amonapp / amon

Amon is a modern server monitoring platform.
https://docs.amon.cx
GNU Affero General Public License v3.0

Debian install not working from apt repository #198

Closed jamestombs closed 6 years ago

jamestombs commented 6 years ago

Running the install script from the apt-get update I get the following errors:

Err http://packages.amon.cx amon/contrib i386 Packages

Err http://packages.amon.cx amon/contrib amd64 Packages

Err http://packages.amon.cx amon/contrib i386 Packages

Err http://packages.amon.cx amon/contrib amd64 Packages

Err http://packages.amon.cx amon/contrib i386 Packages

Err http://packages.amon.cx amon/contrib amd64 Packages

Err http://packages.amon.cx amon/contrib i386 Packages

Err http://packages.amon.cx amon/contrib amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Err http://packages.amon.cx amon/contrib i386 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign http://packages.amon.cx amon/contrib Translation-en_GB
Ign http://packages.amon.cx amon/contrib Translation-en
W: Failed to fetch http://packages.amon.cx/repo/dists/amon/contrib/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

W: Failed to fetch http://packages.amon.cx/repo/dists/amon/contrib/binary-i386/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

E: Some index files failed to download. They have been ignored, or old ones used instead.

This worked early last week without issue. I have noted that the SSL certificate for packages.amon.cx was updated on the 29th November 2017.

I've made sure that ca-certificates is up to date on the server.

#lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:        14.04
Codename:       trusty

martinrusev commented 6 years ago

@jamestombs Can you update the url in /etc/apt/sources.list.d/amon.list from http to https

jamestombs commented 6 years ago

Skipped the initial errors but still getting the verification failure.

Err https://packages.amon.cx amon/contrib amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign http://software.virtualmin.com virtualmin-universal/main Translation-en_US
Ign http://software.virtualmin.com virtualmin-universal/main Translation-en
Err https://packages.amon.cx amon/contrib i386 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign http://software.virtualmin.com virtualmin-universal/main Translation-en_GB
Ign https://packages.amon.cx amon/contrib Translation-en_US
Ign https://packages.amon.cx amon/contrib Translation-en
Ign https://packages.amon.cx amon/contrib Translation-en_GB
W: Failed to fetch https://packages.amon.cx/repo/dists/amon/contrib/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

W: Failed to fetch https://packages.amon.cx/repo/dists/amon/contrib/binary-i386/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

E: Some index files failed to download. They have been ignored, or old ones used instead.

martinrusev commented 6 years ago

@jamestombs I did update the repositories. Can you try again and see if you have any issues?

jamestombs commented 6 years ago

Still same issue on multiple 14.04 LTS servers.

The sources.list file has the following:

deb https://packages.amon.cx/repo amon contrib

bensbox commented 6 years ago

Working for Ubuntu 16.04. I guess your system is not recognizing the Certificate Authority, which certified the SSL cert of the amon server. Is the "apt-transport-https" package installed? This is necessary for https apt repositories. You might want to try to reinstall the ca-certificates package as well: apt-get install --reinstall ca-certificates

On the other hand it makes no sense to provide the apt repository as HTTPS only, since the whole content is public anyway and it does not add any security, when properly signing the packages.
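The signed-metadata check that the comment above refers to, as an added example that is not part of the original thread or the Amon project: apt compares each downloaded `Packages` index against the size and SHA256 listed in the repository's `Release` file, whose signature is checked separately. The sample data is constructed, the package name `example-agent` is hypothetical, and the sketch assumes the `Release` text has already passed GPG signature verification.

```python
import hashlib
import hmac

# Constructed sample index (hypothetical package, not from packages.amon.cx).
INDEX_PATH = "contrib/binary-amd64/Packages"
PACKAGES = (
    b"Package: example-agent\n"
    b"Version: 1.0\n"
    b"Architecture: amd64\n"
)

def build_release(index_path, data):
    """Build a minimal constructed Release file listing one index."""
    digest = hashlib.sha256(data).hexdigest()
    return (
        "Suite: amon\n"
        "Components: contrib\n"
        "SHA256:\n"
        f" {digest} {len(data)} {index_path}\n"
    )

def parse_sha256_section(release_text):
    """Return {path: (hex_digest, size)} from the SHA256 field."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field.
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_index(release_text, index_path, data):
    """Check a downloaded index against a signature-verified Release."""
    entries = parse_sha256_section(release_text)
    if index_path not in entries:
        return "not listed in Release"
    digest, size = entries[index_path]
    if len(data) != size:
        return "size mismatch"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, digest):
        return "hash mismatch"
    return "ok"

RELEASE = build_release(INDEX_PATH, PACKAGES)
```

An index altered in transit over plain HTTP fails this check regardless of the transport, as long as the `Release` signature itself is verified against a trusted key.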

martinrusev commented 6 years ago

@jamestombs Can you check it out again when you have a couple of minutes? I reverted the Cloudfront settings to the ones I used last week. When reading through their docs, I realized that using the latest available TLS option (TLS_1.2) might not be the best idea when it comes to repositories.

jamestombs commented 6 years ago

Still getting the same.

# openssl s_client -showcerts -connect packages.amon.cx:443
CONNECTED(00000003)
139736361395872:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
# openssl s_client -showcerts -tls1_2 -connect packages.amon.cx:443
CONNECTED(00000003)
140082906130080:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1263:SSL alert number 40
140082906130080:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:599:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1512725662
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

martinrusev commented 6 years ago

@jamestombs Thanks for the continued help. Really appreciate it. Disabled the https redirect. Now both http and https work.

jamestombs commented 6 years ago

OK, making progress. Download from the repo is fine but there's an issue with the install.

Preparing to unpack .../amonagent_1%3a0.7.5.1_amd64.deb ...
Unpacking amonagent (1:0.7.5.1) ...
Setting up amonagent (1:0.7.5.1) ...
cp: cannot stat ‘/opt/amonagent/scripts//init.sh’: No such file or directory
chmod: cannot access ‘/etc/init.d/amonagent’: No such file or directory
### You can start amonagent by executing

 sudo service amonagent start

###
update-rc.d: /etc/init.d/amonagent: file does not exist
invoke-rc.d: unknown initscript, /etc/init.d/amonagent not found.

Which is then followed by the usual text to say where config is and how to restart the agent etc.

The init.d script doesn't exist so I can't start/stop the agent.

I can run amonagent -test and it successfully sends data to the amon server.

The uninstall with apt-get remove amonagent doesn't work as the init.d script isn't there. I manually created an empty file and it claimed to be removed without error but install gets the same error again.

martinrusev commented 6 years ago

@jamestombs Updated the repository, was a problem with my build pipeline and this file missing for sysinv distros. The issue is fixed in the latest update - 0.7.5.2

You can also download (curl) the file to /opt/amonagent/scripts/init.sh from here as a temporary solution if this particular machine is somewhat stuck https://github.com/amonapp/amonagent/blob/master/packaging/init.sh

jamestombs commented 6 years ago

Creating that file manually and doing a --reinstall worked.

New Ubuntu 14 instances are installing correctly.

Thanks