Problem: Can't upgrade the UCS system - SSL: WRONG_VERSION_NUMBER

Problem:

An upgrade of the UCS system is not possible and you receive the following error message during univention-upgrade:

root@dc0:~# univention-upgrade 
Start univention-upgrade. Current UCS version is 5.0-3 errata718
Check for local repository: none
Failed to connect to repository server: Configuration error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1056). Please check the repository configuration and network connection.

The same happens with univention-app update:

root@dc0:~# univention-app update
Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
There is a problem with the App Center Server certificate https://appcenter.software-univention.de. ([SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1056))

Solution:

At first I thought it was a certificate problem, but watch out: the error message from univention-upgrade is on target.

Failed to connect to repository server: Configuration error

So ping the Univention update server; that looks good so far:

root@dc0:~# ping -c3 www.update.software-univention.de
PING www.update.software-univention.de (176.9.110.24) 56(84) bytes of data.
64 bytes from download2.software-univention.de (176.9.110.24): icmp_seq=1 ttl=55 time=15.6 ms
64 bytes from download2.software-univention.de (176.9.110.24): icmp_seq=2 ttl=55 time=15.6 ms
64 bytes from download2.software-univention.de (176.9.110.24): icmp_seq=3 ttl=55 time=15.7 ms

But the upgrade doesn't work, so I did some network tests.

  1. Install telnet on your UCS system as root:
univention-install telnet
  2. Open a telnet connection to updates.software-univention.de on port 80:
telnet updates.software-univention.de 80
Trying 176.9.110.24...
Connected to updates.software-univention.de.
Escape character is '^]'.
  3. Now send GET/ to issue an HTTP request:
root@dc0:~# telnet updates.software-univention.de 80
Trying 176.9.110.24...
Connected to updates.software-univention.de.
Escape character is '^]'.
GET/
HTTP/1.1 400 Bad Request
Server: squid/4.6
Mime-Version: 1.0
Date: Fri, 30 Jun 2023 13:20:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3317
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from dc0
X-Cache-Lookup: NONE from dc0:3128
Via: 1.1 dc0 (squid/4.6)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2018 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!--

The response headers show that a Squid proxy answered the request, and the Via and X-Cache headers show that it is running on dc0 itself:

Server: squid/4.6
  4. I would like to take a closer look at this with iptables:
root@dc0:~# grep iptables /etc/security/packetfilter.d/20squid
iptables --wait -t nat -A OUTPUT -p tcp -m owner --uid-owner proxy -m tcp --dport 80 -j ACCEPT
iptables --wait -t nat -A OUTPUT -p tcp -m owner --uid-owner proxy -m tcp --dport 443 -j ACCEPT
iptables --wait -t nat -A PREROUTING -d 10.200.30.10/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables --wait -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables --wait -t nat -A PREROUTING -d 10.200.30.10/24 -p tcp -m tcp --dport 443 -j ACCEPT
iptables --wait -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
iptables --wait -t nat -A PREROUTING -d 10.200.30.10/24 -p tcp -m tcp --dport 21 -j ACCEPT
iptables --wait -t nat -A PREROUTING -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 3128
iptables --wait -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables --wait -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
iptables --wait -t nat -A OUTPUT -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 3128

As you can see, outgoing connections to ports 80, 443 and 21 are redirected to the local Squid on port 3128, and the OUTPUT rules do this for the system's own traffic as well, not only for clients passing through it.

  5. We have already seen above that Squid is being used on the system; let's have a look at how the UCRV is set up:
root@dc0:~# ucr info squid/transparentproxy
squid/transparentproxy: true
 If this option is enabled, Squid runs as a transparent proxy, i.e. all web queries sent from a client are automatically rerouted to and answered by the proxy server. The prerequisite for such a configuration is that the proxy server is configured as the standard gateway for the clients. If enabled, packet filter rules are automatically included which redirect all queries for the ports specified in 'squid/webports' to the proxy server. After setting the variable Univention Firewall needs to be restarted.
 Categories: service-webproxy
 Default: (not set)
 Type: bool
  6. Set the UCRV to false so that the system's own traffic is no longer proxied and redirected:
root@dc0:~# ucr set squid/transparentproxy=false
Setting squid/transparentproxy
File: /etc/security/packetfilter.d/20squid
File: /etc/squid/squid.conf
  7. Next, restart the univention-firewall service so that the new settings are applied:
systemctl restart univention-firewall.service
  8. Try to upgrade your system again with univention-upgrade, or just run univention-app update to check that it is fixed:
root@dc0:~# univention-app update
Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/rating.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/license_types.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/ucs.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/suggestions.json"...
Downloading "https://appcenter.software-univention.de/meta-inf/5.0/all.tar.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.4/all.tar.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.3/all.tar.gpg"...
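Why the symptom is a TLS version error rather than a connection error, as an added example that is not part of the original post: OpenSSL reads the first five bytes it receives as a TLS record header, and Squid's cleartext "HTTP/1.1 400" answer on the redirected port decodes to content type 0x48 and version 0x5454, which is reported as [SSL: WRONG_VERSION_NUMBER]. The script below decodes those bytes and includes a probe that classifies what a port 443 connection actually returns; the host name is taken from the post, and the probe (unlike the decoding) needs network access.

```python
# Added example (not from the original post): decode the first bytes a server
# sends back the way OpenSSL's record layer does. This shows why Squid's
# cleartext "HTTP/1.1 400" answer on a redirected port 443 surfaces as
# [SSL: WRONG_VERSION_NUMBER] in univention-upgrade.
import socket
import struct

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

def record_header(data):
    """Parse the 5-byte TLS record header: (content type, version, length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    return struct.unpack("!BHH", data[:5])

def classify_first_bytes(data):
    """'tls' for a plausible TLS record, 'plaintext-http' for an HTTP status
    line, 'short' for fewer than 5 bytes, otherwise 'unknown'."""
    if len(data) < 5:
        return "short"
    ctype, version, _length = record_header(data)
    # Real TLS: known content type and a 0x03xx record-layer version.
    if ctype in TLS_CONTENT_TYPES and (version >> 8) == 0x03:
        return "tls"
    # b"HTTP/" decodes as type 0x48 ('H') and version 0x5454 ('TT'):
    # that is the "wrong version number" OpenSSL complains about.
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def probe_port(host, port=443, timeout=5.0):
    """Send a cleartext HTTP request to a TLS port and classify the reply.
    A genuine TLS server answers with a TLS alert record or closes the
    connection; a transparent proxy that intercepted the connection answers
    with an HTTP error page in the clear ('plaintext-http')."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            reply = sock.recv(16)
        except (ConnectionResetError, socket.timeout):
            return "no-reply"
    return "closed" if not reply else classify_first_bytes(reply)

if __name__ == "__main__":
    # Constructed sample: the status line Squid returned in the post above.
    squid_reply = b"HTTP/1.1 400 Bad Request\r\n"
    ctype, version, _ = record_header(squid_reply)
    print(f"type=0x{ctype:02x} version=0x{version:04x} -> {classify_first_bytes(squid_reply)}")
    print("updates.software-univention.de:443 ->", probe_port("updates.software-univention.de"))
```

With the transparent proxy still active, the probe reports plaintext-http for the DC's own outbound connection; after step 6 and 7 it should report tls or closed.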