Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-06 Thread Antonio Terceiro
Control: reassign -1 ruby-httpclient
Control: retitle -1 ruby-httpclient: uses stale copy of CA certificates
Control: severity -1 serious
Control: forwarded -1 https://github.com/nahi/httpclient/issues/445

On Tue, Oct 05, 2021 at 06:45:39PM +0200, Francesco Poli wrote:
> On Tue, 05 Oct 2021 11:55:25 +0200 Diederik de Haas wrote:
> 
> [...]
> > I ran 
> > 'reportbug apt-listbugs' and so I found this bug. It also shows 995432.
> > (I usually use the web interface to see whether 'my' issue has already been 
> > found, but it doesn't show up there)
> 
> For the record, this bug report is not currently assigned to
> apt-listbugs, it only affects apt-listbugs.
> 
> That's why it does not show up on
> 
> 
> However, it shows up on
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=apt-listbugs;dist=unstable

This is caused by ruby-httpclient having a stale copy of CA
certificates:

https://github.com/nahi/httpclient/issues/445

I have confirmed this locally, and have a fix I will get out soon.


signature.asc
Description: PGP signature
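
Added example (not part of the thread, and not code from ruby-httpclient or apt-listbugs): the failure mode diagnosed above, reproduced in Ruby. A client that trusts only a stale private CA bundle reports "certificate has expired" for a server certificate that a refreshed store accepts. All certificates, names and helper functions are constructed for illustration; re-issuing the same root with a later expiry stands in for the refreshed store.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every certificate in a PEM bundle (e.g. a library's private CA file).
def bundle_certs(pem_text)
  pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Subjects of bundle entries whose validity period has ended at time `at`.
def expired_subjects(pem_text, at: Time.now)
  bundle_certs(pem_text).select { |c| c.not_after < at }.map { |c| c.subject.to_s }
end

# Verify `leaf` against a store built only from the bundle; returns OpenSSL's
# verdict string, "ok" when the chain verifies.
def verdict(leaf, pem_text)
  store = OpenSSL::X509::Store.new
  bundle_certs(pem_text).each { |c| store.add_cert(c) }
  store.verify(leaf)
  store.error_string
end

# Constructed certificate (not a real CA); self-signed when issuer is nil.
def issue(cn, key, not_after, issuer: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/O=Constructed Example/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3650 * 86_400
  cert.not_after = not_after
  bc = OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true)
  cert.add_extension(bc)
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Constructed sample: the same root (same key and subject) as an expired copy in
# a stale bundle and as a current copy in a refreshed bundle, plus a valid leaf.
ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
OLD_ROOT = issue('Example Root', ROOT_KEY, Time.now - 86_400, ca: true)
NEW_ROOT = issue('Example Root', ROOT_KEY, Time.now + 365 * 86_400, ca: true)
LEAF = issue('bts.example', LEAF_KEY, Time.now + 90 * 86_400, issuer: OLD_ROOT, issuer_key: ROOT_KEY)
STALE_BUNDLE = OLD_ROOT.to_pem
FRESH_BUNDLE = NEW_ROOT.to_pem

puts "stale bundle: #{verdict(LEAF, STALE_BUNDLE)}, expired: #{expired_subjects(STALE_BUNDLE)}"
puts "fresh bundle: #{verdict(LEAF, FRESH_BUNDLE)}"
```

Running expired_subjects over the PEM file a library ships is a quick audit for this class of bug.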


Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-05 Thread Diederik de Haas
On Tuesday, 5 October 2021 18:45:39 CEST Francesco Poli wrote:
> > I ran 'reportbug apt-listbugs' and so I found this bug. It also shows
> > 995432. (I usually use the web interface to see whether 'my' issue has
> > already been found, but it doesn't show up there)
> 
> For the record, this bug report is not currently assigned to
> apt-listbugs, it only affects apt-listbugs.
> 
> That's why it does not show up on
>  ugs>
> 
> However, it shows up on
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=apt-listbugs;dist=unstable

Thanks.
My starting point is always https://tracker.debian.org/pkg/ and then you
get the former URL. When I don't see a bug for my new issue, I start reportbug.
Due to this bug I noticed a/the difference and I hadn't realized that before.
I wasn't aware of the latter URL, which seems more useful for my use case :-)

Cheers,
  Diederik



Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-05 Thread Francesco Poli
On Tue, 05 Oct 2021 11:55:25 +0200 Diederik de Haas wrote:

[...]
> I ran 
> 'reportbug apt-listbugs' and so I found this bug. It also shows 995432.
> (I usually use the web interface to see whether 'my' issue has already been 
> found, but it doesn't show up there)

For the record, this bug report is not currently assigned to
apt-listbugs, it only affects apt-listbugs.

That's why it does not show up on


However, it shows up on
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=apt-listbugs;dist=unstable


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-05 Thread Diederik de Haas
On Fri, 1 Oct 2021 15:19:48 -0300 Antonio Terceiro wrote:
> On Fri, Oct 01, 2021 at 07:43:35PM +0200, Michael Biebl wrote:
> > On 01.10.21 at 19:27, Antonio Terceiro wrote:
> > > I tracked this down to an issue between apt-listbugs (or ruby-soap4r, or
> > > something else below that) and apt-cacher-ng. If I disable
> > > apt-cacher-ng, apt-listbugs works fine. However trying to make other
> > > clients go for bugs.debian.org through apt-cacher-ng work fine (e.g.
> > > curl), so maybe this is not even caused by apt-cacher-ng itself.
> > 
> > I'm seeing the same issue and I'm also running apt-cacher-ng
> 
> FWIW for now I'm working around this issue like this:
> 
> File: /etc/apt/apt.conf.d/apt-listbugs-noproxy.conf
> 
>     # FIXME
>     Acquire::http::Proxy::bugs.debian.org DIRECT;

I've been having this issue too and I'm also using apt-cacher-ng.

Assuming it was actually caused by ca-certificates, I responded to a bug there:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995432#20

I _think_ that my 'dpkg-reconfigure ca-certificates' and manually deselecting 
"mozilla/DST_Root_CA_X3.crt" already does what an update to the ca-certificates 
package will do. I did that action on my PC.
Assuming there was more to it than an update to ca-certificates, I ran 
'reportbug apt-listbugs' and so I found this bug. It also shows 995432.
(I usually use the web interface to see whether 'my' issue has already been 
found, but it doesn't show up there)

Seeing that apt-cacher-ng (CC-ed) was a common factor, I did 'dpkg-reconfigure 
ca-certificates' on the machine that's running apt-cacher-ng for my LAN. 
Restarted the apt-cacher-ng service and updated another machine in my LAN 
(with apt-listbugs installed) and got the issue there too.
Then I disabled the use of apt-cacher-ng on that machine and installed a 
package and that succeeded.
Then enabled the use of apt-cacher-ng again and also applied Antonio's 
workaround and installed a new package and that succeeded as well.

IOW: +1 on the existence of this bug and +1 on Antonio's analyses.

HTH,
  Diederik



Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-01 Thread Antonio Terceiro
On Fri, Oct 01, 2021 at 07:43:35PM +0200, Michael Biebl wrote:
> On 01.10.21 at 19:27, Antonio Terceiro wrote:
> > I tracked this down to an issue between apt-listbugs (or ruby-soap4r, or
> > something else below that) and apt-cacher-ng. If I disable
> > apt-cacher-ng, apt-listbugs works fine. However trying to make other
> > clients go for bugs.debian.org through apt-cacher-ng work fine (e.g.
> > curl), so maybe this is not even caused by apt-cacher-ng itself.
> 
> I'm seeing the same issue and I'm also running apt-cacher-ng

FWIW for now I'm working around this issue like this:

File: /etc/apt/apt.conf.d/apt-listbugs-noproxy.conf

    # FIXME
    Acquire::http::Proxy::bugs.debian.org DIRECT;




Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-01 Thread Antonio Terceiro
On Fri, Oct 01, 2021 at 05:42:32PM +0200, Francesco Poli wrote:
> > Versions of packages apt-listbugs depends on:
> > ii  apt             2.3.9
> > ii  ruby            1:2.7+2
> > pn  ruby-debian
> > pn  ruby-gettext
> > ii  ruby-soap4r     2.0.5-5
> > pn  ruby-unicode
> > pn  ruby-xmlparser
> [...]
> 
> By the way, is this information accurate?
> Do you really miss some of the dependencies of apt-listbugs on your
> system (which would be a broken system)? Or is it just that you purged
> apt-listbugs, before filing the bug report?

BTW, no, this must be a bug in reportbug. I have:

$ dpkg-query --show apt ruby ruby-debian ruby-gettext ruby-soap4r ruby-unicode ruby-xmlparser
apt                   2.3.9
ruby                  1:2.7+2
ruby-debian           0.3.10+b4
ruby-gettext          3.3.3-2
ruby-soap4r           2.0.5-5
ruby-unicode          0.4.4.4-1+b1
ruby-xmlparser:amd64  0.7.3-4




Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-01 Thread Michael Biebl

On 01.10.21 at 19:27, Antonio Terceiro wrote:
> I tracked this down to an issue between apt-listbugs (or ruby-soap4r, or
> something else below that) and apt-cacher-ng. If I disable
> apt-cacher-ng, apt-listbugs works fine. However trying to make other
> clients go for bugs.debian.org through apt-cacher-ng work fine (e.g.
> curl), so maybe this is not even caused by apt-cacher-ng itself.

I'm seeing the same issue and I'm also running apt-cacher-ng







Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-01 Thread Antonio Terceiro
Control: affects -1 apt-listbugs

On Fri, Oct 01, 2021 at 05:42:32PM +0200, Francesco Poli wrote:
> Control: severity -1 important
> Control: tags -1 + unreproducible
> Control: reassign -1 ruby-soap4r 2.0.5-5
> 
> On Fri, 1 Oct 2021 09:23:10 -0300 Antonio Terceiro wrote:
> 
> > Package: apt-listbugs
> > Version: 0.1.35
> > Severity: grave
> > Justification: renders package unusable
> > 
> > Dear Maintainer,
> 
> Hello Antonio!
> Thanks for your bug report.
> 
> > 
> > The old Let's Encrypt root certificate expired recently. Let's Encrypt
> > has moved on from that certificate a long time ago, and in principle
> > only old devices who don't get their CA store updated should be
> > affected.
> > 
> > https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
> > 
> > However, apt-listbugs fails due to an expired certificate, while curl and
> > my web browser can access the BTS just fine:
> > 
> > 8<8<8<-
> > ~$ apt-listbugs list apt-listbugs
> > Retrieving bug reports... 0% Fail
> > Error retrieving bug reports from the server with the following error 
> > message:
> > E: SSL_connect returned=1 errno=0 state=error: certificate verify failed 
> > (certificate has expired)
> > It could be because your network is down, or because of broken proxy 
> > servers, or the BTS server itself is down. Check network configuration and 
> > try again
> > Retry downloading bug information? [Y/n] n
> > Continue the installation anyway? [y/N] n
> > E: Exiting with error
> [...]
> > 8<8<8<-
> > 
> > I can also reproduce this on a clean unstable system.
> 
> I cannot reproduce this issue on my testing systems:
> 
>   $ apt-listbugs list apt-listbugs
>   Retrieving bug reports... Done
>   Parsing Found/Fixed information... Done
>   grave bugs of apt-listbugs (→ ) 
>    b1 - #995448 - apt-listbugs: fails to connect to the BTS - certificate expired
>   Summary:
>    apt-listbugs(1 bug)
> 
> I have just tried on my unstable chroot, as well.
> It works there, too...
> 
> 
> Some points worth noticing:
> 
>  * apt-listbugs does _not_ handle the HTTP connection directly, it uses
>    the ruby-soap4r library (which, in its turn, uses some underlying
>    library to handle the HTTP connection): I am reassigning this bug
>    report down the chain
> 
>  * apt-listbugs does _not_ explicitly force the use of SSL (I am waiting
>    for openssl 3.0.0 to be in unstable for that: see [#792639] for the
>    long story): it just passes an http:// URL to the SOAP library;
>    there must be something else (on your system, or on the network path
>    between your system and the Debian BTS) that switches the connection
>    to HTTPS, otherwise I really do not know what's going on!

I tracked this down to an issue between apt-listbugs (or ruby-soap4r, or
something else below that) and apt-cacher-ng. If I disable
apt-cacher-ng, apt-listbugs works fine. However trying to make other
clients go for bugs.debian.org through apt-cacher-ng work fine (e.g.
curl), so maybe this is not even caused by apt-cacher-ng itself.




Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-01 Thread Francesco Poli
Control: affects -1 + apt-listbugs

I forgot...


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-01 Thread Francesco Poli
Control: severity -1 important
Control: tags -1 + unreproducible
Control: reassign -1 ruby-soap4r 2.0.5-5

On Fri, 1 Oct 2021 09:23:10 -0300 Antonio Terceiro wrote:

> Package: apt-listbugs
> Version: 0.1.35
> Severity: grave
> Justification: renders package unusable
> 
> Dear Maintainer,

Hello Antonio!
Thanks for your bug report.

> 
> The old Let's Encrypt root certificate expired recently. Let's Encrypt
> has moved on from that certificate a long time ago, and in principle
> only old devices who don't get their CA store updated should be
> affected.
> 
> https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
> 
> However, apt-listbugs fails due to an expired certificate, while curl and
> my web browser can access the BTS just fine:
> 
> 8<8<8<-
> ~$ apt-listbugs list apt-listbugs
> Retrieving bug reports... 0% Fail
> Error retrieving bug reports from the server with the following error message:
> E: SSL_connect returned=1 errno=0 state=error: certificate verify failed 
> (certificate has expired)
> It could be because your network is down, or because of broken proxy servers, 
> or the BTS server itself is down. Check network configuration and try again
> Retry downloading bug information? [Y/n] n
> Continue the installation anyway? [y/N] n
> E: Exiting with error
[...]
> 8<8<8<-
> 
> I can also reproduce this on a clean unstable system.

I cannot reproduce this issue on my testing systems:

  $ apt-listbugs list apt-listbugs
  Retrieving bug reports... Done
  Parsing Found/Fixed information... Done
  grave bugs of apt-listbugs (→ ) 
   b1 - #995448 - apt-listbugs: fails to connect to the BTS - certificate expired
  Summary:
   apt-listbugs(1 bug)

I have just tried on my unstable chroot, as well.
It works there, too...


Some points worth noticing:

 * apt-listbugs does _not_ handle the HTTP connection directly, it uses
   the ruby-soap4r library (which, in its turn, uses some underlying
   library to handle the HTTP connection): I am reassigning this bug
   report down the chain

 * apt-listbugs does _not_ explicitly force the use of SSL (I am waiting
   for openssl 3.0.0 to be in unstable for that: see [#792639] for the
   long story): it just passes an http:// URL to the SOAP library;
   there must be something else (on your system, or on the network path
   between your system and the Debian BTS) that switches the connection
   to HTTPS, otherwise I really do not know what's going on!

[#792639]: 

[...]
> Versions of packages apt-listbugs depends on:
> ii  apt             2.3.9
> ii  ruby            1:2.7+2
> pn  ruby-debian
> pn  ruby-gettext
> ii  ruby-soap4r     2.0.5-5
> pn  ruby-unicode
> pn  ruby-xmlparser
[...]

By the way, is this information accurate?
Do you really miss some of the dependencies of apt-listbugs on your
system (which would be a broken system)? Or is it just that you purged
apt-listbugs, before filing the bug report?


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired

2021-10-01 Thread Antonio Terceiro
Package: apt-listbugs
Version: 0.1.35
Severity: grave
Justification: renders package unusable

Dear Maintainer,

The old Let's Encrypt root certificate expired recently. Let's Encrypt
has moved on from that certificate a long time ago, and in principle
only old devices who don't get their CA store updated should be
affected.

https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/

However, apt-listbugs fails due to an expired certificate, while curl and
my web browser can access the BTS just fine:

8<8<8<-
~$ apt-listbugs list apt-listbugs
Retrieving bug reports... 0% Fail
Error retrieving bug reports from the server with the following error message:
E: SSL_connect returned=1 errno=0 state=error: certificate verify failed 
(certificate has expired)
It could be because your network is down, or because of broken proxy servers, 
or the BTS server itself is down. Check network configuration and try again
Retry downloading bug information? [Y/n] n
Continue the installation anyway? [y/N] n
E: Exiting with error
~[1]$ curl -I https://bugs.debian.org/src:apt-listbugs
HTTP/2 302
date: Fri, 01 Oct 2021 12:12:14 GMT
server: Apache
x-content-type-options: nosniff
x-frame-options: sameorigin
referrer-policy: no-referrer
x-xss-protection: 1
permissions-policy: interest-cohort=()
strict-transport-security: max-age=15552000
location: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=apt-listbugs
content-type: text/html; charset=iso-8859-1
8<8<8<-

I can also reproduce this on a clean unstable system.


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (500, 
'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to 
C.UTF-8), LANGUAGE=C.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt-listbugs depends on:
ii  apt             2.3.9
ii  ruby            1:2.7+2
pn  ruby-debian
pn  ruby-gettext
ii  ruby-soap4r     2.0.5-5
pn  ruby-unicode
pn  ruby-xmlparser

Versions of packages apt-listbugs recommends:
ii  ruby-httpclient  2.8.3-3

Versions of packages apt-listbugs suggests:
ii  chromium [www-browser]  93.0.4577.82-1
ii  firefox [www-browser]   92.0-1
ii  reportbug               11.0.0
ii  sensible-utils          0.0.17
ii  w3m [www-browser]       0.5.3+git20210102-6
ii  xdg-utils               1.1.3-4.1

-- no debconf information

