search

StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn
Other
23.17k stars 1.99k forks source link

[PATCH] openvpn apt repository uses Valid-Until date in 2038 #477

Closed fghorow closed 7 years ago

fghorow commented 7 years ago

A date that far out causes something reject it, which in-turn causes the "apt-get update" to throw an error, which in turn breaks the install [Git-commit 5e91de4ba6].

My workaround was this patch:

diff --git a/playbooks/roles/openvpn/tasks/main.yml b/playbooks/roles/openvpn/tasks/main.yml
index 0957a0a..f936ff8 100644
--- a/playbooks/roles/openvpn/tasks/main.yml
+++ b/playbooks/roles/openvpn/tasks/main.yml
@@ -7,7 +7,7 @@

 - name: Add the official OpenVPN repository
   apt_repository:
-    repo: 'deb https://swupdate.openvpn.net/apt {{ ansible_lsb.codename }} main'
+    repo: 'deb https://build.openvpn.net/debian/openvpn/release/2.4 {{ ansible_lsb.codename }} main'
     state: present

 - name: Install OpenVPN and its dependencies from APT

and then to remove the old apt config file from /etc/apt/sources.list.d/

Please evaluate whether the openvpn version upgrade meets your criteria, and if so consider applying this change. (Specifying 2.3 instead of 2.4 gets the older version, I think, but I have not tested that...)

jlund commented 7 years ago

On what provider did you see this failure? I can't reproduce it. Either way, it seems like a good idea to adopt the repo you identified because it is more up-to-date and is also what the official installation documentation now recommends.

Using stable instead of release/2.4 will avoid pulling in alphas, betas, and RCs. I'll make the switch after I test some 2.3 clients against 2.4. Although we won't be able to adopt some of the cool features that are in 2.4 until Tunnelblick and the iOS client are updated, we should still be able to use 2.4 on the server.

fghorow commented 7 years ago

Sorry, I forgot to specify. This was with a freshly installed xenial VPS on BudgetVM using the playbooks/streisand.yml as specified in the README on the home page. That is, I did NOT use one of the canned providers, but my own rented VPS.

fghorow commented 7 years ago

Hmmm. I just looked at the Valid-Until dates in both the stable and the release/2.4 versions of openvpn and both of those ALSO have 2038 dates. The only difference I can see is that the swupdate version has Valid-Until: Tue, 30 Nov 2038 00:00:00 JST while the others have Valid-Until: Tue, 30 Nov 2038 00:00:00 UTC

Maybe it's the UTC vs the JST that's confusing apt???

Or maybe it's the year 2038 problem in disguise?

(And, why the hell does a security sensitive piece of software like openvpn use dates in 2038 anyway?)

jlund commented 7 years ago

Did you happen to see the system time on the server when it launched? Perhaps its clock was off and NTP brought it back in line?

I will have a commit pushed soon that should fix this for you and other BudgetVM users by switching to the new repo.

I have verified that an OpenVPN 2.4 server still works perfectly with 2.3-based clients on Linux, iOS (OpenVPN Connect), and OS X (Tunnelblick and Viscosity).

fghorow commented 7 years ago

Here's the text demonstrating the problem (ip numbers obfuscated) from my terminal buffer (still available, phew!) as I logged in to check that Xenial was updated:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-59-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jan 12 19:27:25 UTC 2017

  System load:  0.42               Processes:           98
  Usage of /:   19.9% of 19.56GB   Users logged in:     1
  Memory usage: 22%                IP address for eth0: xxx.xxx.xxx.xxx
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

Last login: Thu Jan 12 19:25:18 2017 from xxx.xxx.xxx.xxx
root@hostname:~# dpkg --configure -a
root@hostname:~# apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Get:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Ign:5 https://swupdate.openvpn.net/apt xenial InRelease
Get:7 https://swupdate.openvpn.net/apt xenial Release.gpg [490 B]
Fetched 205 kB in 1s (170 kB/s)
Reading package lists... Done
E: Failed to fetch https://swupdate.openvpn.net/apt/dists/xenial/Release  Invalid 'Valid-Until' entry in Release file /var/lib/apt/lists/partial/swupdate.openvpn.net_apt_dists_xenial_Release
E: Some index files failed to download. They have been ignored, or old ones used instead.

From reading the ansible error message, that's what tripped up the install. Apparently, there was no clock skew...

jlund commented 7 years ago

Thanks for the bug report!