updated by pjessen about 4 years ago

  • Status changed from Resolved to New

As of 6/2, the certificate problem has reappeared, probably also on olaf. I guess we had an update installed the previous day.
What might the correct procedure be for adding a local override? Saltifying?

Actions #11

Updated by lrupp about 4 years ago

If this is triggered by an updated package, we should try to identify the package and fix this instead.
Using Salt would be a workaround only. Another workaround would be another package that inherits the content of the broken package and includes the fixes/workarounds you need. OBS is ideal for that (as the new package will get triggered automatically if there is an update in the original package).
But, again: I would prefer to get this fixed in the real package. A bug report might be needed to analyze this further together with the packager.

Actions #12

Updated by lrupp over 2 years ago

  • Status changed from New to Closed

Hi there - and a Happy and Healthy 2022!

I'm currently closing old tickets which did not see much change.
If the main concern still exists and should be handled, please re-open by just replying to this Email.

Thanks in advance,
Lars

Actions #13

Updated by pjessen over 2 years ago

  • Related to tickets #90176: mirrorbrain - no region assigned to three new Chinese mirrors? added
Actions #14

Updated by pjessen over 2 years ago

  • Status changed from Closed to In Progress

I am reopening. Although the general belief seems to be "that stuff is handled by mod_maxminddb", that isn't actually true.
mirrorbrain uses e.g. pfx2asn when creating or updating mirror entries. I have looked at updating pfx2asn when we import new data from maxmind, but I don't think it is actually possible, the data is simply not available. See #90176.

The issue in this ticket is mostly the certificate problem wrt mirrorbrain.org, which appears to have been resolved. I have re-enabled the cronjob.

I do wonder about how long the data will continue to be available at mirrorbrain.org?

Actions #15

Updated by pjessen over 2 years ago

  • % Done changed from 100 to 50
Actions #16

Updated by pjessen over 2 years ago

  • % Done changed from 50 to 100

Well, the certificate issue has been resolved, but the cron job did not quite work this morning:

Downloading https://mirrorbrain.org/routeviews/oix-full-snapshot-latest.dat.bz2
Traceback (most recent call last):
  File "/usr/bin/asn_import", line 27, in <module>
    connection = mb.conn.Conn(config.dbconfig)
TypeError: __init__() takes at least 3 arguments (2 given)
Downloading https://mirrorbrain.org/routeviews/ipv6-rib-snapshot-latest.txt.bz2
[Errno 32] Broken pipe

I ran the cronjob as mirrorbrain only yesterday, it worked fine.

Actions #17

Updated by pjessen over 2 years ago

pjessen wrote:

Well, the certificate issue has been resolved, but the cron job did not quite work this morning:

My own fault.

/usr/bin/asn_import (from apache2-mod_asn-tools) needs updating [1] and I forgot I had an updated version in /home/mirrorbrain.

The cronjob just did not use this "improved" version.

[1] mb/conn.py (from python-mb) was updated to require three parameters for class Conn. /usr/bin/asn_import was not updated.

Actions #18

Updated by pjessen about 2 years ago

  • Status changed from In Progress to Resolved

Closing as resolved.

Actions #19

Updated by pjessen over 1 year ago

  • Status changed from Resolved to New
  • Assignee deleted (pjessen)

This problem seems to have re-appeared as of 23 June.

Downloading https://mirrorbrain.org/routeviews/oix-full-snapshot-latest.dat.bz2
Traceback (most recent call last):
  File "/usr/bin/asn_import", line 27, in <module>
    connection = mb.conn.Conn(config.dbconfig)
TypeError: __init__() takes at least 3 arguments (2 given)
Downloading https://mirrorbrain.org/routeviews/ipv6-rib-snapshot-latest.txt.bz2
[Errno 32] Broken pipe

Obviously, I forgot to submit a PR with my patch.
I don't know the current state of mirrorbrain vs mirrorcache, so I'll leave it to Andrii to sort out.

Actions #20

Updated by pjessen over 1 year ago

pjessen wrote:

Obviously, I forgot to submit a PR with my patch.

For the time being, I have applied my patch above to /usr/bin/asn_import.

Actions #21

Updated by crameleon 11 months ago

What's the status of this? Do we still maintain a patch inside /usr/bin/? As far as I know, we no longer use MirrorBrain anywhere and I suggest dropping this.

Actions #22

Updated by pjessen 11 months ago

crameleon wrote:

What's the status of this? Do we still maintain a patch inside /usr/bin/? As far as I know, we no longer use MirrorBrain anywhere and I suggest dropping this.

Quoting myself from above: "mirrorbrain uses e.g. pfx2asn when creating or updating mirror entries. ". I have no idea what is and what isn't being used any more.
If nobody cares, I guess we can close.

Actions #23

Updated by crameleon 9 months ago

  • Status changed from New to Closed

Closing then. I think MirrorBrain is not used anymore anyways and I remember disabling some asn scripts as part of removing the database.
