:: Re: [DNG] deb.devuan.org - bad cert…
Forside
Slet denne besked
Besvar denne besked
Skribent: Dan Purgert
Dato:  
Til: dng
Emne: Re: [DNG] deb.devuan.org - bad certificate?
On Aug 30, 2024, onefang wrote:
> On 2024-08-29 14:05:04, Dan Purgert via Dng wrote:
> > On Aug 28, 2024, R A Montante, Ph.D. via Dng wrote:
> > > Hello all,
> > >
> > > I'm having an issue  doing "sudo apt update" --- it runs very slowly and
> > > gives the results below.  Does anyone know what's going on?  (There's a 2nd
> > > copy-paste after this one, BTW).
> > >
> > >
> > > Tried from my school just now (I've highlighted the first lines in red
> > > because they're so surprising):
> > >
> > > > Err:5 http://deb.devuan.org/merged daedalus InRelease
> > > > Err:6 http://deb.devuan.org/merged daedalus-security InRelease
> > > > Err:7 http://deb.devuan.org/merged daedalus-updates InRelease
> > > >  Temporary failure resolving 'deb.devuan.org'
> >
> > Your DNS resolver doesn't like deb.devuan.org for some reason or other.
> >
> > > So I tried/browsing/ to "deb.rr.devuan.org" (the CNAME) and got this error
> > > message (I highlighted the certificate problem in red):
> > >
> > > >
> > > > Warning: Potential Security Risk Ahead
> > > >
> > > > Firefox detected a potential security threat and did not continue to
> > > > *deb.rr.devuan.org*. If you visit this site, attackers could try to
> > > > steal information like your passwords, emails, or credit card details.
> >
> > Testing with FF here causes FF to whine because it's http:// not
> > https:// (which is a non-issue for repos anyway, as packages are checked
> > against GPG-signed hashes).
> >
> > IN OTHER WORDS -->> the big scary warning is fallout from the "HTTPS
> > Everywhere" movement pushed by Google et. al. about a decade ago. Well,
> > at least I think that was what people were calling it; quick check at
> > wikipedia says it was just a plugin for browsers pushed by the EFF.
> >
> > If I force https:// ; then I get a cert error for a LE cert applied for
> > various "rrq.au" domains. I'd assume it's just apache falling through
> > to whatever cert it has available, rather than any malice.
>
> deb.devuan.org is a DNS round robin (DNS-RR), mirror.rrq.au was recently
> added to it. So sometimes you'll get the IPs of rrq's mirror when you
> ask for deb.devuan.org, sometimes you'll get one of the other mirrors.
>
> deb.devuan.org can't have a HTTPS cert, coz it would have to be shared
> with all the package mirrors in the DNS-RR.


I seem to have edited out quite a bit more than I had intended to with
regards to *why* the cname hosts wouldn't have certs for deb.devuan.org
either (oops :( ).

> Last I checked rrq's mirror doesn't support HTTPS, but he may have
> changed that.


Well, it "works" (or at least falls through and presents the cert with a
bunch of his other domains anyway :) )

>
> > Pretty sure 'rrq' is a semi-frequent commenter here, so perhaps he'll
> > see it and chime in.
>
> rrq is one of our Devuan developers, and does indeed comment here.


I thought he did something like that; but made a similar mistake with
someone else using a 3-letter nickname on IRC a few weeks ago (oops)

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860