FS#28259 - https://aur.archlinux.org/ no longer loads
Attached to Project:
AUR web interface
Opened by cfr (cfr42) - Sunday, 05 February 2012, 02:57 GMT
Last edited by Lukas Fleischer (lfleischer) - Thursday, 01 November 2012, 00:03 GMT
Details
For the past few days, I've gotten errors anytime I tried to access, view or search https://aur.archlinux.org/. I discovered this because it breaks aurget but the problem is much more general e.g. Firefox is unable to load the page.
This is specific to this site as far as I can tell. I can access AUR over http. I can also load other SSL pages just fine e.g. https://bugs.archlinux.org/newtask/proj2. I've been through my logs and can't even see an acknowledgement of the error. (I tried running aurget and looking for something matching the time.)
With aurget, I get the following error from curl:
curl: (35) Unknown SSL protocol error in connection to aur.archlinux.org:443
With Firefox, I get an error printed in Welsh. I use Welsh because I'm trying to learn it which isn't maximally useful in this case, but my Welsh can manage most of this and I've a dictionary to hand so here's an attempted translation:
Cafodd y cysylltiad ei darfu - The connection was "scattered". (That's what my dictionary says for 'tarfu' which is mutated to 'darfu' here. I guess "interrupted" or "broken" might be about right.)
Cafodd cysylltiad â aur.archlinux.org ei darfu wrth i'r dudalen lwytho. - The connection with aur.archlinux.org was interrupted/scattered as the page loaded.
Efallai bod y wefan yn brysur neu nad yw ar gael dros dro. Ceisiwch eto ymhen ychydig. - Perhaps the site is busy or not available temporarily. Try again in a little while.
Os nad ydych yn gallu llwytho unrhyw dudalennau, gwiriwch gysylltiad rhwydwaith eich cyfrifiadur. - If you cannot load any pages, verify your computer's network connection.
Os yw eich cyfrifiadur neu rwydwaith wedi ei ddiogelu gan fur cadarn neu ddirprwy, gwnewch yn siŵr fod gan Firefox hawl i fynediad i'r we. - If your computer or network is protected by a firewall or proxy, make sure that Firefox has a right to connect to the web. ('mur cadarn' isn't the term I know for 'firewall' but it literally means 'strong wall' so I think that must be what's meant; 'dirprwy' is another new word which literally means 'delegate' or 'proxy' according to the dictionary so I think it must be 'proxy'.)
Closed by Lukas Fleischer (lfleischer)
Thursday, 01 November 2012, 00:03 GMT
Reason for closing: Fixed
Additional comments about closing: The AUR has been moved to a new server which fixed the issue. Please reopen if the problem persists.
[03:03:22.541] GET https://aur.archlinux.org/ [undefined 20561ms]
aria2: "[SocketCore.cc:915] errorCode=1 SSL initialization failed: The TLS connection was non-properly terminated."
wget: "... connected. Unable to establish SSL connection."
Firefox (-nightly): "The connection was interrupted"
Chromium (-dev): "Error 107 (net::ERR_SSL_PROTOCOL_ERROR)"
(Testing repos enabled)
I tried downgrading ca-certificates, openssl, the kernel, glibc (although only one at a time) without success. Then reinstalled those packages, still without success. Firefox depends only on nss, which as I found doesn't depend on openssl, so I don't understand how both can fail.
Then I tried an Ubuntu 11.10 live cd and curl worked.
I'm back home now and I'm back to the same error.
I thought maybe it was interface related because I used a wired connection to check on campus and almost always use wireless at home. But that's not it. I get the same error with a wired connection at home as I do with wireless.
As others have said, the problem is peculiar to AUR over a secure link. (At least, I've yet to find the same problem with other sites.) I can get AUR insecurely. I can get regular arch, bugs etc. securely. I can get other SSL sites and non-SSL sites.
http://www.archlinux.de/ is fine. So is https://www.archlinux.de/, https://www.archlinux.de/?page=Packages etc. But, then, these are OK on the main site as well. It is only AUR over SSL which is affected.
Is this man-in-the-middle attack plausible? I don't know much about how they work but...
So on the one hand, how can it be my machine when it works on campus?
On the other hand, how can it be anything but my machine when a different machine on the same LAN works?
How about you? Do you use wicd? Does switching to NetworkManager help like it did for me?
After
$> sudo ip link set wlan0 mtu 1500
aur works again.
If it makes sense to anyone, please explain to me why you need to increase the mtu.
# ip link set wlan0 mtu 1500
fixes it (thanks Vandrus!). Also curious why this works.
Also, from home, the machine with Mint is also using wicd and that works OK. (NetworkManager caused problems so is disabled.)
I don't get it, though. Why doesn't my machine need the same fix on campus?
But thanks very much for figuring a work around! Presumably this won't be necessary once the server stuff is looked at and fixed but it is great for now.
I don't know if it's the servers fault. I hope someone who knows these things better can figure out what behaves incorrectly.
I don't know if this is really a wicd thing or not. wicd uses dhcpcd and dhcpcd seems to be set to respect the network MTU setting. However, netcfg and networkmanager also depend on dhcpcd so I'm not sure if they override that setting or if something else is going on.
But if that's right, it would explain some things e.g. why it might work for the same machine on different networks (home network might set MTU lower than campus? don't know why...) It would also explain why some people might not ever see the issue even if using wicd. But I'm not convinced I understand why it works on Mint on my home network unless Mint sets up dhcpcd differently?
I don't have a static ip on campus - I'm using dhcpd there to get an ip from the dhcp server. But if the network has a different default MTU setting, dhcpcd would set the setting to that and it might be OK.
I'm not sure if this behavior started with the latest dhcpcd update or the one of wicd a few days prior to it.
Is the server config for ssl AUR different from the config for other archlinux.org sites over ssl e.g. bugs.archlinux.org etc.? Because we are all happily (well, maybe not quite that) posting on https://bugs.archlinux.org/...
In my case that didn't help. Mtu on my router's admin page is set to 1500, still the dhcp server in my router sends 576 (I can see that in wireshark).
The example config on dhcpcd's webpage (http://roy.marples.name/projects/dhcpcd/wiki/DhcpcdConfig) tells that there are many routers with this problem.
The solution is to comment out the
#option interface_mtu
line in /etc/dhcpcd.conf, which means that dhcpcd will no longer ask the dhcp server for the mtu. I used ping as described on http://muzso.hu/2009/05/17/how-to-determine-the-proper-mtu-size-with-icmp-pings to get the mtu that my ISP uses. That was 1500 in my case.
If it's not 1500 you can set the mtu in dhcpcd.conf by changing the option interface_mtu line to:
static interface_mtu=1480
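The ping method referred to in the comment above, as an added example that is not part of the original thread: a binary search over ICMP payload sizes with the don't-fragment bit set. It assumes Linux iputils `ping`; the function names `probe`, `path_mtu` and `interpret` are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest MTU that reaches a host unfragmented.
# Usage: path_mtu aur.archlinux.org

# probe HOST PAYLOAD: succeeds if one echo of PAYLOAD bytes gets a reply
# with fragmentation forbidden. iputils flags: -M do sets DF, -s payload
# size, -c packet count, -W reply timeout in seconds.
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# path_mtu HOST [MAX_MTU]: prints the largest MTU that passes.
# Returns 1 if even an empty payload gets no reply (host down, ICMP filtered).
path_mtu() {
    host=$1
    overhead=28                        # 20-byte IPv4 header + 8-byte ICMP header
    lo=0                               # largest payload known to pass
    hi=$(( ${2:-1500} - overhead ))    # largest payload worth trying
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + overhead ))
}

# interpret IFACE_MTU FOUND_MTU: says what limited the measurement.
# A DF packet larger than the local interface MTU is rejected by the
# sending host itself, so the search can never exceed the current
# interface setting (read it from /sys/class/net/<iface>/mtu).
interpret() {
    if [ "$2" -ge "$1" ]; then
        echo "capped-by-interface"     # raise the interface MTU and re-run
    else
        echo "path-limit"              # a hop on the path has a smaller MTU
    fi
}
```

A largest passing payload of 548 bytes corresponds to an MTU of 576 (548 + 28); if the interface itself is set to 576, that result reflects the local setting rather than the path.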
I tried to use the ping method to establish the appropriate mtu. The result I get is 548. That's smaller than dhcpcd is setting it anyway. In any case, I'm not sure I should set the static mtu line since I move between different networks which I think have different mtus...
But I'm not quite sure what I'm meant to do to the router so I didn't do anything which may be the problem...
Hopefully something will get changed in the config for aur in the meantime and I won't have to figure this out!
1) my ISP recommends an MTU of 1500;
2) my router does not alter the packets in any way so that it is up to the computers on the LAN to set the MTU.
But if that's so, I don't see where the 576 figure I'm seeing is coming from...
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
When I try to access the site. ip -d link gives
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
so my mtu is 1500. I am unable to access the site using safari on my ipod touch as well so I don't think it is a configuration problem with my archlinux box.
wget https://aur.archlinux.org
--2012-03-06 16:16:05-- https://aur.archlinux.org/
Resolving aur.archlinux.org... 208.92.232.29
Connecting to aur.archlinux.org|208.92.232.29|:443... connected.
Unable to establish SSL connection.
Let me know if any other tests would be useful
Could this option in /etc/dhcpcd.conf have anything to do with it?
# Respect the network MTU.
option interface_mtu
When setting MTU to 1500 it works again.
but I now can access aur.archlinux.org with https. Thanks a lot!
BTW, when I was unable to connect, I tried some online proxy and it worked.
e.g.
$ https_proxy="210006020247.ctinets.com:3128" curl "https://aur.archlinux.org"
This is dangerous as an unknown proxy server snoops your request, so do not try...
ip link set eth0 mtu 1500
cower, burp, aurphan are usable again. The problem first occurred at 2012.06.07 here.
UPDATE: on second thought, I switched ISP some days ago, that is most probably the reason.
To reiterate the problem, https://aur.archlinux.org is completely inaccessible, but the http site is fine.
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Midori says 'SSL handshake failed', tried Firefox and also packer
Link: https://gist.github.com/3550261
Look at the output of ifconfig
So what was the problem?