getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or database folders

Bug #1920615 reported by jean-christophe manciot
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
clamav (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

Ubuntu 21.04
clamav-freshclam: 0.103.0+dfsg-3.1

/etc/clamav/freshclam.conf:
--------------------------
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug true
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing true
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.fr.clamav.net
DatabaseMirror database.clamav.net

Commands executed as root:
# systemctl stop clamav-freshclam
# freshclam --debug --verbose
Sat Mar 20 16:00:21 2021 -> ClamAV update process started at Sat Mar 20 16:00:21 2021
Sat Mar 20 16:00:21 2021 -> *Current working dir is /var/lib/clamav/
Sat Mar 20 16:00:21 2021 -> *Querying current.cvd.clamav.net
Sat Mar 20 16:00:21 2021 -> *TTL: 1623
Sat Mar 20 16:00:21 2021 -> *fc_dns_query_update_info: Software version from DNS: 0.103.1
Sat Mar 20 16:00:21 2021 -> *Current working dir is /var/lib/clamav/
Sat Mar 20 16:00:21 2021 -> *check_for_new_database_version: No local copy of "daily" database.
Sat Mar 20 16:00:21 2021 -> *query_remote_database_version: daily.cvd version from DNS: 26115
Sat Mar 20 16:00:21 2021 -> daily database available for download (remote version: 26115)
Sat Mar 20 16:00:21 2021 -> *Retrieving https://database.clamav.net/daily.cvd
Sat Mar 20 16:00:21 2021 -> *downloadFile: Download source: https://database.clamav.net/daily.cvd
Sat Mar 20 16:00:21 2021 -> *downloadFile: Download destination: /var/lib/clamav/tmp.5ee08cf0a0/clamav-746b5f842a022ff02206be76e0c77fe8.tmp
* Trying 104.16.219.84:443...
* Connected to database.clamav.net (104.16.219.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
* Closing connection 0
Sat Mar 20 16:00:21 2021 -> ^Download failed (77)
Sat Mar 20 16:00:21 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Sat Mar 20 16:00:21 2021 -> ^getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sat Mar 20 16:00:21 2021 -> Trying again in 5 secs...

The alleged "error setting certificate verify locations" is false:
# sudo -u clamav -EH ls -al /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 186336 Mar 15 08:45 /etc/ssl/certs/ca-certificates.crt
# sudo -u clamav -EH ls -al /etc/ssl/certs
total 556
drwxr-xr-x 3 root root 12288 Mar 15 08:45 .
...

Also, it is possible to contact the website as clamav user, meaning there is no CA access issue for that user:
# sudo -u clamav -EH wget https://database.clamav.net
--2021-03-20 16:21:12-- https://database.clamav.net/
Resolving database.clamav.net (database.clamav.net)... 104.16.219.84, 104.16.218.84, 2606:4700::6810:da54, ...
Connecting to database.clamav.net (database.clamav.net)|104.16.219.84|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html [ <=> ] 1.14K --.-KB/s in 0s

2021-03-20 16:21:12 (21.3 MB/s) - ‘index.html’ saved [1166]

# more index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1"
 http-equiv="content-type">
  <meta content="15;url=http://www.clamav.net" http-equiv="Refresh">
  <title>ClamAV database mirror</title>
</head>
<body>
<div style="text-align: center;">
<big>
<img style="width: 125px; height: 102px;" alt="ClamAV logo"
 src="//www.clamav.net/assets/clamav-trademark.png">
</big>
<br>
</div>
<br>
<br>
You reached one of ClamAV virus database mirrors: <a
 style="font-style: italic;" href="http://database.clamav.net">database.clamav.net</a>
is a round robin record that tries to equally balance the traffic
between all the database mirrors.<br>
For a complete list of our mirrors visit <a
 href="http://www.clamav.net/mirrors.html">http://www.clamav.net/mirrors.html</a><br>
<br>
<br>
You'll be redirected to ClamAV home page (<a
 href="http://www.clamav.net">http://www.clamav.net</a>) in 15
seconds...<br>
<br>
<br>
<hr style="width: 100%; height: 2px;"><small style="font-weight: bold;">This
mirror is sponsored by </small><br>
<br>
<img alt="Sponsor Logo" src="local_logo.png"><br>
<br>
</body>
</html>

This is a very strange issue.
Any suggestion on how to debug/workaround that issue?

jean-christophe manciot (manciot-jeanchristophe) wrote :

There is no such issue on another Ubuntu device with the **exact** same SSL and freshclam configurations and located on the same private network as the failing device sharing the same IP public address.

Is it possible that cloudflare enforces a limit on the number of devices which are allowed to download from https://database.clamav.net/daily.cvd?

description: updated
jean-christophe manciot (manciot-jeanchristophe) wrote :

I have found the cause of the issue: clamav does not support symlinks for any of the following:
- /etc/clamav
- /etc/ssl
- /etc/ssl/certs
- /var/lib/clamav

If I make sure there is no symlink anymore for any of the above folders, then the issue is worked around:
# freshclam --debug --verbose
...
* Trying 104.16.219.84:443...
* Connected to database.clamav.net (104.16.219.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Aug 15 00:00:00 2020 GMT
* expire date: Aug 15 12:00:00 2021 GMT
* subjectAltName: host "database.clamav.net" matched cert's "database.clamav.net"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55631ca7a1e0)
> GET /safebrowsing.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.103.0 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
accept: */*

I'm not sure whether this symlink sensitivity is by design or a bug.
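
A check for the condition this comment describes, as an added example that is not part of the original report: it walks every component of the four directories listed above and prints each one that is a symlink. The function name `symlinked_components` is made up for the illustration; `readlink` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the bug report): find symlinks on the paths
# freshclam reads, component by component, so a link at /etc/ssl is
# reported even when the path being checked is /etc/ssl/certs.

# Print "component -> target" for every symlinked component of an
# absolute path. Returns 0 if at least one symlink was found, 1 otherwise.
symlinked_components() {
    p=$1
    cur=""
    found=1
    rest=${p#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}                  # next component
        case $rest in
            */*) rest=${rest#*/} ;;       # drop it from the remainder
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue        # skip empty parts from "//"
        cur="$cur/$part"
        if [ -L "$cur" ]; then
            printf '%s -> %s\n' "$cur" "$(readlink "$cur")"
            found=0
        fi
    done
    return $found
}

# Default to the directories named in the comment; pass others as arguments.
[ "$#" -gt 0 ] || set -- /etc/clamav /etc/ssl /etc/ssl/certs /var/lib/clamav
for dir in "$@"; do
    if ! symlinked_components "$dir"; then
        printf 'ok: no symlink on %s\n' "$dir"
    fi
done
```

Paths that do not exist are reported as having no symlink, so the script can be run before the packages are installed.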

Lucas Kanashiro (lucaskanashiro) wrote :

Thank you for taking the time to file a bug report.

None of the mentioned packages create a link to the certificates directory (/etc/ssl/certs), so I believe you made some kind of manual intervention. And IMO this "symlink sensitivity" is an upstream design decision and not a bug; if you believe this is a bug, please go ahead and file an upstream bug.

Since it seems likely to me that this is a local configuration problem,
rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'.

However, if you believe that this is really a bug in Ubuntu, then we would
be grateful if you would provide a more complete description of the problem
with steps to reproduce, explain why you believe this is a bug in Ubuntu
rather than a problem specific to your system, and then change the bug
status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Changed in clamav (Ubuntu):
status: New → Incomplete
Utkarsh Gupta (utkarsh) wrote :

FWIW, this indeed looks like a local issue. I tried to further reproduce this in a hirsute VM and couldn't.

# rm /var/lib/daily.cvd
# systemctl stop clamav-freshclam
# freshclam --debug --verbose

...which worked fine and I didn't see any errors like you did.

jean-christophe manciot (manciot-jeanchristophe) wrote :

@Lucas Kanashiro (lucaskanashiro)
Thanks for taking the time to read and answer it.

You're right, it is not a bug per se, more a serious shortcoming.
If we install the required packages, everything works fine.

However, if we modify one of the aforementioned folders to a symlink which points to another folder with the same contents, then the issue described in this thread pops up.

This is the first time I encounter this strange "symlink sensitivity" by any Ubuntu package and I believe this should never happen on Linux.

I understand that clamav is also implemented on Windows and this could explain this undesired behavior on Linux.

I have already posted a "feature request" on the <email address hidden> mailing list, but there is no response so far.

@Utkarsh Gupta (utkarsh)
Try this:
# sudo systemctl stop clamav-daemon
# sudo systemctl stop clamav-freshclam
# sudo mv -f /etc/clamav /etc/clamav.sav
# sudo ln -fsv /etc/clamav.sav /etc/clamav
'/etc/clamav' -> '/etc/clamav.sav'
# sudo systemctl restart clamav-daemon
# sudo systemctl restart clamav-freshclam
# sudo systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2021-03-23 18:45:15 CET; 5s ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://www.clamav.net/documents
    Process: 2460871 ExecStart=/usr/bin/freshclam -d --foreground=true (code=exited, status=2)
   Main PID: 2460871 (code=exited, status=2)

Mar 23 18:45:15 host systemd[1]: Started ClamAV virus database updater.
Mar 23 18:45:15 host freshclam[2460871]: ERROR: Can't open/parse the config file /etc/clamav/freshclam.conf
Mar 23 18:45:15 host systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 23 18:45:15 host systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'.

Then back to normal:
# sudo rm -f /etc/clamav
# sudo mv -f /etc/clamav.sav /etc/clamav
# sudo systemctl restart clamav-daemon
# sudo systemctl restart clamav-freshclam
# sudo systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-03-23 18:55:53 CET; 5s ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://www.clamav.net/documents
   Main PID: 2511510 (freshclam)
      Tasks: 1 (limit: 18975)
     Memory: 2.1M
     CGroup: /system.slice/clamav-freshclam.service
             └─2511510 /usr/bin/freshclam -d --foreground=true

Mar 23 18:55:53 host systemd[1]: Started ClamAV virus database updater.
Mar 23 18:55:53 host freshclam[2511510]: Tue Mar 23 18:55:53 2021 -> ClamAV update process started at Tue Mar 23 18:55:53 2021
Mar 23 18:55:53 host freshclam[2511510]: Tue Mar 23 18:55:53 2021 -> daily.cld database is up to date (version: 26118, sigs: 3965203, f-level: 63,>
Mar 23 18:55:53 host freshclam[2511510]: Tue Mar 23 18:55:53 2021 -> main.cld database is up to date ...


summary: getcvd: Can't download daily.cvd from
https://database.clamav.net/daily.cvd despite correct connection to
- https://database.clamav.net
+ https://database.clamav.net when symlinks are used for configuration
+ and/or database folders
Utkarsh Gupta (utkarsh) wrote :

Hi Jean-Christophe,

> Try this:
> [...]

Oh yeah, thanks, I could reproduce the symlinking issue now, but...

> However, if we modify one of the aforementioned folders to a symlink
> which points to another folder with the same contents, then the
> issue described in this thread pops up.

...yeah, probably this isn't supported by upstream and, as you've figured correctly, this isn't a bug here. So for now, I am marking this bug as "invalid", but should you feel differently, please feel free to change it to what's more appropriate and let me know the reasoning for the change.

> I understand that clamav is also implemented on Windows and this
> could explain this undesired behavior on Linux.

Ooh, likely. That said...

> I have already posted a "feature request" on the
> <email address hidden> mailing list, but there is no
> response so far.

...let me ping Micah and see if he can take a look at this.

That said, thanks for helping me reproduce the issue and taking your time to file a comprehensive report here and forwarding this to upstream as well! \o/

Changed in clamav (Ubuntu):
status: Incomplete → Invalid
Utkarsh Gupta (utkarsh) wrote :

Status update: Micah confirmed that the problem is at the upstream's end and that he'll reply to your mail soon. So yay! :)

jean-christophe manciot (manciot-jeanchristophe) wrote :

Thanks for your backchannel with the upstream. :-)
