Crypt-SSLeay can't verify hostnames

sannsio

Dec 8, 2015
Hi,

I'm using PVE behind a proxy. In pveam.log I can find the following error:

Dec 31 05:44:02 start download http://releases.turnkeylinux.org/pve/aplinfo.dat.asc
Dec 31 05:44:03 download failed: 500 Can't connect to releases.turnkeylinux.org:443 (Crypt-SSLeay can't verify hostnames)
Dec 31 05:44:03 update failed - no signature file '/var/lib/pve-manager/apl-info/pveam-releases.turnkeylinux.org.tmp.14027.asc'

Seems that https connection is not possible. Any ideas how to solve this?

Thanks,
Sandra
 
What happens when you perform the following on Proxmox's command line:

Code:
https://releases.turnkeylinux.org/pve/aplinfo.dat.asc
 
Hi Richard,
thank you for your reply. But I don't get what you mean by this:

What happens when you perform the following on Proxmox's command line:

This is just a URL and nothing that can be executed:
Code:
https://releases.turnkeylinux.org/pve/aplinfo.dat.asc

Or did you want me to try to use wget or curl for testing if the connection works generally?

Thank you!
Sandra
 
Ok, thanks.
Of course I have tried to fetch the URL directly. This works as it should. The problem seems to be something else.

The download/update is initiated in this file: /usr/share/perl5/PVE/APLInfo.pm

The URLs are defined here:

Code:
sub get_apl_sources {
  my $urls = [];
  push @$urls, "http://download.proxmox.com/images";
  push @$urls, "http://releases.turnkeylinux.org/pve";

  return $urls;
}

The first URL is not causing problems, because it's plain http.
The second is redirected to https. And here comes the trouble. Our proxy is being used for the https connection. You can see this in the following "sub update" method:

Code:
  if ($proxy) {
      $ua->proxy(['http', 'https'], $proxy);
  } else {
      $ua->env_proxy;
  }

I guess that this is some Perl issue. Maybe a missing Lib or something else.

Sandra
 
Thank you Wolfgang!
I am not aware of the configuration of our proxy in detail, but I have not experienced other problems with https/proxy.
APT and all the other tools don't have issues with https.

We are running this version:
# pveversion
pve-manager/4.1-2/78c5f4a2 (running kernel: 4.2.6-1-pve)


Thanks,
Sandra
 
Sorry for necroing the thread, but I haven't seen an answer yet on the forums for this. As it took me a couple of hours to solve, I thought I should share the workaround.

This is caused by proxies that replace the HTTPS certificates so the IT Security dept. can decrypt your SSL traffic going in and out. The certificate that the proxy offers doesn't match the hostname of the website.

The workaround is setting the options of LWP::UserAgent to not verify this:

Search /usr/share/perl5/PVE/APLInfo.pm for these two lines:

APLInfo.pm: my $ua = LWP::UserAgent->new;
APLInfo.pm: $ua->agent("PVE/1.0");

Add this one to set the LWP::UserAgent options to skip hostname verification:

APLInfo.pm: $ua->ssl_opts( verify_hostname => 0, SSL_verify_mode => 0x00);

After you add this, execute pveam update.

Hope it saves someone some time.

Best Regards
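
A verification-preserving variant of the change above, added here as an example (not from the original post or from Proxmox's code): instead of switching the checks off, it trusts the intercepting proxy's CA. It assumes that CA has been added to the Debian system bundle at /etc/ssl/certs/ca-certificates.crt; build_ua, check_fetch.pl and the PVE_CA_FILE variable are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Assumption: the proxy's signing CA was added to the system bundle
# (e.g. via update-ca-certificates). PVE_CA_FILE is a hypothetical override.
my $ca_file = $ENV{PVE_CA_FILE} // '/etc/ssl/certs/ca-certificates.crt';

# Same agent/proxy setup as the APLInfo.pm lines quoted in the thread,
# but certificate and hostname checks stay enabled.
sub build_ua {
    my ($proxy, $ca) = @_;
    die "CA bundle '$ca' is missing or unreadable\n" unless -r $ca;

    my $ua = LWP::UserAgent->new;
    $ua->agent("PVE/1.0");
    $ua->ssl_opts(
        verify_hostname => 1,    # certificate must name the requested host
        SSL_ca_file     => $ca,  # and chain to a CA in this bundle
    );
    # With verify_hostname => 0 and SSL_verify_mode => 0x00 instead, any
    # certificate from any host on the path would be accepted.
    if ($proxy) {
        $ua->proxy(['http', 'https'], $proxy);
    } else {
        $ua->env_proxy;
    }
    return $ua;
}

# Usage: perl check_fetch.pl URL [PROXY_URL]
my ($url, $proxy) = @ARGV;
if (!defined $url) {
    print "usage: $0 URL [PROXY_URL]\n";
    exit 0;
}
my $ua  = build_ua($proxy, $ca_file);
my $res = $ua->get($url);
print "$url -> ", $res->status_line, "\n";
# LWP turns connection and TLS failures into a locally generated 500
# response marked with a Client-Warning header; the status line holds the reason.
if (($res->header('Client-Warning') // '') eq 'Internal response') {
    print "request never reached the server; check proxy and CA trust\n";
}
exit($res->is_success ? 0 : 1);
```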
 
