do-release-upgrade fails with TLS inspecting proxy (if CA is not installed system wide)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
update-manager (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Problem: do-release-upgrade fails with TLS inspecting proxy (if CA is not installed system wide)
Solution: patch provided below (at least for the detection)
Related bug that might be fixed by the attached patch:
https:/
Affected package (Bionic and package main branch also does not fix it):
Package: python3-
Architecture: all
Version: 1:18.04.11.13
Priority: standard
Section: python
Source: update-manager
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Bugs: https:/
Problem description details:
Company environment with HTTP-proxy required to connect to the internet.
The proxy inspects HTTPS traffic and changes HTTPS server's certificate.
The proxy's CA is not installed/trusted system wide.
APT is configured to use additional CA certificate file via "Acquire:
After I created the patch I learned about:
```
/usr/lib/
Using proxy '' for URL 'https:/
```
but that command does not output proxy or CA information for me. This might be another bug?
I've provided a patch that applies to python3- and allows do-release-upgrade to detect / use the correct certificate while not breaking existing setups (as far as I can tell).
System details:
1) lsb_release -a
```
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
```
2) apt-cache policy python3-
```
python3-
Installed: 1:20.04.10.1
Candidate: 1:20.04.10.1
Version table:
*** 1:20.04.10.1 500
500 http://
100 /var/lib/
1:20.04.9 500
500 http://
```
3) Expectation: do-release-upgrade works and picks up working apt configuration
4) Actual: do-release-upgrade reports no updates (stuck on Bionic)
Solution:
Note that an apt misconfiguration only outputs an error/warning, but the attempt to check for upgrades then continues (without TLS config or proxy).
So the proxy and the default trust store are used to access the HTTPS URL.
Additionally, if that fails due to a certificate mismatch, that error is now reported, as are timeouts or BadStatusLine errors, just to understand the root cause of the problem.
```
$ do-release-upgrade
Error failed to read '/etc/ssl/
Checking for a new Ubuntu release
Failed to connect to https:/
Reason: [SSL: CERTIFICATE_
To upgrade to the latest non-LTS development release
set Prompt=normal in /etc/update-
```
Example /etc/apt/
```
Acquire:
Acquire:
Acquire:
```
The successful update with debug information now looks like this (while it failed before):
```
$ DEBUG_UPDATE_
Checking for a new Ubuntu release
MetaRelease.
/etc/update-
/etc/update-
/etc/update-
/etc/update-
metarelease-uri: https:/
MetaRelease.
have self.metareleas
MetaRelease.parse()
current dist name: 'bionic'
found distro name: 'dapper'
found distro name: 'hardy'
found distro name: 'lucid'
found distro name: 'precise'
found distro name: 'trusty'
found distro name: 'xenial'
found distro name: 'bionic'
found distro name: 'focal'
new dist: <UpdateManager.
Please install all available updates for your release before upgrading.
```
The attachment "fix-ubuntu_python3-update-manager_add-https-proxy-support.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]