Closed jindamvani closed 1 year ago
Don't run nested proot inside proot-distro. Use this instead:
PROOT_VERBOSE=9 proot-distro login void -- xbps-install -Su > proot-log.txt 2>&1
And attach the proot-log.txt
file here as it would be long.
Done. Output of proot -v 9 proot-distro login void -- xbps-install -Su > /sdcard/proot-log.txt 2>&1
proot-log.txt
I did some testing upon abby's suggestion on voidlinux IRC:
inside void
-bash-5.1# openssl s_client -connect repo-default.voidlinux.org:443 -verify_return_error
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
3885879520:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1919:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4033 bytes and written 335 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
-bash-5.1#
termux output
~ $ openssl s_client -connect repo-default.voidlinux.org:443 -verify_return_error
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.voidlinux.org
verify return:1
---
Certificate chain
 0 s:CN = *.voidlinux.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 18 23:07:00 2023 GMT; NotAfter: Jun 16 23:06:59 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = *.voidlinux.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4208 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
-bash-5.1# openssl s_client -connect repo-default.voidlinux.org:443 -verify_return_error
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.voidlinux.org
verify return:1
---
Certificate chain
 0 s:CN = *.voidlinux.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = *.voidlinux.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4208 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
voidlinux irc conversation, might be useful for somebody
06:02:48 <jindam> is libressl mandatory for xbps-updates? i am trying to install and configure using proot-distro on android mobile device
06:03:54 <jindam> but when i try to xbps-install -Su and fails with Operation not permitted
06:04:26 <abby> libressl should not be installed
06:04:42 <jindam> i have reported both on proot & void-infrastructure
06:04:47 <abby> as void no longer uses it (openssl is used instead)
06:05:08 <abby> i asked that because it was a common issue at one point
06:05:10 <jindam> void issue: https://github.com/void-linux/void-infrastructure/issues/162
06:05:46 <jindam> proot issue: https://github.com/termux/proot/issues/274
06:06:50 <jindam> couple of issues suggested "SSL_NO_VERIFY_PEER=1"
06:07:28 <abby> if you go to https://repo-default.voidlinux.org on the host do you also have issues
06:07:32 <jindam> but i am strongly *against* it, unless there is some other kind of verification
06:07:46 <abby> or curl outside of proof in termux
06:07:46 <jindam> no
06:08:06 <abby> proot*
06:08:06 <jindam> i verified ssl cert. on ssllabs also
06:08:38 <jindam> cert expires in 2024
06:08:48 <abby> packages themselves are signed so it's perfectly fine to disable SSL verification
06:13:40 <jindam> $ curl -Is https://repo-default.voidlinux.org/ | head -n 1HTTP/2 200, ~ $ proot-distro login void -bash-5.1# curl -Is https://repo-default.voidlinux.org/ | head -n 1 HTTP/2 200
06:16:33 <abby> openssl s_client -connect repo-default.voidlinux.org:443 -verify_return_error
06:18:55 <jindam> inside proot https://paste.debian.net/1281546/
06:20:57 <abby> I would SSL_NO_VERIFY_PEER=1 xbps-install -Su ca-certificates
06:21:08 <abby> sounds like you don't have the right certs in the proot container
06:40:40 <jindam> excuse, abby output inside termux https://paste.debian.net/1281548/
06:41:12 <abby> did you try updating ca-certificates? SSL_NO_VERIFY_PEER=1 xbps-install -Su ca-certificates
06:51:49 <jindam> no, i will try now, just a minute
06:53:10 <jindam> abby, just now successfully installed
06:53:50 <abby> try the openssl s_client command again
06:54:38 <jindam> "SSL_NO_VERIFY_PEER=1" option has become permanent
06:55:03 <abby> ?
06:56:15 <jindam> abby https://paste.debian.net/1281556/
06:56:40 <abby> is that in the proot?
07:06:01 <jindam> abby yes
07:06:28 <abby> then that's not ssl_no_verify_peer being permanent, that's it working
07:06:36 <abby> unless you exported no_verify_peer
07:06:50 <abby> if you just prepended it to the command, it would only apply to that command
07:06:57 <jindam> ok
07:19:57 <jindam> however installed both updates and ca-certs., abby do you think is there any issue still with proot?
07:20:06 <abby> probably
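Added example (not part of the original thread): a small shell helper that reduces two captured `openssl s_client` transcripts, one from the host and one from inside the container, to the verify return code and the certificate at which verification first failed, which is the comparison made in the comments above. The function names, result labels and trimmed sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare certificate verification in two captured
# `openssl s_client` transcripts (host vs. container).

# Constructed samples, trimmed from the transcripts in this thread.
HOST_LOG='depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=0 CN = *.voidlinux.org
verify return:1
Verify return code: 0 (ok)'
PROOT_LOG='depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)'

# stdin: s_client output. stdout: "<code>|<depth>|<subject>", where depth and
# subject name the certificate at which verification first failed (empty if none).
verify_summary() {
  awk '
    /^depth=[0-9]+ / {
      depth = $1; sub(/^depth=/, "", depth)
      subject = $0; sub(/^depth=[0-9]+ /, "", subject)
    }
    /^verify error:num=[0-9]+:/ && fail_depth == "" {
      fail_depth = depth; fail_subject = subject
    }
    /^ *Verify return code: [0-9]+/ {
      code = $0; sub(/^ *Verify return code: /, "", code); sub(/ .*/, "", code)
    }
    END {
      if (code == "") code = "unknown"
      printf "%s|%s|%s\n", code, fail_depth, fail_subject
    }'
}

# $1: host transcript, $2: container transcript. Prints a hypothetical label.
diagnose() (
  host=$(printf '%s\n' "$1" | verify_summary)
  ctr=$(printf '%s\n' "$2" | verify_summary)
  case "${host%%|*}:${ctr%%|*}" in
    unknown:*|*:unknown) echo "incomplete-transcript" ;;
    0:0) echo "ok" ;;
    0:*) echo "container-trust-store" ;;  # host verifies, container does not
    *)   echo "server-or-network" ;;      # the host fails as well
  esac
)

diagnose "$HOST_LOG" "$PROOT_LOG"
```

With the two transcripts from this thread the result points at the CA bundle inside the container, since the same server chain verifies on the host.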
Problem description
Unable to update installed void distribution
What steps will reproduce the bug?
$ pkg install proot-distro
$ proot-distro login void
-bash-5.1# xbps-install -Su
[*] Updating repository `https://repo-default.voidlinux.org/current/armv7l-repodata' ...
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
SSL_connect returned 1
ERROR: [reposync] failed to fetch file `https://repo-default.voidlinux.org/current/armv7l-repodata': Operation not permitted
What is the expected behavior?
Update distro
Additional information