Bug#1070270: riseup-vpn: client no longer works due to cert verification problem

2024-05-16 Thread Nilesh Patra
On Wed, May 15, 2024 at 01:01:06PM -0700, Matt Taggart wrote:
> 
> On 5/10/24 07:26, Nilesh Patra wrote:
> 
> > Going for an upload to unstable followed by an s-p-u.
> > 
> > > > [2]: https://people.debian.org/~nilesh/riseup-vpn-stable/
> 
> I was finally able to install 0.21.11+ds1-5+deb12u1 from the above on my
> bookworm test system and it fixed things and the vpn is working again!
> An upload to s-p-u would be great.

Uploaded already to s-p-u, filed https://bugs.debian.org/1070856 for approval.
Also uploaded new version to backports-new.

Best,
Nilesh




Bug#1070270: riseup-vpn: client no longer works due to cert verification problem

2024-05-15 Thread Matt Taggart



On 5/10/24 07:26, Nilesh Patra wrote:

> Going for an upload to unstable followed by an s-p-u.
>
> > > [2]: https://people.debian.org/~nilesh/riseup-vpn-stable/


I was finally able to install 0.21.11+ds1-5+deb12u1 from the above on my 
bookworm test system and it fixed things and the vpn is working again!

An upload to s-p-u would be great.

Thanks,

--
Matt Taggart
m...@lackof.org



Bug#1070270: riseup-vpn: client no longer works due to cert verification problem

2024-05-10 Thread Nilesh Patra
On Sun, May 05, 2024 at 09:47:40PM +0530, Nilesh Patra wrote:
> On Sat, May 04, 2024 at 08:59:19PM +0530, Nilesh Patra wrote:
> > Hi Matt,
> > 
> > Quoting Matt Taggart:
> > >  Package: riseup-vpn
> > >  Version: 0.21.11+ds1-5+b1
> > >  Severity: grave
> > >  
> > >  When attempting to run the bookworm riseup-vpn package, it fails to 
> > >  connect to riseup's servers and gives the following output:
> > >  
> > >  2024/05/01 18:21:23 Error fetching eip v3 
> > >  json:https://api.black.riseup.net/3/config/eip-service.json
> > >  
> > >  My understanding is that this is due to the package failing to be able 
> > >  to verify the current LetsEncrypt cert that host is using. More details at
> > >  
> > >  https://0xacab.org/leap/bitmask-vpn/-/issues/768
> > >  
> > >  (supposedly the current upstream snap has this fixed, but I haven't 
> > >  tried it)
> > >  
> > >  As this breaks what the package is supposed to do (at least when using 
> > >  riseup as provider, maybe there is a way to point it elsewhere?) I think 
> > >  this is grave. Also I think it might be a good candidate for being fixed 
> > >  in a stable release update.
> > 
> > If I am not mistaken, as per the said issue, it is fixed in the commit
> > referenced here, right?
> > 
> > 
> > https://0xacab.org/leap/bitmask-vpn/-/commit/14cf64b10a97c29688f252a7d9d3481c8484aa1d
> > 
> > I tried this in my testing system and it seems I am able to connect to the VPN
> > with this patch applied. Can you confirm?
> 
> I tried with this commit using my stable `.deb` in a fresh stable VM and it
> seems things are working.

I got more extensive testing done. This definitely fixes the issue as it helps
verify the letsencrypt certificate.

> > Consequently, I also did some work to cherry-pick this and prepare a stable-p-u
> > upload (not yet uploaded, will do after confirmation) and pushed my changes
> > at[1]. I have also compiled the `.deb` for stable and it is ready to be
> > consumed[2]. Do you think you could ask someone to check the same?
> > 
> > Other than that, I also tried to update the package in unstable to the latest
> > version to fixup this properly. I was able to build it, pushed my changes
> > here[3] and the `.deb` is available here[4]. Again, if you/someone else could
> > try this, it'd be great. It is working for me on my debian/testing system.
> 
> I asked a friend to check on their testing system and it seems to be working as
> well. I will proceed to upload these in a week or so. Until then I am awaiting
> your response.

OK, so now the time is up and I've got some spare time now - I am going ahead
with an upload. This looks fine and the package works.

> > I would have attempted the update much sooner but unfortunately an update with
> > 0xacab's gitlab broke my d/watch file and I did not notice a new version is out
> > there sooner.
> > 
> > I was thinking to go ahead with an upload, but there are a few things that I
> > would like to clarify before I do so (btw thanks to the maintainers for
> > committing a patch to use with qt6.4):

To be clear: these questions do not apply to the stable update. Only to the
unstable one.

