Bug #13614
ssl certificate issues from download.ceph.com on trusty
Description
This was a similar issue for wheezy, but trusty suffers from the same problem:
[node1][WARNIN] W: Failed to fetch https://download.ceph.com/debian-hammer/dists/trusty/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
[node1][WARNIN]
[node1][WARNIN] W: Failed to fetch https://download.ceph.com/debian-hammer/dists/trusty/main/binary-i386/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
[node1][WARNIN]
[node1][WARNIN] E: Some index files failed to download. They have been ignored, or old ones used instead.
[node1][ERROR ] RuntimeError: command returned non-zero exit status: 100
[ceph_deploy][ERROR ] RuntimeError: Failed to execute command: env DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get --assume-yes -q update
In the case of wheezy, ceph-deploy uses http. After making changes to use http for trusty when getting download.ceph.com packages it all worked again.
History
#1 Updated by Alfredo Deza over 8 years ago
Related pull request that demonstrated the issue with wheezy: https://github.com/ceph/ceph-deploy/pull/364
#2 Updated by Alfredo Deza over 8 years ago
Reinstalling certificates or attempting to get the newest ones possible didn't fix the issue:
sudo apt-get install --reinstall ca-certificates
#3 Updated by Ken Dreyer over 8 years ago
I wish I knew what was happening here. The web server is sending the full certificate chain:
$ openssl s_client -connect download.ceph.com:443 < /dev/null 2>&1 | perl -0777 -nle 'print for m/(Certificate chain.*?)---/s'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Provided by New Dream Network, LLC/OU=DreamHost Basic SSL/CN=download.ceph.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
And curl on Trusty can validate the certificate fine:
ubuntu@kdreyer-trusty:~$ curl -v -I https://download.ceph.com
* Rebuilt URL to: https://download.ceph.com/
* Hostname was NOT found in DNS cache
*   Trying 173.236.253.173...
* Connected to download.ceph.com (173.236.253.173) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=download.ceph.com
*    start date: 2015-09-18 00:00:00 GMT
*    expire date: 2016-09-17 23:59:59 GMT
*    subjectAltName: download.ceph.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*    SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: download.ceph.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 27 Oct 2015 14:00:17 GMT
Date: Tue, 27 Oct 2015 14:00:17 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
Server: Apache/2.4.7 (Ubuntu)
< Content-Type: text/html;charset=UTF-8
Content-Type: text/html;charset=UTF-8
<
* Connection #0 to host download.ceph.com left intact
Here are my versions:
$ dpkg -s curl | grep Version
Version: 7.35.0-1ubuntu2.5
$ dpkg -s openssl | grep Version
Version: 1.0.1f-1ubuntu2.15
$ dpkg -s ca-certificates | grep Version
Version: 20141019ubuntu0.14.04.1
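As an added example (not part of this tracker thread or of ceph-deploy), a small Python checker for the chain quoted in note #3: as printed, position 1 is the cross-signed COMODO RSA CA and position 2 is the intermediate that actually issued the leaf, which breaks the RFC 5246 rule that each certificate be followed by the one that signed it. OpenSSL-based curl builds the path from the certificates in any order, while a client that walks the list as sent cannot. The parser assumes the `s:`/`i:` layout of `openssl s_client` output.

```python
import re

# Chain exactly as `openssl s_client` printed it in note #3 (copied from
# the report, not re-fetched): entry 2 issued the leaf but is sent last.
CEPH_CHAIN = """Certificate chain
 0 s:/OU=Domain Control Validated/OU=Provided by New Dream Network, LLC/OU=DreamHost Basic SSL/CN=download.ceph.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
"""

# One entry per certificate: index, the "s:" subject line, the "i:" issuer line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(index, subject, issuer), ...] in the order the server sent them."""
    return [(int(n), s.strip(), i.strip()) for n, s, i in ENTRY.findall(text)]


def chain_gaps(chain):
    """Indices k where cert k's issuer is not cert k+1's subject.

    RFC 5246 7.4.2 requires each certificate to be followed by its signer.
    The last certificate is exempt: its issuer may be a root that lives only
    in the client's trust store (e.g. /etc/ssl/certs)."""
    return [k for (k, _s, issuer), (_n, subj, _i) in zip(chain, chain[1:])
            if issuer != subj]


def reorder(chain):
    """Rebuild RFC 5246 order from the leaf by following issuer -> subject.

    Certificates no link reaches are dropped; a self-signed root ends the
    walk because it would point at itself."""
    by_subject = {entry[1]: entry for entry in chain}
    ordered, cur = [], chain[0]
    while cur is not None and cur not in ordered:
        ordered.append(cur)
        cur = by_subject.get(cur[2])
    return ordered


if __name__ == "__main__":
    sent = parse_chain(CEPH_CHAIN)
    print("gaps in served order:", chain_gaps(sent))         # [0, 1]
    print("RFC 5246 order:", [c[0] for c in reorder(sent)])  # [0, 2, 1]
```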
#4 Updated by Ken Dreyer over 8 years ago
- Status changed from New to Resolved
- Assignee changed from Alfredo Deza to Ken Dreyer
The problem was that download.ceph.com was sending a certificate chain that Trusty's apt-get was unable to fully verify.
On download.ceph.com, I edited /etc/ssl/certs/comodo.pem and replaced its contents with the contents from "comodo-rsa-domain-validation-sha-2-intermediates.ca-bundle (4.07 KB)" from https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2 (which was linked from https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/1/, under "ComodoSSL" and "COMODO RSA Domain Validation Secure Server CA").
This fixed the cert validation issue for apt-get in my experiment with Trusty.
Please re-open if you still see HTTPS certificate problems on Trusty.