Pamac fails to synchronise due to unacceptable TLS certificate

One would expect some kind of different error code from the server instead of something with an “Unacceptable TLS certificate”…
I think whoever is in control of that server, should recheck the config, because this is nutz…
Most likely the error page delivered when such a rate limiting happens, is just using a bad certificate which should be updated.
(e.g. contact the CDN owners)

There are many servers involved. The error message doesn’t tell much.

The client expects a certificate but maybe the server already killed the connection?

Or the CDN has different endpoints (the main reason for a CDN) and one of them serves an outdated certificate.
At least Manjaro (is that @philm) should contact the CDN and ask about what’s going on.
Their dashboard should show an increased error rate.

Still happening intermittently for me. Between this, and the bug in Pamac preventing updating any multi-package pkgbuild, I’m starting to use pamac less and less.

Quick reply to say that I’ve encountered this issue intermittently for at least a couple of weeks, maybe as much as 2 months. It happens across multiple Manjaro machines in my household. Using VPN does appear to have any effect.

Sometimes a second run works, sometimes not; force-refresh does not appear to help particularly.

A “me too” here having this error since today, but I must say that is the first time ever I have seen it!
And pamac --force-refresh or regenerating the mirror-pool doesn’t help at all either…

This is not really a pamac issue but is caused by the CDN url for the aur package database.

You are - most likely - only seeing this because you have opted to update custom pkgbuilds in the same run and - for reasons that should be obvious - this is not recommended.

Always sync official repo first - restart if required - then you can rebuild the custom packages.

Everybody agrees on this. The error message is not expressive enough. I guess it’s an invalid certificate because the server killed the connection before it even could have sent a certificate.
But that’s semantics.

If this is not the recommended way, why do you give me a gun, show me where my foot is, and tell me in all other threads “please pull it now”.
(The “you” is generic and pointed at you.)

I can’t rebuild the AUR packages after using pacman for the “official” updates because with pamac update --aur, it still tells me the above mentioned error.

3 Likes

:man_shrugging:

What a poster recommends in a thread is the poster’s opinion.

One can only speculate on the reason CDN generates those messages. One valid thought - I sincerely hope not - the source where CDN pulls the package database has a failing renewal script - but I don’t know.

@codesardine is co-admin on some of the servers - perhaps he can enlighten the community.

The message is more clear when you open Firefox

Secure Connection Failed

An error occurred during a connection to aur.manjaro.org. The OCSP response does not include a status for the certificate being verified.

Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

It is soooo easy to renew a Let’s Encrypt certificate.

Set up a systemd timer to trigger every 60 days with the command

certbot renew

Generally, yes, but if this AUR data is on a CDN, they have to distribute the certificates to all their servers.
Certbot doesn’t do this.

Anyway, without proper confirmation by the actual admins there’s only speculation.

Try disabling OCSP stapling in Firefox under settings privacy to restore functionality, meanwhile we will research if this firefox issue can be fixed server side.

Why do you think this is a Firefox issue? Firefox will never access aur.manjaro.org. It’s pamac that wants to download a file.

1 Like

I understand the pamac issue, however there is also a bug in firefox that does not read certificates with sha2 and I provided a temporary fix for that, as for pamac it will be investigated by the team, so my comment above was not very specific and it does not provide a fix for your issue but it will provide a fix for people having this issue on firefox.

The only reason why ppl get that message is because the AUR’s CDN is just mal-configured…
When it seemingly does “rate-throttling” it serves a page with a bad certificate, because if you try sometime later and get lucky the error disappears and the normal working continues without error, e.g. pacman database + AUR np…

The CDN serves the AUR domain with proper certificate, but the error page is served from a default page with bad certificate or config.

Any updates on this? I started to receive the same error today, when updating from terminal. curl and firefox work fine though

Just wait and try later after a few hours.

I’ve never seen the error in the last 2 weeks.

[alex@alex-b450aoruselite ~]$ pamac upgrade --force-refresh
Preparing...
Sincronización de bases de datos de paquetes...
Actualizando core.db...
Actualizando extra.db...
Actualizando community.db...
Actualizando multilib.db...
Actualizando repo-ck.db...
Actualizando core.files...
Actualizando extra.files...
Actualizando community.files...
Actualizando multilib.files...
Actualizando repo-ck.files...
https://aur.manjaro.org/packages-meta-ext-v1.json.gz: Unacceptable TLS certificate
Failed to synchronize AUR database
Nothing to do.
Transaction successfully finished.

It is only manjaro aur

Yes, I know, but I think there is some pamac bug here that is not being addressed. But, who knows…

1 Like

It’s just the CDN that is delivering an error page with a bad SSL certificate, when there are too many requests, if you ask me…

There are too many requests for those AUR databases. Here the last 24h of traffic you guys generate just for that:

image

Remember that those DBs are just 8 MB in size.

Here a traffic snapshot for the last 30 days just for AUR DB files:

image

Certificates are all valid:

AUR, Download and Mirrors use the same as our main homepage.

So why do I get those errors?

CDN works like this:

  • we have one storage server which gets every 10 Minutes a new DB file from the Arch server
  • we purge the files every 15 mins from all CDN nodes
  • CDN nodes will fetch the updated DB files from the storage server and cache them again

If you hit a node which is in progress to purge the file you hit an error page. pamac should in that case ignore the error and try to fetch that file again. I assume if you retry to fetch the file you won’t have that error. You only wonder why you have that error and complain.

2 Likes
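
The retry behaviour suggested in the post above, sketched as an added example (not part of the thread and not pamac's code): a client that retries a certificate failure with backoff while keeping TLS verification on for every attempt, and fails closed if the certificate is still rejected. The `fetch_verified` and `cert_failure` names and the `opener`/`sleep` parameters are assumptions made for illustration.

```python
import ssl
import time
import urllib.error
import urllib.request

# URL taken from the pamac output quoted earlier in the thread.
AUR_DB_URL = "https://aur.manjaro.org/packages-meta-ext-v1.json.gz"


def cert_failure(exc):
    """Return the SSLCertVerificationError behind exc (bare or urllib-wrapped), else None."""
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    return reason if isinstance(reason, ssl.SSLCertVerificationError) else None


def fetch_verified(url, attempts=4, base_delay=2.0, opener=None, sleep=time.sleep):
    """Fetch url, retrying certificate failures with verification always on.

    Returns (body, failures); failures holds one entry per rejected attempt so
    a node that keeps serving a bad certificate stays visible to the caller.
    `opener` and `sleep` are hypothetical injection points for offline testing.
    """
    if opener is None:
        ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check

        def opener(u):
            with urllib.request.urlopen(u, timeout=30, context=ctx) as resp:
                return resp.read()

    failures, last = [], None
    for attempt in range(attempts):
        try:
            return opener(url), failures
        except (ssl.SSLCertVerificationError, urllib.error.URLError) as exc:
            reason = cert_failure(exc)
            if reason is None:
                raise  # DNS errors, refused connections, HTTP status: not retried here
            failures.append(getattr(reason, "verify_message", None) or repr(reason))
            last = exc
            if attempt + 1 < attempts:
                sleep(base_delay * 2 ** attempt)  # 2 s, 4 s, 8 s with the defaults
    raise last  # still rejected: fail closed, never fall back to an unverified fetch


if __name__ == "__main__":
    body, rejected = fetch_verified(AUR_DB_URL)
    print(len(body), "bytes;", len(rejected), "rejected attempt(s):", rejected)
```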

The certificates of the domains the CDN serves might be all correct, but how about the certificate of the default error pages of the CDN itself?
Because if there are no wrong certificates at all, why the error message about the certificate then?
“Simple logical deduction detective Holmes” :wink: