Ubuntu Trunk Checksum failed

reflexxion

@george1421

Tom Elliott

@reflexxion said:

advice.

What’s your server’s time?

reflexxion

@Tom-Elliott the servers time and date are correct +/- 2 mins

10:55 am EST
3/21/2016

Tom Elliott

@reflexxion Can you ensure they’re correct?

This can be done with

sudo ntpdate pool.ntp.org or sudo service ntp restart

Of course NTP and/or the ntpdate utility will need to be installed.

reflexxion

@Tom-Elliott ran and verified.

Tom Elliott

@reflexxion Now can you try: curl -ko "checksums" https://fogproject.org/inits/index.php

reflexxion

@Tom-Elliott same output as before.

Tom Elliott

@reflexxion Then I don’t know.

Something is wrong with your system. Are you sure it’s supposed to be EST and not EDT? EDT means one hour ahead. That should still be in the write timing for the ssl stuff to work, but I don’t know what’s going on with your system/network.

Something indeed is wrong, but it’s not coming from FOG at all.

reflexxion

Let me do a little more digging on my end and see what I can find out… If I come up with anything I’ll be sure to post it here.

Thanks for all the troubleshooting.

reflexxion

@Tom-Elliott hey Tom, I just re-ran that curl command again without the “https” and it returned data… does that mean it’s an ssl issue?

Tom Elliott

@reflexxion It’s ssl related, but not from FOG’s perspective. Something on your system is blocking ssl requests (or transforming it on reception)

Sebastian Roth

@reflexxion Try openssl s_client -connect fogproject.org:443 (just hit Ctrl-c to get back to the shell) and post the fully output you see here…

reflexxion

@Sebastian-Roth

root@FogWest:~/svn/trunk/bin# openssl s_client -connect fogproject.org:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = www.fogproject.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.fogproject.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGHzCCBQegAwIBAgISESEX9Cbj3NHROwUOEHFlfU6JMA0GCSqGSIb3DQEBCwUA
MGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD
VQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTUwNTEyMjAzNzUyWhcNMTYwNTEyMjAzNzUyWjBAMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxGzAZBgNVBAMTEnd3dy5mb2dwcm9qZWN0
Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMuzuXvvvV4q2W8
AzmzpOFS0O4DIoI6CfPTORZBGKqqC8FGdo1y52wXM+UplDR11rd0QdVX8ejmGfwt
8dX7X1saj+zS5saeddBnZB/YjLwNc0mU5KkcTaECLTFYtdvpk2TYDRBTHbAxjU6o
IFyUCeFt4gzddBfytzVdGxmZ3PqQNEqXb7/Oq4V0T6aSECb5EXXgqLEgU+JJPDvl
8qLgGC4Mavx6/4GYBS+mF4ByetsaBL1EcJmDCEggTXRK5nHmiqIsThfmJjGhqTY2
+AP3tu7A0z4Zm0gXt4WwvT/MUGBR7l/tmNJR+BCRGsjdCUKXvZhFwnfqgP2D69iJ
4E1dqsECAwEAAaOCAvEwggLtMA4GA1UdDwEB/wQEAwIFoDBJBgNVHSAEQjBAMD4G
BmeBDAECATA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNv
bS9yZXBvc2l0b3J5LzCCAUgGA1UdEQSCAT8wggE7ghJ3d3cuZm9ncHJvamVjdC5v
cmeCE2Jsb2cuZm9ncHJvamVjdC5vcmeCE2RlbW8uZm9ncHJvamVjdC5vcmeCEmRl
di5mb2dwcm9qZWN0Lm9yZ4IUZmlsZXMuZm9ncHJvamVjdC5vcmeCFWZvcnVtcy5m
b2dwcm9qZWN0Lm9yZ4ISZ2l0LmZvZ3Byb2plY3Qub3JnghVtaXJyb3IuZm9ncHJv
amVjdC5vcmeCE25ld3MuZm9ncHJvamVjdC5vcmeCFXBvcnRhbC5mb2dwcm9qZWN0
Lm9yZ4IWcHJldmlldy5mb2dwcm9qZWN0Lm9yZ4ITdGVzdC5mb2dwcm9qZWN0Lm9y
Z4IRdm0uZm9ncHJvamVjdC5vcmeCE3dpa2kuZm9ncHJvamVjdC5vcmeCDmZvZ3By
b2plY3Qub3JnMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20v
Z3MvZ3Nkb21haW52YWxzaGEyZzIuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDBHBggr
BgEFBQcwAoY7aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nk
b21haW52YWxzaGEyZzJyMS5jcnQwOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwMi5n
bG9iYWxzaWduLmNvbS9nc2RvbWFpbnZhbHNoYTJnMjAdBgNVHQ4EFgQUcRo84Nto
hT9tDrVEUVfsg74fgUUwHwYDVR0jBBgwFoAU6k581IAt5RWBhiaMgm3AmKTPlw8w
DQYJKoZIhvcNAQELBQADggEBAAa4CLixH0WBSV7S5pk0HPTklIK1IuKXseVlcGU7
j3xXHnQKdXpmH/iBDUYgHrMxdxxGTP8B0ZyajB6UNX/Qie/2LOFjo8VCsFlQ/2G0
8bRltd9kuf0GvaJByqTiGf3o2dNNbcmvWbl537ohd8Iry0O9GfiTel7+TShYx80j
egBf/ob3BfTms1K0uFhenisfyOYPIvjFC41bDMhJpf1cc7K+S4RSjdqtL+cxTe1s
9as//voRxtCjAB3zdi9sXEORTcON3pexRF4xNIcUBOYwf5J6ylJYfFDhGbx3V9SF
V7Q+yRhKgjwR7QQTl9yZfdVikcHag14y6sndYKHLj0RuU68=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=www.fogproject.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4268 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3D9E36636E42207F6A4725680FE0318953437B0C138AC009E40AC77D993A254E
    Session-ID-ctx: 
    Master-Key: 3D99DF9630DCE2E4B51EBA407AAA491F771EA67EDF61C1448756E64C38A09B8129B9C729EEE576420DA2227766A8F850
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 0c 1b 69 ce e2 db 66 10-f5 a9 81 82 76 9a 7c 34   ..i...f.....v.|4
    0010 - 6f 03 24 99 72 2d c4 0f-0d 8b bb 5d 17 1b 1e 81   o.$.r-.....]....
    0020 - e0 3d c0 28 3d ea 7d b9-0d 3c e5 bb e8 70 08 63   .=.(=.}..<...p.c
    0030 - 20 3e 62 8f a2 ef 5f 8e-54 69 bf de 75 41 c4 e2    >b..._.Ti..uA..
    0040 - c5 72 7b 8d 38 3b 49 b5-d9 24 8f 88 22 a7 54 46   .r{.8;I..$..".TF
    0050 - 9e 77 73 cc 00 3a 34 39-03 88 61 2d 3c d9 36 14   .ws..:49..a-<.6.
    0060 - 75 45 ad 41 da ee 1a 7e-67 57 39 a0 bc d5 fe 69   uE.A...~gW9....i
    0070 - 71 b8 93 16 20 de 65 56-2c be 32 80 9c cf 4a 19   q... .eV,.2...J.
    0080 - 9c 28 35 67 96 f6 3d 2f-0d 6f bb 7a 55 18 ff e7   .(5g..=/.o.zU...
    0090 - 8e 68 58 af 41 9e dd 07-5e f7 f7 4b d9 f8 44 33   .hX.A...^..K..D3
    00a0 - ab 71 aa e6 4c ad cb f2-e1 6f ae e6 6e 2c 9b 71   .q..L....o..n,.q