> > 1. Why is the default provider set to "provider = bitmask" in
> > providers/vendor.conf? This leads to building the binary called bitmask-vpn
> > instead of riseup-vpn. Is there a thought of changing the binary name?
> > 
> > In current stage it points to just dummy APIs and hence I overrode it in d/rules
> > to build riseup-vpn instead.

I am keeping this as is.

> > 2. In the vendor/gitlab.com/yawning/obfs4.git/ package, there are 3 licenses.
> > BSD-2-Clause, BSD-3-Clause and also GPL-3 for
> > vendor/gitlab.com/yawning/obfs4.git/internal/x25519ell2/x25519ell2.go - so what
> > exactly is the exact license? Is it redistributable under all the three? (I
> > don't think so?)

I found a comment from yawning and added the internal/* under GPL.

Going for an upload to unstable followed by an s-p-u.

> > [1]: https://salsa.debian.org/go-team/packages/riseup-vpn/-/tree/debian/bookworm-pu?ref_type=heads
> > [2]: https://people.debian.org/~nilesh/riseup-vpn-stable/
> > [3]: https://salsa.debian.org/go-team/packages/riseup-vpn/-/tree/debian/sid?ref_type=heads
> > [4]: https://people.debian.org/~nilesh/riseup-vpn-0.24.5/
[5]: https://gitlab.com/yawning/obfs4/-/issues/5

Best,
Nilesh




Bug#1070270: riseup-vpn: client no longer works due to cert verification problem

2024-05-05 Thread Nilesh Patra
On Sat, May 04, 2024 at 08:59:19PM +0530, Nilesh Patra wrote:
> Hi Matt,
> 
> Quoting Matt Taggart:
> >  Package: riseup-vpn
> >  Version: 0.21.11+ds1-5+b1
> >  Severity: grave
> >  
> >  When attempting to run the bookworm riseup-vpn package, it fails to 
> >  connect to riseup's servers and gives the following output:
> >  
> >  2024/05/01 18:21:23 Error fetching eip v3 
> >  json:https://api.black.riseup.net/3/config/eip-service.json
> >  
> >  My understanding is that this is due to the package failing to be able 
> >  to verify the current LetsEncrypt cert that host is using. More details at
> >  
> >  https://0xacab.org/leap/bitmask-vpn/-/issues/768
> >  
> >  (supposedly the current upstream snap has this fixed, but I haven't 
> >  tried it)
> >  
> >  As this breaks what the package is supposed to do (at least when using 
> >  riseup as provider, maybe there is a way to point it elsewhere?) I think 
> >  this is grave. Also I think it might be a good candidate for being fixed 
> >  in a stable release update.
> 
> If I am not mistaken, as per the said issue, it is fixed in the commit
> referenced here, right?
> 
>   
> https://0xacab.org/leap/bitmask-vpn/-/commit/14cf64b10a97c29688f252a7d9d3481c8484aa1d
> 
> I tried this in my testing system and it seems I am able to connect to the VPN
> with this patch applied. Can you confirm?

I tried with this commit using my stable `.deb` in a fresh stable VM and it
seems things are working.

> Consequently, I also did some work to cherry-pick this and prepare a stable-p-u
> upload (not yet uploaded, will do after confirmation) and pushed my changes
> at[1]. I have also compiled the `.deb` for stable and it is ready to be
> consumed[2]. Do you think you could ask someone to check the same?
> 
> Other than that, I also tried to update the package in unstable to the latest
> version to fixup this properly. I was able to build it, pushed my changes
> here[3] and the `.deb` is available here[4]. Again, if you/someone else could
> try this, it'd be great. It is working for me on my debian/testing system.

I asked a friend to check on their testing system and it seems to be working as
well. I will proceed to upload these in a week or so. Until then I am awaiting
your response.

> I would have attempted the update much sooner but unfortunately an update with
> 0xacab's gitlab broke my d/watch file and I did not notice a new version is out
> there sooner.
> 
> I was thinking to go ahead with an upload, but there are a few things that I
> would like to clarify before I do so (btw thanks to the maintainers for
> committing a patch to use with qt6.4):
> 
> 1. Why is the default provider set to "provider = bitmask" in
> providers/vendor.conf? This leads to building the binary called bitmask-vpn
> instead of riseup-vpn. Is there a thought of changing the binary name?
> 
> In current stage it points to just dummy APIs and hence I overrode it in d/rules
> to build riseup-vpn instead.
> 
> 2. In the vendor/gitlab.com/yawning/obfs4.git/ package, there are 3 licenses.
> BSD-2-Clause, BSD-3-Clause and also GPL-3 for
> vendor/gitlab.com/yawning/obfs4.git/internal/x25519ell2/x25519ell2.go - so what
> exactly is the exact license? Is it redistributable under all the three? (I
> don't think so?)
> 
> [1]: https://salsa.debian.org/go-team/packages/riseup-vpn/-/tree/debian/bookworm-pu?ref_type=heads
> [2]: https://people.debian.org/~nilesh/riseup-vpn-stable/
> [3]: https://salsa.debian.org/go-team/packages/riseup-vpn/-/tree/debian/sid?ref_type=heads
> [4]: https://people.debian.org/~nilesh/riseup-vpn-0.24.5/
> 
> Best,
> Nilesh


