Launchpad itself

Mirror prober incorrectly reports an invalid SSL certificate

Bug #1885585 reported by NetActuate Ops
24
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Launchpad itself
New
Undecided
Unassigned

Bug Description

We have been noticing a problem with the mirror probing where partway through the probe, it suddenly starts complaining about our mirror having an invalid certificate, which is absolutely not the case.

https://launchpad.net/ubuntu/+mirror/mirror1.cl.netactuate.com-archive
https://launchpad.net/ubuntu/+mirror/mirror1.cl.netactuate.com-release

Here are logs with the failures:
http://launchpadlibrarian.net/486354226/mirror1.cl.netactuate.com-archive-probe-logfile.txt
http://launchpadlibrarian.net/486330936/mirror1.cl.netactuate.com-release-probe-logfile.txt

As you can see from the logs, everything starts off fine, then suddenly one check claims there is an invalid HTTPS certificate, and everything else gets skipped.

You can also see here where everything worked fine:
http://launchpadlibrarian.net/486109160/mirror1.cl.netactuate.com-archive-probe-logfile.txt
http://launchpadlibrarian.net/486094033/mirror1.cl.netactuate.com-release-probe-logfile.txt

Nothing has changed with the certificate between these probes.

"Invalid SSL certificate" can also mean a lot of different things specifically, having more verbose logs of such a failure would be useful.

Tags: mirror
Revision history for this message
Luís Baker (luisbaker) wrote :

My mirror is having the same problem for months
http://launchpadlibrarian.net/590317372/ibakerserver-probe-logfile.txt

Revision history for this message
it4innovations (it4i) wrote :

Hi Team,

we have experienced same or similar error about invalid certificate as well but cert has been valid for some time and it expires in October this year-

I could not get newer logs as the prober history errs in timeout.

Br,

Ondrej Filip
IT4Innovations

http://launchpadlibrarian.net/660904400/mirror.it4i.cz-archive-probe-logfile.txt

Revision history for this message
Teresa Cancino (hostednode) wrote :

Same problem here,

because: Connection skipped because the server doesn't have a valid HTTPS certificate. It will be retried on the next probing run.

http://launchpadlibrarian.net/667961958/mirror.hnd.cl-archive-probe-logfile.txt

But our mirror have a valid and working certificate

https://mirror.hnd.cl/ubuntu/

% nmap --script ssl-cert -p 443 mirror.hnd.cl
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-25 23:21 -04
Nmap scan report for mirror.hnd.cl (138.186.10.35)
Host is up (0.0035s latency).
rDNS record for 138.186.10.35: 35.10.186.138.static.hostednode.net

PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=mirror.hnd.cl
| Subject Alternative Name: DNS:mirror.hnd.cl
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-04-15T23:36:34
| Not valid after: 2023-07-14T23:36:33
| MD5: 525fad578a5ecc3e5b0f2fd00cfc4399

nmap -6 --script ssl-cert -p 443 mirror.hnd.cl

Starting Nmap 6.40 ( http://nmap.org ) at 2023-05-25 23:23 -04
Nmap scan report for mirror.hnd.cl (2803:8240:50:1035::35)
Host is up (0.11s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=mirror.hnd.cl
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2023-04-15T23:36:34+00:00
| Not valid after: 2023-07-14T23:36:33+00:00
| MD5: 525f ad57 8a5e cc3e 5b0f 2fd0 0cfc 4399
|_SHA-1: 6d05 e390 16c3 9321 547d fbcb 7298 72c7 8b17 d1b6

Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds
|_SHA-1: 6d05e39016c39321547dfbcb729872c78b17d1b6

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.