Bug#863740: pagekite: Fail to connect to pagekite, claim invalid ssl cert

2017-05-31 Thread Petter Reinholdtsen

I asked upstream about this.  Bjarni suggested it perhaps was related to
the use of StartSSL certificates and pointed me to
<http://pagekite.net/2016-11-22/Pagekite_py_0_5_9,_CA_trust_issue>.

I tested by using the StartCom/StartSSL CA certificates, and it did
indeed solve the problem.  I guess Debian removed the relevant
certificates from Stretch?  This changelog from ca-certificates seems
relevant, but I do not quite understand what the effect of the change
is:

ca-certificates (20161130+nmu1) unstable; urgency=medium

  * Non-maintainer upload.
  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
now untrusted by the major browser vendors. Closes: #858539

 -- Chris Lamb   Fri, 19 May 2017 16:53:16 +0200

I am not quite sure exactly which certificate is used, but this is the
change I implemented to solve the problem.

diff --git a/pagekite.d/20_frontends.rc b/pagekite.d/20_frontends.rc
index d0604ae..39c9556 100644
--- a/pagekite.d/20_frontends.rc
+++ b/pagekite.d/20_frontends.rc
@@ -7,6 +7,7 @@
 
 # Use the pagekite.net service defaults.
 defaults
+ca_certs=/etc/pagekite.d/cacert-startssl.pem
 
 # If you want to use your own, use something like:
 # frontend = hostname:port
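Review bot: the new `ca_certs=/etc/pagekite.d/cacert-startssl.pem` line re-enables trust in a root that the ca-certificates changelog quoted above says was blacklisted because the major browser vendors no longer trust it, yet nothing in the rc file records why; add a comment beside the setting that names this bug and marks it as a temporary workaround to be removed once the pagekite.net frontends validate against the system store, so the override is not forgotten. It is also worth confirming whether `ca_certs` replaces or supplements the system bundle when placed after `defaults`, since the report does not say.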
diff --git a/pagekite.d/cacert-startssl.pem b/pagekite.d/cacert-startssl.pem
new file mode 100644
index 000..6cd55c7
--- /dev/null
+++ b/pagekite.d/cacert-startssl.pem
@@ -0,0 +1,142 @@
+##
+## Bundle of CA Root Certificates
+##
+## Certificate data from Mozilla as of: Wed Jan 18 04:12:05 2017 GMT
+##
+## This is a bundle of X.509 certificates of public Certificate Authorities
+## (CA). These were automatically extracted from Mozilla's root certificates
+## file (certdata.txt).  This file can be found in the mozilla source tree:
+## 
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
+##
+## It contains the certificates in PEM format and therefore
+## can be directly used with curl / libcurl / php_curl, or with
+## an Apache+mod_ssl webserver for SSL client authentication.
+## Just configure this file as the SSLCACertificateFile.
+##
+## Conversion done with mk-ca-bundle.pl version 1.27.
+## SHA256: dffa79e6aa993f558e82884abf7bb54bf440ab66ee91d82a27a627f6f2a4ace4
+##
+
+StartCom Certification Authority
+
+-BEGIN CERTIFICATE-
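Review bot: the header describes a complete Mozilla root bundle, including an `## SHA256:` line and the mk-ca-bundle.pl provenance, but the hunk adds only 142 lines and the only certificate present is the StartCom Certification Authority root, so the header and its hash no longer describe this file; trim the header to say this is a single extracted root added as a workaround for this bug and drop the SHA256 line, which can only mislead anyone who tries to verify the file. The delimiter also appears here as `-BEGIN CERTIFICATE-` rather than `-----BEGIN CERTIFICATE-----`; if that is how the file is committed and not a mail artifact, PEM readers will not find a certificate in it, so the actual file should be checked.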

Bug#863740: pagekite: Fail to connect to pagekite, claim invalid ssl cert

2017-05-30 Thread Petter Reinholdtsen

Package: pagekite
Version: 0.5.9.0-1

My pagekite instance on my Debian Stretch based Freedombox fails to
connect to the pagekite service.  These are the log messages I get; notice
the 'certificate verify failed' part:

root@freedombox:~# tail -20 /var/log/pagekite/pagekite.log
ts=592dc614; t=2017-05-30T19:20:52; ll=4d; debug=TunnelManager: problem=2, 
connecting=2
ts=592dc62a; t=2017-05-30T19:21:14; ll=4e; debug=Pinged 180.235.133.100:443: 
0.426222 [win=3, uuid=012343e74daca97d7ae1eed90ddd65afe78cbda6]
ts=592dc62a; t=2017-05-30T19:21:14; ll=4f; debug=Pinged 180.235.133.100:443: 
0.429669 [win=3, uuid=012343e74daca97d7ae1eed90ddd65afe78cbda6]
ts=592dc62a; t=2017-05-30T19:21:14; ll=50; debug=Pinged 180.235.133.100:443: 
0.439536 [win=3, uuid=012343e74daca97d7ae1eed90ddd65afe78cbda6]
ts=592dc62a; t=2017-05-30T19:21:14; ll=51; debug=Pinged 88.198.106.222:443: 
1.093084 [win=3, uuid=d77a1308f7feac3a16af832d527c81bb2c456d33]
ts=592dc62a; t=2017-05-30T19:21:14; ll=52; debug=Pinged 52.58.49.54:443: 
0.176134 [win=3, uuid=cb7deaf9bb554a389053dee2e10b0bcd2c6dee6d]
ts=592dc62a; t=2017-05-30T19:21:14; ll=53; debug=Pinged 54.84.55.54:443: 
0.313137 [win=3, uuid=89a1cca99ea351eb6ee95462663935db2b3f196c]
ts=592dc62a; t=2017-05-30T19:21:14; ll=54; debug=Pinged 54.183.178.65:443: 
0.396083 [win=3, uuid=fd864320481f56b934b221839c7f56f8940dd4e4]
ts=592dc62a; t=2017-05-30T19:21:14; ll=55; debug=Pinged 13.54.10.122:443: 
0.654999 [win=3, uuid=e47cbe5a922cc80a16868616f0eb43fa85924e6e]
ts=592dc62a; t=2017-05-30T19:21:14; ll=56; debug=Pinged 139.162.5.63:443: 
0.752239 [win=3, uuid=6dfce8e23ed66554ab59a190471a2c0e0e3718b8]
ts=592dc62a; t=2017-05-30T19:21:14; ll=57; debug=Preferred: 52.58.49.54:443
ts=592dc62a; t=2017-05-30T19:21:14; ll=58; debug=Connecting to 52.58.49.54:443; 
id=s4
ts=592dc62a; t=2017-05-30T19:21:14; ll=59; debug=Connecting to 
180.235.133.100:443; id=s5
ts=592dc62b; t=2017-05-30T19:21:15; ll=5a; err=Error in connect: Traceback 
(most recent call last):   File 
"/usr/lib/python2.7/dist-packages/pagekite/proto/conns.py", line 471, in 
_BackEnd data, parse = self._Connect(server, conns)   File 
"/usr/lib/python2.7/dist-packages/pagekite/proto/conns.py", line 331, in 
_Connect self.fd.connect((sspec[0], int(sspec[1])))   File 
"/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 1017, in 
connect anonymous=(proxy[P_TYPE] == PROXY_TYPE_SSL_ANON))   File 
"/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 929, in 
__negotiatessl connected=True, verify_names=want_hosts)   File 
"/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 118, in 
SSL_Connect if verify_names: nsock.do_handshake()   File 
"/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake   
  self._raise_ssl_error(self._ssl, result)   File 
"/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1174, in 
_raise_ssl_error _raise_current_error()   File 
"/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 48, in 
exception_from_error_queue raise exception_type(errors) Error: [('SSL 
routines', 'tls_process_server_certificate', 'certificate verify failed')]
ts=592dc62b; t=2017-05-30T19:21:15; ll=5b; err=Server response parsing failed: 
[('SSL routines', 'tls_process_server_certificate', 'certificate verify 
failed')]; id=s4
ts=592dc62b; t=2017-05-30T19:21:15; ll=5c; eof=1; id=s4
ts=592dc62b; t=2017-05-30T19:21:15; ll=5d; err=Error in connect: Traceback 
(most recent call last):   File 
"/usr/lib/python2.7/dist-packages/pagekite/proto/conns.py", line 471, in 
_BackEnd data, parse = self._Connect(server, conns)   File 
"/usr/lib/python2.7/dist-packages/pagekite/proto/conns.py", line 331, in 
_Connect self.fd.connect((sspec[0], int(sspec[1])))   File 
"/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 1017, in 
connect anonymous=(proxy[P_TYPE] == PROXY_TYPE_SSL_ANON))   File 
"/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 929, in 
__negotiatessl connected=True, verify_names=want_hosts)   File 
"/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 118, in 
SSL_Connect if verify_names: nsock.do_handshake()   File 
"/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake   
  self._raise_ssl_error(self._ssl, result)   File 
"/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1174, in 
_raise_ssl_error _raise_current_error()   File 
"/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 48, in 
exception_from_error_queue raise exception_type(errors) Error: [('SSL 
routines', 'tls_process_server_certificate', 'certificate verify failed')]
ts=592dc62b; t=2017-05-30T19:21:15; ll=5e; err=Server response parsing failed: 
[('SSL routines', 'tls_process_server_certificate', 'certificate verify 
failed')]; id=s5
ts=592dc62b; t=2017-05-30T19:21:15; ll=5f; eof=1; id=s5
ts=592dc62b; t=2017-05-30T19:21:15; ll=60; debug=TunnelManager: problem=2, 
connecting=2
root@freedombox:~#

I found a messa
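As an added example, not code from the bug report or from the pagekite project: a small Python detector for the `key=value; key=value` log format quoted above, which flags every 'certificate verify failed' error and correlates it with the frontend the tunnel was connecting to, so that TLS trust failures are alerted on instead of being hidden behind a CA override. The sample log lines are constructed to match the reported layout; hosts and timestamps are illustrative.

```python
import re

# Constructed sample in pagekite's "key=value; key=value" log format, modelled
# on the log quoted in the bug report (timestamps and hosts are illustrative).
SAMPLE_LOG = """\
ts=592dc62a; t=2017-05-30T19:21:14; ll=57; debug=Preferred: 52.58.49.54:443
ts=592dc62a; t=2017-05-30T19:21:14; ll=58; debug=Connecting to 52.58.49.54:443; id=s4
ts=592dc62a; t=2017-05-30T19:21:14; ll=59; debug=Connecting to 180.235.133.100:443; id=s5
ts=592dc62b; t=2017-05-30T19:21:15; ll=5b; err=Server response parsing failed: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]; id=s4
ts=592dc62b; t=2017-05-30T19:21:15; ll=5c; eof=1; id=s4
ts=592dc62b; t=2017-05-30T19:21:15; ll=5e; err=Server response parsing failed: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]; id=s5
ts=592dc62b; t=2017-05-30T19:21:15; ll=5f; eof=1; id=s5
ts=592dc62b; t=2017-05-30T19:21:15; ll=60; debug=TunnelManager: problem=2, connecting=2
"""

CONNECT_RE = re.compile(r"^Connecting to (\S+)")
VERIFY_FAIL = "certificate verify failed"


def parse_line(line):
    """Split one pagekite log line into a dict.

    Fields are separated by '; ' and only the first '=' of a field is the
    key/value boundary, because values such as 'problem=2, connecting=2' and
    the pyOpenSSL error tuples contain '=' and ',' themselves.
    """
    fields = {}
    for field in line.rstrip("\n").split("; "):
        key, sep, value = field.partition("=")
        fields[key] = value if sep else ""
    return fields


def tls_verify_failures(log_text):
    """Return [(time, connection id, frontend host:port)] for every
    'certificate verify failed' error, using the earlier 'Connecting to ...'
    line with the same connection id to name the frontend involved."""
    frontends = {}  # connection id -> host:port
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        conn_id = rec.get("id")
        m = CONNECT_RE.match(rec.get("debug", ""))
        if m and conn_id:
            frontends[conn_id] = m.group(1)
        if VERIFY_FAIL in rec.get("err", ""):
            failures.append((rec.get("t"), conn_id, frontends.get(conn_id, "unknown")))
    return failures


if __name__ == "__main__":
    for when, conn_id, host in tls_verify_failures(SAMPLE_LOG):
        print("%s  %s  TLS verification failed against frontend %s" % (when, conn_id, host))
```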