View Issue Details

ID: 0008859
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2024-08-09 06:40
Reporter: skyperTHC
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0008859: 302 Location Redirect to mirrors before fetching updated ca-certificates
Description

It's a chicken and egg problem. Mirrors constantly renew and update their certificates (as they should be).

On a brand new Kali docker instance, let the very first command be apt update. It connects to http.kali.org/kali/dists/kali-last-snapshot/InRelease
Every once in a while, the Kali Server sends a "301 Location Redirect" to a mirror near to the origin (as it should be).

However, this creates a chicken and egg problem if the ca-certificate is outdated (as it is on kalilinux/kali-last-release).

Example

docker run --rm -v $(pwd):/src -it kalilinux/kali-last-release
apt -oDebug::pkgDPkgPM=true -o Debug::Acquire::http=true update

1 out of 10 times it gets a "301 Location Redirect" to mirror.johnnybegood.fr or mirror.pyratelan.org, but both of these mirrors are using certificates that are not trusted by the kalilinux/kali-last-release's ca-certificates bundle, and thus the output is:

Answer for: http://http.kali.org/kali/dists/kali-last-snapshot/InRelease
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 09 Aug 2024 06:20:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-cache
Link: <http://kali.download/kali/dists/kali-last-snapshot/InRelease>; rel=duplicate; pri=1; geo=ae
Link: <http://mirror.pyratelan.org/kali/dists/kali-last-snapshot/InRelease>; rel=duplicate; pri=2; geo=de
Link: <http://ftp.halifax.rwth-aachen.de/kali/dists/kali-last-snapshot/InRelease>; rel=duplicate; pri=3; geo=de
Link: <http://mirror.netcologne.de/kali/dists/kali-last-snapshot/InRelease>; rel=duplicate; pri=4; geo=de
Location: http://mirror.johnnybegood.fr/kali/dists/kali-last-snapshot/InRelease
GET /kali/dists/kali-last-snapshot/InRelease HTTP/1.1
Host: mirror.johnnybegood.fr
Cache-Control: max-age=0
Accept: text/*
User-Agent: Debian APT-HTTP/1.3 (2.9.2)

Answer for: http://mirror.johnnybegood.fr/kali/dists/kali-last-snapshot/InRelease
HTTP/1.1 301 Moved Permanently
Date: Fri, 09 Aug 2024 06:20:48 GMT
Server: Apache
Location: https://mirror.johnnybegood.fr/kali/dists/kali-last-snapshot/InRelease
Content-Length: 278
Content-Type: text/html; charset=iso-8859-1

Ign:1 https://mirror.johnnybegood.fr/kali kali-last-snapshot InRelease
Ign:1 https://mirror.johnnybegood.fr/kali kali-last-snapshot InRelease
Ign:1 https://mirror.johnnybegood.fr/kali kali-last-snapshot InRelease
Err:1 https://mirror.johnnybegood.fr/kali kali-last-snapshot InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 136.243.89.31 443]
All packages are up to date.
Warning: http://http.kali.org/kali/dists/kali-last-snapshot/InRelease: No system certificates available. Try installing ca-certificates.
Warning: http://http.kali.org/kali/dists/kali-last-snapshot/InRelease: No system certificates available. Try installing ca-certificates.
Warning: http://http.kali.org/kali/dists/kali-last-snapshot/InRelease: No system certificates available. Try installing ca-certificates.
Warning: http://http.kali.org/kali/dists/kali-last-snapshot/InRelease: No system certificates available. Try installing ca-certificates.
Warning: Failed to fetch http://http.kali.org/kali/dists/kali-last-snapshot/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 136.243.89.31 443]
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
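
Added example, not part of the original report or of Kali's tooling: a small Python parser for the Debug::Acquire::http output above that rebuilds the redirect chain and flags the hop where a plain-HTTP fetch is moved onto HTTPS, the point at which apt needs a usable CA bundle. The function names are hypothetical, and the sample is a trimmed excerpt of the log quoted in the report.

```python
import re
from urllib.parse import urlsplit

# Trimmed excerpt of the apt debug output quoted in the report (most headers dropped).
SAMPLE = """\
Answer for: http://http.kali.org/kali/dists/kali-last-snapshot/InRelease
HTTP/1.1 302 Found
Location: http://mirror.johnnybegood.fr/kali/dists/kali-last-snapshot/InRelease
GET /kali/dists/kali-last-snapshot/InRelease HTTP/1.1
Host: mirror.johnnybegood.fr

Answer for: http://mirror.johnnybegood.fr/kali/dists/kali-last-snapshot/InRelease
HTTP/1.1 301 Moved Permanently
Location: https://mirror.johnnybegood.fr/kali/dists/kali-last-snapshot/InRelease

Err:1 https://mirror.johnnybegood.fr/kali kali-last-snapshot InRelease
  Certificate verification failed: The certificate is NOT trusted.
"""

def parse_redirects(log):
    """Return (source_url, status, location) for every 3xx answer in the log."""
    hops, src, status = [], None, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Answer for: "):
            src, status = line[len("Answer for: "):], None
        elif m := re.match(r"HTTP/\d(?:\.\d)? (\d{3})", line):
            status = int(m.group(1))
        elif line.startswith("Location: ") and src and status and 300 <= status < 400:
            hops.append((src, status, line[len("Location: "):]))
    return hops

def tls_upgrades(hops):
    """Hops that move an http:// fetch onto https://, which requires a CA bundle."""
    return [h for h in hops
            if urlsplit(h[0]).scheme == "http" and urlsplit(h[2]).scheme == "https"]

def cert_failures(log):
    """Hostnames from 'Err:' lines followed by a certificate verification failure."""
    lines = log.splitlines()
    return {urlsplit(prev.split()[1]).hostname
            for prev, cur in zip(lines, lines[1:])
            if prev.startswith("Err:") and "Certificate verification failed" in cur}

if __name__ == "__main__":
    failed = cert_failures(SAMPLE)
    for src, status, dst in tls_upgrades(parse_redirects(SAMPLE)):
        print(f"{status} {src} -> {dst} cert_failure={urlsplit(dst).hostname in failed}")
```
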

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-08-09 06:40 skyperTHC New Issue