Re: [Savannah-hackers-public] Unreachable https and rsync mirrors

[Bob Proulx]

Ian Kelling wrote:
> Related, on https://savannah.gnu.org/maintenance/Mirmon/ there is a
> broken link, which also has a bad cert
> 
> $ curl https://dl.sv.gnu.org/releases-noredirect/00_MIRRORS.html
> curl: (51) SSL: no alternative certificate subject name matches target host 
> name 'dl.sv.gnu.org'

dl.sv is a shortcut DNS name.  There are so many of those!  Take all
of the combination of gnu and nongnu, of savannah and sv, of dl and
download, and then do that for all of the systems since most have
short typing aid names, and there are a lot of names!  I didn't have
them all on download.

I have updated the certificates to include these.  These have been
missing since February 10, 2020 when things were converted from
Certbot to Dehydrated.

  dl.savannah.gnu.org
  dl.savannah.nongnu.org
  dl.sv.gnu.org
  dl.sv.nongnu.org

Those now have been issued certificates and should be working for
https now.

> I manually curled 2 of the bad mirrors listed here
> https://download.savannah.gnu.org/mirmon/allgnu/, and there is a cert
> error. I'm pretty sure, the issue is that the ca-certs needs updating on
> the machine running mirmorn. The os itself could use an update too. Bob,
> you there?

You are correct.  Which becomes a motivation to get off the fallen out
of support OS on download0 and over to the newer OS on the new
download1 system soonest.

I tried simply upgrading the ca-certificates individally but there is
a dependency upon a newer openssl.  At which point I stopped because
that would open a can of worms of dependencies.  Time better spent
working on getting onto the newer system.

> Thérèse Godefroy <godef.th@free.fr> writes:
> > 8 have been reported off-line for 6 days:
> > https://www.singleboersen.com (http OK)
> > https://mirror.checkdomain.de (http OK)
> > https://www.gutscheinrausch.de (http OK)
> > https://ftp.wrz.de (http OK)
> > https://mirrors.nav.ro (http OK)
> > http://mirror.lihnidos.org
> > https://mirror.us-midwest-1.nexcess.net (http OK)
> > https://mirrors.syringanetworks.net (http OK)

All of those seem to be the outdated CA list and openssl on
download0.  All but one of the above were issued by Comodo.  Which is
the mostly common thread among them.  They apparently have a newly
issued trust anchor.

> > One for 6.8 days:
> > rsync://mirror2.evolution-host.com::gnu
> > One for nearly 99 days:
> > rsync://mirrors.syringanetworks.net/gnu

I don't know.  I didn't have time to look at the rsync mirrors.  I need to dig 
more.

> > What's strange is that I can reach all of them from France, except
> > http://mirror.lihnidos.org.

That system is simply down.  Can't ping it or get any other life from it.

> > Several rsync mirrors (not only these 2) have been wrongly reported
> > off-line since January 2019, occasionally or almost constantly. But this
> > is the first time I see so many https URLs being unreachable for Mirmon,
> > while they are fine for me.

The CA Certificate Authority trust anchors they are now using are
newer than the files available on download0 to validate.

> > Since these https URLs are supposedly off-line, they are not taken into
> > account by the multiplexer. So the load on the other mirrors increases.
> > Right?

There are many mirrors however.  The collection of all of them is
therefore resilient to a small number of them being offline.  At the
time I look there are 13 listed offline out of 223 total.  That is 6%
which leaves 94% of the mirrors online.

> > Is there a way to fix this?

The real answer is the OS upgrade to get the newer openssl and newer
ca-certificates package.  Ian and I started on this back at
LibrePlanet in March.  But then other prioritites distracted me.  I'll
get back on the task again.

Bob