    Start Time: 1458575172
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Sebastian Roth

@reflexxion Ok, and what about verbose curl output: curl -vvko "checksums" https://fogproject.org/inits/index.php

Maybe this is related: https://sourceforge.net/p/curl/bugs/1319/

reflexxion

@Sebastian-Roth

root@FogWest:~/svn/trunk/bin# curl -vvko "checksums" https://fogproject.org/inits/index.php
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 162.213.199.177...
* Connected to fogproject.org (162.213.199.177) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* Unknown SSL protocol error in connection to fogproject.org:443 
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to fogproject.org:443 
root@FogWest:~/svn/trunk/bin# 

Sebastian Roth

@reflexxion Which version of curl and openssl? dpkg -l | grep -e " curl" -e " openssl"

reflexxion

@Sebastian-Roth

root@FogWest:~/svn/trunk/bin# dpkg -l | grep -e "curl" -e "openssl"
ii  curl                                                  7.35.0-1ubuntu2.6                                   i386         command line tool for transferring data with URL syntax
ii  libcurl3:i386                                         7.35.0-1ubuntu2.6                                   i386         easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libcurl3-gnutls:i386                                  7.35.0-1ubuntu2.6                                   i386         easy-to-use client-side URL transfer library (GnuTLS flavour)
ii  libcurl4-openssl-dev:i386                             7.35.0-1ubuntu2.6                                   i386         development files and documentation for libcurl (OpenSSL flavour)
ii  libgnutls-openssl27:i386                              2.12.23-12ubuntu2.5                                 i386         GNU TLS library - OpenSSL wrapper
ii  openssl                                               1.0.2g-1+deb.sury.org~trusty+1                      i386         Secure Sockets Layer toolkit - cryptographic utility
ii  php5-curl                                             5.6.19+dfsg-1+deb.sury.org~trusty+1                 i386         CURL module for php5
ii  python-openssl                                        0.13-2ubuntu6                                       i386         Python 2 wrapper around the OpenSSL library
ii  python3-pycurl                                        7.19.3-0ubuntu3                                     i386         Python 3 bindings to libcurl
root@FogWest:~/svn/trunk/bin# 

Sebastian Roth

@reflexxion Ok, I have: curl 7.35.0-1ubuntu2.6 but openssl 1.0.1f-1ubuntu2.18 on one of my test servers (curl downloading the checksums fine!)

reflexxion

@Sebastian-Roth do you know how I can downgrade to test?

Quazz

I have the same openssl version on my production system.