AppCenter cache update does not work through proxy - Downloading the App archive via zsync failed
Problem:
When performing a UCS upgrade or Update the Appcenter Cache, the process is delayed or blocked for 20 minutes or longer when a proxy is in place that only allows HTTPS traffic. The issue occurs during the app blocking check (univention-app update-check) because the App Center cache update cannot complete successfully throuth proxy.
Hint:
In this case, the Server is an external RHEL System which is used as Proxy Server for the whole domain.
Observed Behavior:
Running the following command leads to a timeout:
time univention-app update-check --ucs-version 5.1
Output:
Unable to cache apps
Unable to cache apps
The update to 5.1 is currently not possible,
because the following Apps are not available for UCS 5.1:
real 15m7,137s
user 0m2,128s
sys 0m0,507s
/var/log/univention/appcenter.log
21409 actions.update-check 25-08-19 12:22:33 [ DEBUG]: Calling update-check
21409 actions.update-check.progress 25-08-19 12:22:33 [ DEBUG]: 0
21409 update-check 25-08-19 12:22:33 [ DEBUG]: Calling update
21409 actions.update.progress 25-08-19 12:22:33 [ DEBUG]: 0
21409 update-check 25-08-19 12:22:33 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
21409 update-check 25-08-19 12:22:33 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:33 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/rating.ini"...
21409 update-check 25-08-19 12:22:33 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:33 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/license_types.ini"...
21409 update-check 25-08-19 12:22:33 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:33 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/ucs.ini"...
21409 update-check 25-08-19 12:22:33 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:33 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/suggestions.json"...
21409 update-check 25-08-19 12:22:33 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:33 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/5.0/all.tar.gpg"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/4.4/all.tar.gpg"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/4.3/all.tar.gpg"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 actions.update.progress 25-08-19 12:22:34 [ DEBUG]: 100
21409 update-check 25-08-19 12:22:34 [ DEBUG]: Calling update
21409 actions.update.progress 25-08-19 12:22:34 [ DEBUG]: 0
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/rating.ini"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/license_types.ini"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/ucs.ini"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/suggestions.json"...
21409 update-check 25-08-19 12:22:34 [ DEBUG]: ... Not Modified
21409 update-check 25-08-19 12:22:34 [ INFO]: Downloading "https://appcenter.software-univention.de/meta-inf/5.1/all.tar.gpg"...
21409 update-check 25-08-19 12:22:35 [ INFO]: Downloading "http://appcenter.software-univention.de/meta-inf/5.1/all.tar.zsync"...
21409 update-check 25-08-19 12:22:35 [ DEBUG]: Calling in /tmp/tmpcz9nnbv1:
21409 update-check 25-08-19 12:22:35 [ DEBUG]: Calling zsync http://appcenter.software-univention.de/meta-inf/5.1/all.tar.zsync -q -o /tmp/tmpcz9nnbv1/.tmp.tar -i /tmp/tmpcz9nnbv1/.all.tar
21409 update-check 25-08-19 12:22:36 [ WARNING]: open: No such file or directory
21409 update-check 25-08-19 12:22:36 [ WARNING]: not using seed file /tmp/tmpcz9nnbv1/.all.tar
21409 update-check 25-08-19 12:37:37 [ WARNING]: bad status code 504
21409 update-check 25-08-19 12:37:37 [ WARNING]: failed to retrieve from http://appcenter.software-univention.de/meta-inf/5.1/all.tar.gz
21409 update-check 25-08-19 12:37:37 [ WARNING]: Aborting, download available in /tmp/tmpcz9nnbv1/.tmp.tar.part
21409 update-check 25-08-19 12:37:37 [ WARNING]: Downloading the App archive via zsync failed. Falling back to download it directly.
21409 update-check 25-08-19 12:37:37 [ WARNING]: For better performance, try to make zsync work for "http://appcenter.software-univention.de/meta-inf/5.1/all.tar.zsync". The error may be caused by a proxy altering HTTP requests
The App Center log (/var/log/univention/appcenter.log) shows that the update-check process is initiated, runs for approximately 15 minutes, and eventually times out.
Root Cause
This issue is related to Bug 52308.
The zsync tool is used to download App Center metadata files (e.g., all.tar.zsync). However, the original zsync implementation does not support HTTPS because it lacks integration with libraries like OpenSSL or GnuTLS. When UCS is behind a proxy that enforces HTTPS-only communication, zsync fails to retrieve the control file and causes a timeout:
failed on url https://appcenter.software-univention.de/meta-inf/5.1/all.tar.zsync
could not read control file from URL https://appcenter.software-univention.de/meta-inf/5.1/all.tar.zsync
This leads to:
bad status code 504
Downloading the App archive via zsync failed. Falling back to download it directly.
Workaround:
If the Proxy Server is an UCS system and univention-squid is installed, the UCR variable proxy/no_proxy can be used to define exceptions for direct connections.
proxy/no_proxy: <empty>
A comma-separated list of domain names for which the proxy should not be consulted. An exception for a domain like univention.de also applies to a subdomain like apt.univention.de.
Categories: system-network
Default: (not set)
Type: list[str,]
Example configuration:
ucr set proxy/no_proxy="updates.univention.de,appcenter.univention.de"systemctl restart squid.service univention-firewall.service
This allows zsync to bypass the proxy for the specified domains and complete the App Center update-check successfully.
After applying this workaround, rerun:
univention-app update-check --ucs-version 5.x
The blocking check should now complete without significant delay, allowing the UCS upgrade to proceed.
Optional:
Alternatively, you can adjust the target direction on a UCS standard proxy.
Example:
ucr set proxy/ftp=http://10.128.9.30:80
ucr set proxy/http=http://10.142.223.12:3128
ucr set proxy/https=http://10.142.223.12:3128
ucr set proxy/no_proxy=localhost,127.0.0.1,.univent.de,ucs-sso.univen.tion.de
Additional Notes
- This issue is triggered by the fallback to
zsyncfor metadata synchronization. - The timeout (approximately 15 minutes) results from repeated failed attempts before the fallback download begins.