Unable to update from Passenger repo on Ubuntu 14.04


dhe...@gmail.com

Sep 19, 2016, 11:03:23 AM
to Phusion Passenger Discussions
Anyone know how to fix this? My passenger updates are failing on all my Ubuntu 14.04 hosts. The internet thought it may be related to git so I recompiled git but still get the error. 

Ign https://oss-binaries.phusionpassenger.com trusty/main Translation-en
Err https://oss-binaries.phusionpassenger.com trusty/main amd64 Packages
  gnutls_handshake() failed: A TLS packet with unexpected length was received.
Err https://oss-binaries.phusionpassenger.com trusty/main i386 Packages
  gnutls_handshake() failed: A TLS packet with unexpected length was received.
Fetched 3232 kB in 13s (237 kB/s)
W: Failed to fetch https://oss-binaries.phusionpassenger.com/apt/passenger/dists/trusty/main/binary-amd64/Packages: gnutls_handshake() failed: A TLS packet with unexpected length was received.
W: Failed to fetch https://oss-binaries.phusionpassenger.com/apt/passenger/dists/trusty/main/binary-i386/Packages: gnutls_handshake() failed: A TLS packet with unexpected length was received.
E: Some index files failed to download. They have been ignored, or old ones used instead.
E: Couldn't rebuild package cache



Daniel Knoppel

Sep 19, 2016, 11:32:02 AM
to Phusion Passenger Discussions
Git is not used for installing/updating, so it's not related.

It looks like you are updating through apt, which also uses openssl. You should verify that your install matches what the official guide describes: www.phusionpassenger.com/library/install/install/

It could also be something like a bad web proxy / firewall setting.

- Daniel

dhe...@gmail.com

Sep 19, 2016, 3:06:52 PM
to phusion-...@googlegroups.com


On Monday, September 19, 2016 at 10:32:02 AM UTC-5, Daniel Knoppel wrote:
Git is not used for installing/updating, so it's not related.

It looks like you are updating through apt, which also uses openssl. You should verify that your install matches what the official guide describes: www.phusionpassenger.com/library/install/install/

It could also be something like a bad web proxy / firewall setting.

- Daniel

 
EDIT2: Never mind... The apt repo is telling it to go to https://oss-binaries.phusionpassenger.com/apt/passenger which is correct on the cert. I thought the DNS PTR and A records had to match for HTTPS to work correctly but that's not the case. Noooo idea where this TLS error is coming from.

EDIT: 
*facepalm* my mistake on the IP (of course it doesn't match the hostname). I had also tried "juvia-helper.phusion.nl" which is what I get from DNS for that IP.  

Quite sure I've installed to the letter per the directions at the link above.  I ran conntrack to see where apt was going when it hit https://oss-binaries.phusionpassenger.com/apt/passenger and found it was trying to contact 109.107.35.58. When I connect to that IP using HTTPS in Firefox, I get a cert warning "SSL_ERROR_BAD_CERT_DOMAIN".  Would transparent proxying cause this error?  Even with HTTPS?
 





Daniel Knoppel

Sep 20, 2016, 5:58:43 AM
to Phusion Passenger Discussions
Yeah, going by IP isn't supposed to work. 

So you can go to https://oss-binaries.phusionpassenger.com/apt/passenger with Firefox and no error, right? And are you using a proxy or not (e.g. in /etc/apt/apt.conf)? Have you tried to clean apt (sudo apt-get clean; sudo apt-get update)?

- Daniel

dhe...@gmail.com

Sep 20, 2016, 9:19:50 AM
to Phusion Passenger Discussions


On Tuesday, September 20, 2016 at 4:58:43 AM UTC-5, Daniel Knoppel wrote:
Yeah, going by IP isn't supposed to work. 

So you can go to https://oss-binaries.phusionpassenger.com/apt/passenger with Firefox and no error, right? And are you using a proxy or not (e.g. in /etc/apt/apt.conf)? Have you tried to clean apt (sudo apt-get clean; sudo apt-get update)?


Correct. Firefox loads the page at https://oss-binaries.phusionpassenger.com/apt/passenger just fine. I have tried apt-clean (completes normally fwiw) but apt-get update throws the original TLS packet error. I've attached a tcpdump of the session while trying apt-get update. I have never seen a problem like this before, but there are many issues on the internet concerning this "unexpected length" error with gnutls. I'm just not sure where mine is coming from since git is not involved. 

Hrm.. Is there an apt repo for  passenger using HTTP instead of HTTPS?  That would help immensely.




apt.txt

Daniel Knoppel

Sep 20, 2016, 9:37:07 AM
to Phusion Passenger Discussions
You still haven't confirmed whether you're using a proxy or not....?

There is no HTTP access because that would be very insecure, anyone 'in the middle' could use that to install malicious software on your system.

- Daniel
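
The proxy question asked twice above can be answered from apt's own effective configuration rather than by reading /etc/apt/apt.conf by hand. The following is an added example, not part of the thread or of Passenger's documentation: the function names, the proxy host `proxy.example.internal` and the sample configuration are constructed, and the warning lines follow the format of the output quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): triage for apt TLS handshake failures.

# Constructed sample in the format printed by `apt-config dump`.
SAMPLE_DUMP='APT::Architecture "amd64";
Acquire::http::Proxy "http://proxy.example.internal:3128";
Acquire::https::Proxy::oss-binaries.phusionpassenger.com "DIRECT";
Dir::Etc "etc/apt";'

# Warning lines in the format of the apt-get update output quoted in the thread.
SAMPLE_UPDATE='W: Failed to fetch https://oss-binaries.phusionpassenger.com/apt/passenger/dists/trusty/main/binary-amd64/Packages: gnutls_handshake() failed: A TLS packet with unexpected length was received.
W: Failed to fetch https://oss-binaries.phusionpassenger.com/apt/passenger/dists/trusty/main/binary-i386/Packages: gnutls_handshake() failed: A TLS packet with unexpected length was received.
E: Some index files failed to download. They have been ignored, or old ones used instead.'

# Print "key value" for every non-empty Acquire::http/https proxy directive,
# including per-host overrides, read from `apt-config dump` text on stdin.
find_apt_proxies() {
    sed -n -E 's/^(Acquire::https?::Proxy(::[^ ]+)?) "(.+)";$/\1 \3/p'
}

# Print the unique hostnames whose fetch failed in gnutls_handshake(),
# read from apt-get update output on stdin.
tls_failed_hosts() {
    sed -n -E 's#^W: Failed to fetch https://([^/ ]+)/.*gnutls_handshake\(\) failed.*#\1#p' | sort -u
}

# For each failing host, list the proxy directives present in apt's config.
triage() {   # $1 = apt-config dump text, $2 = apt-get update output
    proxies=$(printf '%s\n' "$1" | find_apt_proxies)
    for host in $(printf '%s\n' "$2" | tls_failed_hosts); do
        echo "TLS handshake failed: $host"
        if [ -n "$proxies" ]; then
            printf '%s\n' "$proxies" | sed 's/^/  apt proxy directive: /'
        else
            echo "  no proxy directive in apt configuration"
        fi
    done
}

# Demonstration on the constructed samples.
triage "$SAMPLE_DUMP" "$SAMPLE_UPDATE"
# On a real host: triage "$(apt-config dump)" "$(sudo apt-get update 2>&1)"
```

If no directive is listed, the remaining places to look are the `http_proxy` environment variable (documented in apt.conf(5)) and equipment upstream of the host.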

dhe...@gmail.com

Sep 20, 2016, 9:57:31 AM
to Phusion Passenger Discussions


On Tuesday, September 20, 2016 at 8:37:07 AM UTC-5, Daniel Knoppel wrote:
You still haven't confirmed whether you're using a proxy or not....?

There is no HTTP access because that would be very insecure, anyone 'in the middle' could use that to install malicious software on your system.


Doesn't the key signing/verification process mitigate any package install tampering? Apologies for not clarifying - I am not using any HTTP proxies. There was an upgrade to some firewall equipment a few weeks ago (upstream/corporate) but I am not certain what was done. I am going to try routing my server out through a different internet connection and see if that helps.

dhe...@gmail.com

Sep 20, 2016, 10:27:21 AM
to phusion-...@googlegroups.com



On Tuesday, September 20, 2016 at 8:37:07 AM UTC-5, Daniel Knoppel wrote:
You still haven't confirmed whether you're using a proxy or not....?

There is no HTTP access because that would be very insecure, anyone 'in the middle' could use that to install malicious software on your system.



Just tried Chrome and it seems to show some sort of problem involving SHA1 in the web certificate. Strange that Firefox didn't catch it. https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know

Daniel Knoppel

Sep 22, 2016, 2:47:41 AM
to Phusion Passenger Discussions
Yes, we know about the SHA1 signature, but that's only a warning and not related to your TLS issue AFAIK (my Ubuntu 14.04 can update just fine).

This particular cert is/was necessary because old Passenger versions are locked to it (we'll deprecate it sometime in the near future).

- Daniel

dhe...@gmail.com

Sep 22, 2016, 9:44:07 AM
to phusion-...@googlegroups.com
I emailed our NOC a couple of days ago to ask if they are running any kind of process that may be breaking this but haven't heard back yet. In the meantime, I tested upstream by routing the server out through a Wi-Fi connection from a laptop and it worked. Baffling. I can get Firefox and Chrome to connect to the passenger site just fine, albeit with warnings. As soon as apt goes to connect there, the connection looks like it gets cut (looking at tcpdump). Possibly an upstream browser header + cert inspection going on at my gateway. I don't know. If it's working fine on 14.04 for you then may as well mark this as complete. Thanks for all your input.