
Bug #13614

ssl certificate issues from download.ceph.com on trusty

Added by Alfredo Deza over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):

Description

This was a similar issue for wheezy, but trusty suffers from the same problem:

[node1][WARNIN] W: Failed to fetch https://download.ceph.com/debian-hammer/dists/trusty/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
[node1][WARNIN]
[node1][WARNIN] W: Failed to fetch https://download.ceph.com/debian-hammer/dists/trusty/main/binary-i386/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
[node1][WARNIN]
[node1][WARNIN] E: Some index files failed to download. They have been ignored, or old ones used instead.
[node1][ERROR ] RuntimeError: command returned non-zero exit status: 100
[ceph_deploy][ERROR ] RuntimeError: Failed to execute command: env DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get --assume-yes -q update

In the case of wheezy, ceph-deploy uses http. After making changes to use http for trusty when getting download.ceph.com packages it all worked again.

History

#1 Updated by Alfredo Deza over 8 years ago

Related pull request that demonstrated the issue with wheezy: https://github.com/ceph/ceph-deploy/pull/364

#2 Updated by Alfredo Deza over 8 years ago

Reinstalling certificates or attempting to get the newest ones possible didn't fix the issue:

sudo apt-get install --reinstall ca-certificates

#3 Updated by Ken Dreyer over 8 years ago

I wish I knew what was happening here. The web server is sending the full certificate chain:

$ openssl s_client -connect download.ceph.com:443 < /dev/null 2>&1 | perl -0777 -nle 'print for m/(Certificate chain.*?)---/s'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Provided by New Dream Network, LLC/OU=DreamHost Basic SSL/CN=download.ceph.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

And curl on Trusty can validate the certificate fine:

ubuntu@kdreyer-trusty:~$ curl -v -I https://download.ceph.com
* Rebuilt URL to: https://download.ceph.com/
* Hostname was NOT found in DNS cache
*   Trying 173.236.253.173...
* Connected to download.ceph.com (173.236.253.173) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*      subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=download.ceph.com
*      start date: 2015-09-18 00:00:00 GMT
*      expire date: 2016-09-17 23:59:59 GMT
*      subjectAltName: download.ceph.com matched
*      issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*      SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: download.ceph.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 27 Oct 2015 14:00:17 GMT
Date: Tue, 27 Oct 2015 14:00:17 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
Server: Apache/2.4.7 (Ubuntu)
< Content-Type: text/html;charset=UTF-8
Content-Type: text/html;charset=UTF-8

< 
* Connection #0 to host download.ceph.com left intact

Here are my versions:

$ dpkg -s curl | grep Version
Version: 7.35.0-1ubuntu2.5
$ dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.15
$ dpkg -s ca-certificates | grep Version
Version: 20141019ubuntu0.14.04.1

#4 Updated by Ken Dreyer over 8 years ago

  • Status changed from New to Resolved
  • Assignee changed from Alfredo Deza to Ken Dreyer

The problem was that download.ceph.com was sending a certificate chain that Trusty's apt-get was unable to fully verify.

On download.ceph.com, I edited /etc/ssl/certs/comodo.pem and replaced its contents with the contents from "comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle (4.07 KB)" from https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2 (which was linked from https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/1/, under "ComodoSSL" and "COMODO RSA Domain Validation Secure Server CA").

This fixed the cert validation issue for apt-get in my experiment with Trusty.

Please re-open if you still see HTTPS certificate problems on Trusty.
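The chain listing in comment #3 and the diagnosis in comment #4 can be checked mechanically. The script below is an added example and is not part of this ticket or of ceph-deploy. It parses the "Certificate chain" block that `openssl s_client` prints (the sample text is copied from comment #3), reports each place where the server's ordering breaks the rule that every certificate must be followed by its issuer, and then walks the issuer links from the leaf to show the order a well-formed chain would have. The function names (`parse_chain`, `ordering_problems`, `reorder_chain`) are the example's own.

```python
"""Check the ordering of a server-sent certificate chain as listed by
`openssl s_client`.  Added example for this ticket; not ceph-deploy code."""
import re
from dataclasses import dataclass

# Constructed input: the "Certificate chain" block quoted in comment #3.
CHAIN_TEXT = """Certificate chain
 0 s:/OU=Domain Control Validated/OU=Provided by New Dream Network, LLC/OU=DreamHost Basic SSL/CN=download.ceph.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
"""


@dataclass
class ChainEntry:
    index: int    # position in the chain as sent by the server (0 = leaf)
    subject: str  # subject DN exactly as s_client prints it
    issuer: str   # issuer DN exactly as s_client prints it


# One entry spans two lines: " N s:<subject>" followed by "   i:<issuer>".
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s+i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Turn the s_client chain listing into a list of ChainEntry objects."""
    return [ChainEntry(int(i), s.strip(), iss.strip())
            for i, s, iss in _ENTRY_RE.findall(text)]


def cn(dn):
    """Short display name for a DN: its CN component, or the whole DN."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else dn


def ordering_problems(entries):
    """Strict check: certificate k must be issued by certificate k+1.
    Returns one message per broken link (empty list = well-ordered)."""
    problems = []
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            problems.append(
                f"cert {cur.index} is issued by '{cn(cur.issuer)}' "
                f"but is followed by '{cn(nxt.subject)}' (cert {nxt.index})")
    return problems


def reorder_chain(entries):
    """Follow issuer -> subject links starting from the leaf (cert 0).
    Returns (index order a well-formed chain would have, indexes that
    could not be linked from the leaf).  The walk stops when an issuer is
    not present in the chain, which is normal for the trust-store root."""
    by_subject = {e.subject: e for e in entries}
    order, seen = [], set()
    cur = entries[0] if entries else None
    while cur is not None and cur.index not in seen:
        seen.add(cur.index)
        order.append(cur.index)
        cur = by_subject.get(cur.issuer)
    unlinked = [e.index for e in entries if e.index not in seen]
    return order, unlinked


def main():
    entries = parse_chain(CHAIN_TEXT)
    for e in entries:
        print(f"{e.index}: {cn(e.subject)}  <- issued by {cn(e.issuer)}")
    for p in ordering_problems(entries):
        print("PROBLEM:", p)
    order, unlinked = reorder_chain(entries)
    print("well-formed order would be:", order, "unlinked:", unlinked)


if __name__ == "__main__":
    main()
```

Run against the ticket's chain this reports two broken links (cert 0 is not followed by its issuer, and cert 1 is not the issuer of anything that precedes it) and a well-formed order of 0, 2, 1: the intermediate that signed the leaf was sent last. TLS clients differ in how strictly they apply that ordering, which is consistent with curl validating the same chain that apt-get rejected; fixing the order of the intermediates on the server, as comment #4 did, is the change that satisfies every client.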