Best,
Nilesh




Bug#1070270: riseup-vpn: client no longer works due to cert verification problem

2024-05-04 Thread Nilesh Patra
Hi Matt,

Quoting Matt Taggart:
>  Package: riseup-vpn
>  Version: 0.21.11+ds1-5+b1
>  Severity: grave
>  
>  When attempting to run the bookworm riseup-vpn package, it fails to 
>  connect to riseup's servers and gives the following output:
>  
>  2024/05/01 18:21:23 Error fetching eip v3 
>  json:https://api.black.riseup.net/3/config/eip-service.json
>  
>  My understanding is that this is due to the package failing to be able 
>  to verify the current LetsEncrypt cert that host is using. More details at
>  
>  https://0xacab.org/leap/bitmask-vpn/-/issues/768
>  
>  (supposedly the current upstream snap has this fixed, but I haven't 
>  tried it)
>  
>  As this breaks what the package is supposed to do (at least when using 
>  riseup as provider, maybe there is a way to point it elsewhere?) I think 
>  this is grave. Also I think it might be a good candidate for being fixed 
>  in a stable release update.

If I am not mistaken, as per the said issue, it is fixed in the commit
referenced here, right?


https://0xacab.org/leap/bitmask-vpn/-/commit/14cf64b10a97c29688f252a7d9d3481c8484aa1d

I tried this in my testing system and it seems I am able to connect to the VPN
with this patch applied. Can you confirm?

Consequently, I also did some work to cherry-pick this and prepare a stable-p-u
upload (not yet uploaded, will do after confirmation) and pushed my changes
at[1]. I have also compiled the `.deb` for stable and it is ready to be
consumed[2]. Do you think you could ask someone to check the same?

Other than that, I also tried to update the package in unstable to the latest
version to fixup this properly. I was able to build it, pushed my changes
here[3] and the `.deb` is available here[4]. Again, if you/someone else could
try this, it'd be great. It is working for me on my debian/testing system.

I would have attempted the update much sooner but unfortunately an update with
0xacab's gitlab broke my d/watch file and I did not notice a new version is out
there sooner.

I was thinking to go ahead with an upload, but there are a few things that I
would like to clarify before I do so (btw thanks to the maintainers for
committing a patch to use with qt6.4):

1. Why is the default provider set to "provider = bitmask" in
providers/vendor.conf? This leads to building the binary called bitmask-vpn
instead of riseup-vpn. Is there a thought of changing the binary name?

In current stage it points to just dummy APIs and hence I overrode it in d/rules
to build riseup-vpn instead.

2. In the vendor/gitlab.com/yawning/obfs4.git/ package, there are 3 licenses.
BSD-2-Clause, BSD-3-Clause and also GPL-3 for
vendor/gitlab.com/yawning/obfs4.git/internal/x25519ell2/x25519ell2.go - so what
exactly is the exact license? Is it redistributable under all the three? (I
don't think so?)

[1]: https://salsa.debian.org/go-team/packages/riseup-vpn/-/tree/debian/bookworm-pu?ref_type=heads
[2]: https://people.debian.org/~nilesh/riseup-vpn-stable/
[3]: https://salsa.debian.org/go-team/packages/riseup-vpn/-/tree/debian/sid?ref_type=heads
[4]: https://people.debian.org/~nilesh/riseup-vpn-0.24.5/

Best,
Nilesh




Bug#1070270: riseup-vpn: client no longer works due to cert verification problem

2024-05-02 Thread Matt Taggart

Package: riseup-vpn
Version: 0.21.11+ds1-5+b1
Severity: grave

When attempting to run the bookworm riseup-vpn package, it fails to 
connect to riseup's servers and gives the following output:


2024/05/01 18:21:23 Error fetching eip v3 
json:https://api.black.riseup.net/3/config/eip-service.json


My understanding is that this is due to the package failing to be able 
to verify the current LetsEncrypt cert that host is using. More details at


https://0xacab.org/leap/bitmask-vpn/-/issues/768

(supposedly the current upstream snap has this fixed, but I haven't 
tried it)


As this breaks what the package is supposed to do (at least when using 
riseup as provider, maybe there is a way to point it elsewhere?) I think 
this is grave. Also I think it might be a good candidate for being fixed 
in a stable release update.


Thanks,

--
Matt Taggart
m...@lackof.org