Closed fghorow closed 7 years ago
On what provider did you see this failure? I can't reproduce it. Either way, it seems like a good idea to adopt the repo you identified because it is more up-to-date and is also what the official installation documentation now recommends.
Using stable
instead of release/2.4
will avoid pulling in alphas, betas, and RCs. I'll make the switch after I test some 2.3 clients against 2.4. Although we won't be able to adopt some of the cool features that are in 2.4 until Tunnelblick and the iOS client are updated, we should still be able to use 2.4 on the server.
Sorry, I forgot to specify. This was with a freshly installed xenial VPS on BudgetVM using the playbooks/streisand.yml as specified in the README on the home page. That is, I did NOT use one of the canned providers, but my own rented VPS.
Hmmm. I just looked at the Valid-Until dates in both the stable
and the release/2.4
versions of openvpn and both of those ALSO have 2038 dates. The only difference I can see is that the swupdate
version has
Valid-Until: Tue, 30 Nov 2038 00:00:00 JST
while the others have
Valid-Until: Tue, 30 Nov 2038 00:00:00 UTC
Maybe it's the UTC vs the JST that's confusing apt???
Or maybe it's the year 2038 problem in disguise?
(And, why the hell does a security sensitive piece of software like openvpn
use dates in 2038 anyway?)
Did you happen to see the system time on the server when it launched? Perhaps its clock was off and NTP brought it back in line?
I will have a commit pushed soon that should fix this for you and other BudgetVM users by switching to the new repo.
I have verified that an OpenVPN 2.4 server still works perfectly with 2.3-based clients on Linux, iOS (OpenVPN Connect), and OS X (Tunnelblick and Viscosity).
Here's the text demonstrating the problem (ip numbers obfuscated) from my terminal buffer (still available, phew!) as I logged in to check that Xenial was updated:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-59-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Jan 12 19:27:25 UTC 2017
System load: 0.42 Processes: 98
Usage of /: 19.9% of 19.56GB Users logged in: 1
Memory usage: 22% IP address for eth0: xxx.xxx.xxx.xxx
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
0 packages can be updated.
0 updates are security updates.
Last login: Thu Jan 12 19:25:18 2017 from xxx.xxx.xxx.xxx
root@hostname:~# dpkg --configure -a
root@hostname:~# apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Get:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Ign:5 https://swupdate.openvpn.net/apt xenial InRelease
Get:7 https://swupdate.openvpn.net/apt xenial Release.gpg [490 B]
Fetched 205 kB in 1s (170 kB/s)
Reading package lists... Done
E: Failed to fetch https://swupdate.openvpn.net/apt/dists/xenial/Release Invalid 'Valid-Until' entry in Release file /var/lib/apt/lists/partial/swupdate.openvpn.net_apt_dists_xenial_Release
E: Some index files failed to download. They have been ignored, or old ones used instead.
From reading the ansible
error message, that's what tripped up the install. Apparently, there was no clock skew...
Thanks for the bug report!
A date that far out causes something reject it, which in-turn causes the "apt-get update" to throw an error, which in turn breaks the install [Git-commit 5e91de4ba6].
My workaround was this patch:
and then to remove the old apt config file from /etc/apt/sources.list.d/
Please evaluate whether the openvpn version upgrade meets your criteria, and if so consider applying this change. (Specifying 2.3 instead of 2.4 gets the older version, I think, but I have not tested that...)