Re: [tor-relays] Debian is not allowing tor to update despite it being listed as a trusted respritory

To: "tor-relays" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Subject: Re: [tor-relays] Debian is not allowing tor to update despite it being listed as a trusted respritory

Date: Mon, 09 May 2022 08:40:12 +0100

Arc-authentication-results: i=1; mx.zohomail.eu; dkim=pass header.i=bentasker.co.uk; spf=pass smtp.mailfrom=ben@xxxxxxxxxxxxxxx; dmarc=pass header.from=<ben@xxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu; s=zohoarc; t=1652082014; h=Content-Type:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=4lxC2EIr5xyRMIiOD23df2NG87uJBWXej9rVIaZcpH0=; b=QL5gm6vd51Kq2I4J+sCifkXjwJOiBTNLjahbE21iqFTYFFI/hd64XOXWDzoYTnWpf+wTflXmIcK2ZXAoDGK4yojBg9NzWtWMPPOss+GAVJYBY/PmQ9lBT3CBotEDTzcb1V//vOeFO/47g9KECo+D3v2thAudCr7Siq2IV4nX2zA=

Arc-seal: i=1; a=rsa-sha256; t=1652082014; cv=none; d=zohomail.eu; s=zohoarc; b=Td0gHGjSDW3KxblUDJzqm0CFwHASqpdbn6dk2Drv8HTaWuf6mmjAU2JwkXkOiHvBLupZgn6HIvSOQeQnlLX5T68B57+T/+jgyyJSie5GzRhgeIkWwkNBnfLVEmBpHs2uW7ZcWzAQ/cXMpqihsshNVIzZITKMIYkfPYls4TewJJo=

Delivered-to: archiver@xxxxxxxx

Delivery-date: Mon, 09 May 2022 03:53:49 -0400

Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1652082014; s=zohomail; d=bentasker.co.uk; i=ben@xxxxxxxxxxxxxxx; h=Date:From:From:To:To:Message-Id:Message-Id:In-Reply-To:References:Subject:Subject:MIME-Version:Content-Type:Reply-To:Cc; bh=4lxC2EIr5xyRMIiOD23df2NG87uJBWXej9rVIaZcpH0=; b=r0ZzDubIHB3pjy2+RykhMNNpFjpYDjyc3pbG6ebc7UsqA8MA+yNIyVk/BxA5yd86 d+aOvL+Ida2HoRHYT5mw+zYg1RU1eGUEL29Bi25kVG4Ts5KHy+Fe1VrIKY0+6+mJiB9 G5azNOGpAQLDPvop7BTb3EgHsjYRo8qT6OUdz2Xs=

Importance: Medium

In-reply-to: <CADqUGANQvQe37MwNbFce5ooFUsfHsV2BspCYStJ=mQMCT=Sxiw@mail.gmail.com>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays $exit, non-exit, bridge$" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <49747692-45DE-425C-868B-DC197B5C97E4@hxcore.ol> <5ef7cac0-c1dd-fa9c-7ffa-32463ddea3fa@wilkensteen.org> <CADqUGAMcKk6AVCMqzMotEHjQ7TKTxhASwHHKUW9-4+6JxGfO5w@mail.gmail.com> <2823954.Jk56qYd4fR@w530> <1809456a2e8.e78bebf8699839.5204102809950222869@bentasker.co.uk> <CADqUGAP0hVYLTvmg9CFZC-w6tVRBZ7=JOvUOjXKLDzGETkaALQ@mail.gmail.com> <CADqUGANmmXUKRG5r5wLuE_AxovMVnxazv5zi4Bfx5h1XcQ9QUw@mail.gmail.com> <CADqUGANQvQe37MwNbFce5ooFUsfHsV2BspCYStJ=mQMCT=Sxiw@mail.gmail.com>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

User-agent: Zoho Mail

Did the final curl complain about an expired certificate?

curl https://deb.torproject.org/torproject.org/

If so, that might indicate you've got OpenSSL 1.0, try

openssl version

If that's the case, then really you need to get that (and/or the underlying OS) updated.

In the short term, we can address this by commenting out the expired root in your trust store.

sudo -s

cp /etc/ca-certificates.conf ~/ca-certificates.conf.bkup

sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf

update-ca-certificates

Then try the curl again

curl https://deb.torproject.org/torproject.org/

It should no longer complain about the certificate having expired. If it now complains that the certificate isn't trusted, then the X1 cert isn't properly installed and we'll have to look at that.

--
Ben Tasker
https://www.bentasker.co.uk

---- On Sun, 08 May 2022 15:49:18 +0100 Keifer Bly <keifer.bly@xxxxxxxxx> wrote ----

I have done all these and it still happens. Is there perhaps a tool that will set this up? Thanks.

--Keifer

On Sat, May 7, 2022, 10:54 AM Keifer Bly <keifer.bly@xxxxxxxxx> wrote:
I am running as the root user.

--Keifer

On Sat, May 7, 2022, 10:50 AM Keifer Bly <keifer.bly@xxxxxxxxx> wrote:
Ok will try these things. Does that it's an ovh debain have anything to do with it? Hosted by them and they may frown on tor.

--Keifer

On Thu, May 5, 2022, 8:41 AM ben <ben@xxxxxxxxxxxxxxx> wrote:
> Simply displays a message "no valid openpgp data found". My sources file

You'll see this because your system doesn't trust the cert chain.

You're not seeing a certificate warning because you've got output suppressed (the -q in wget's arguments)

If you run

    wget https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc

I suspect you'll see the certificate warning.

You need to fix that before anything suggested here is going to work - if the cert chain isn't trusted then apt isn't going to access the repository's indexes, and so won't even see what packages are there, much less install them.

As apt didn't grab an updated version for you (which may be due to other repo misconfigurations) you probably want to grab and install the cert manually

    # Verify that this gives a cert warning
    curl https://deb.torproject.org/torproject.org/

    curl -k --output "/tmp/ISRG_Root_X1.crt" "https://letsencrypt.org/certs/isrgrootx1.pem.txt"
    sudo mv /tmp/ISRG_Root_X1.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates

    # Now try again
    curl https://deb.torproject.org/torproject.org/

If that final curl now works, run apt-get update and you should find apt no longer complains about the tor repo

--
Ben Tasker
https://www.bentasker.co.uk

---- On Thu, 05 May 2022 13:21:22 +0100 <lists@xxxxxxxxxxxxxxx> wrote ----

On Thursday, May 5, 2022 5:17:23 AM CEST Keifer Bly wrote:
> Thank you. But running wget -qO-
> https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E88
> 6DDD89.asc
>
> gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Maybe copy paste error. It must be one line and you must be root or type
'sudo' in front of it. Maybe you can better copy from here:

3. Then add the gpg key ...
https://support.torproject.org/apt/

> Simply displays a message "no valid openpgp data found". My sources file

If this message appears again, install gpg:
sudo apt update && apt -y install gnupg

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays