[Freedombox-pkg-team] Bug#961984: pagekite: Embedded SSL certificate expired

Petter Reinholdtsen pere at hungry.com
Mon Jun 1 14:55:07 BST 2020


Package: pagekite
Version: 0.5.6d-1
Severity: serious

Pagekite on my freedombox stopped working a few days ago.  After restart
I noticed this in the pagekite log from systemd:

mai 31 09:42:58 freedombox-betzy pagekite[3982]: ts=5ed36002; t=2020-05-31T07:42:58; ll=31; info=Failed to connect; FE=2a01:4f9:c010:ba1::1:443
mai 31 09:42:59 freedombox-betzy pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=32; err=Error in connect: Traceback (most recent call last):   File "/usr/lib/python2.7/dist-packages/pagekite/proto/conns.py", line 475, in _BackEnd     data, parse = self._Connect(server, conns)   File "/usr/lib/python2.7/dist-packages/pagekite/proto/conns.py", line 335, in _Connect     self.fd.connect((sspec[0], int(sspec[1])))   File "/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 1017, in connect     anonymous=(proxy[P_TYPE] == PROXY_TYPE_SSL_ANON))   File "/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 929, in __negotiatessl     connected=True, verify_names=want_hosts)   File "/usr/lib/python2.7/dist-packages/sockschain/__init__.py", line 118, in SSL_Connect     if verify_names: nsock.do_handshake()   File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake     self._raise_ssl_error(self._ssl, result)   File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error     _raise_current_error()   File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue     raise exception_type(errors) Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
mai 31 09:42:59 freedombox-betzy pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=33; err=Server response parsing failed: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]; id=s1
mai 31 09:42:59 freedombox-betzy pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=34; eof=1; id=s1
mai 31 09:42:59 freedombox-betzy pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=35; info=Failed to connect; FE=95.216.158.189:443

I've been in contact with upstream, who pointed me to 
<URL: https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/ >
explaining the situation.  Sunil is on the case to fix this.  A
workaround is to tell pagekite to use the Debian CA bundle.

I picked a very old version number, as this issue would be present also
in older Debian versions.  I ran into it using Buster (version
0.5.9.3-2), but it is also present in testing and unstable, and probably
every existing pagekite except the latest upstream version.

Setting severity serious as this breaks the default installation of
pagekite.

-- 
Happy hacking
Petter Reinholdtsen
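
Added example (not part of the original report and not pagekite's own code): a small Python triage of journal lines in the format quoted above, separating certificate-verification failures from other connect failures. The sample lines, host name and front-end addresses are constructed.

```python
import re

# Constructed sample in the shape of the journal excerpt above; the host name
# and the front-end addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
mai 31 09:42:58 box pagekite[3982]: ts=5ed36002; t=2020-05-31T07:42:58; ll=31; info=Failed to connect; FE=2001:db8::1:443
mai 31 09:42:59 box pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=32; err=Error in connect: Traceback (most recent call last): ... Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
mai 31 09:42:59 box pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=33; err=Server response parsing failed: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]; id=s1
mai 31 09:42:59 box pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=34; eof=1; id=s1
mai 31 09:42:59 box pagekite[3982]: ts=5ed36003; t=2020-05-31T07:42:59; ll=35; info=Failed to connect; FE=192.0.2.10:443
mai 31 09:43:00 box systemd[1]: Started Some Other Unit.
"""

RECORD = re.compile(r"pagekite\[\d+\]: (.*)$")
# A value runs until the next "; key=" or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=; \w+=|$)")


def parse_line(line):
    """Return the key=value fields of one pagekite journal line, else None."""
    match = RECORD.search(line)
    return dict(FIELD.findall(match.group(1))) if match else None


def split_frontend(fe):
    """Split 'host:port'; IPv6 hosts are logged unbracketed, so use the last colon."""
    host, _, port = fe.rpartition(":")
    return host, int(port)


def triage(log_text):
    """Separate certificate-verification failures from other connect failures."""
    frontends, tls_errors = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a pagekite record
        if rec.get("info") == "Failed to connect" and "FE" in rec:
            frontends.append(split_frontend(rec["FE"]))
        if "certificate verify failed" in rec.get("err", ""):
            tls_errors += 1
    if tls_errors:
        cause = "certificate-verification"
    elif frontends:
        cause = "network-or-other"
    else:
        cause = "none"
    return {"cause": cause, "tls_errors": tls_errors, "failed_frontends": frontends}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `certificate-verification` result points at the trust store or the server certificate rather than at connectivity, which is the distinction that matters for the workaround mentioned in the report.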


