[DRE-maint] Bug#995448: apt-listbugs: fails to connect to the BTS - certificate expired
Francesco Poli
invernomuto at paranoici.org
Fri Oct 1 16:42:32 BST 2021
Control: severity -1 important
Control: tags -1 + unreproducible
Control: reassign -1 ruby-soap4r 2.0.5-5
On Fri, 1 Oct 2021 09:23:10 -0300 Antonio Terceiro wrote:
> Package: apt-listbugs
> Version: 0.1.35
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
Hello Antonio!
Thanks for your bug report.
>
> The old Let's Encrypt root certificate expired recently. Let's Encrypt
> has moved on from that certificate a long time ago, and in principle
> only old devices who don't get their CA store updated should be
> affected.
>
> https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
>
> However, apt-listbugs fails due to a expired certificate, while curl and
> my web browser can access the BTS just fine:
>
> ----------------8<----------------8<----------------8<-----------------
> ~$ apt-listbugs list apt-listbugs
> Retrieving bug reports... 0% Fail
> Error retrieving bug reports from the server with the following error message:
> E: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
> It could be because your network is down, or because of broken proxy servers, or the BTS server itself is down. Check network configuration and try again
> Retry downloading bug information? [Y/n] n
> Continue the installation anyway? [y/N] n
> E: Exiting with error
[...]
> ----------------8<----------------8<----------------8<-----------------
>
> I can also reproduce this on a clean unstable system.
I cannot reproduce this issue on my testing systems:
$ apt-listbugs list apt-listbugs
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
grave bugs of apt-listbugs (→ ) <Outstanding>
b1 - #995448 - apt-listbugs: fails to connect to the BTS - certificate expired
Summary:
apt-listbugs(1 bug)
I have just tried on my unstable chroot, as well.
It works there, too...
Some points worth noticing:
* apt-listbugs does _not_ handle the HTTP connection directly, it uses
the ruby-soap4r library (which, in its turn, uses some underlying
library to handle the HTTP connection): I am reassigning this bug
report down the chain
* apt-listbugs does _not_ explicitly force the use of SSL (I am waiting
for openssl 3.0.0 to be in unstable for that: see [#792639] for the
long story): it just passes an http:// URL to the SOAP library;
there must be something else (on your system, or on the network path
between your system and the Debian BTS) that switches the connection
to HTTPS, otherwise I really do not know what's going on!
[#792639]: <https://bugs.debian.org/792639>
[...]
> Versions of packages apt-listbugs depends on:
> ii apt 2.3.9
> ii ruby 1:2.7+2
> pn ruby-debian <none>
> pn ruby-gettext <none>
> ii ruby-soap4r 2.0.5-5
> pn ruby-unicode <none>
> pn ruby-xmlparser <none>
[...]
By the way, is this information accurate?
Do you really miss some of the dependencies of apt-listbugs on your
system (which would be a broken system)? Or is it just that you purged
apt-listbugs, before filing the bug report?
--
http://www.inventati.org/frx/
There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20211001/fc3ad098/attachment-0001.sig>
More information about the Pkg-ruby-extras-maintainers
mailing list