Failed to synchronize AUR database
Pamac --version
Pamac 10.4.3-1 - libpamac 11.4.1-1
Variant in use
GUI and CLI
Distribution
e.g. Manjaro
Desktop environment
KDE Plasma and GNOME
What's not working
When synchronizing the package database I always get:
https://aur.manjaro.org/packages-meta-ext-v1.json.gz: Unacceptable TLS certificate
Failed to synchronize AUR database
How to reproduce?
Regardless of whether it is done from the GUI or the CLI. I noticed this first on an unstable branch install I have, reproduced it on the second install, and then I could reproduce it on my testing branch install.
Activity
Just to backup this issue and indicate it is not just a single user having that problem:
Looks like this is CDN related, see the forum: https://forum.manjaro.org/t/pamac-fails-to-synchronise-due-unacceptable-tls-certificate/125548/14?u=trimoon
- Owner
More or less an error page pops up, which we don't maintain, when a purge of a node is in progress and the file therefore doesn't exist. Pamac should ignore and try to refetch it. If that fails, pamac should give a meaningful error message why the AUR DB couldn't be fetched.
- Owner
Unacceptable TLS certificate Failed to synchronize AUR database
Our CDN provider has its own CERT for its own domains. Since we don't use their domain, we provide our own CERT from our main page, which we upload on a regular basis to the CDN backend. We point to the folder structure of the file server in the URL pamac knows to fetch the AUR DB files. Internally the CDN is distributing the files from the file server to all its nodes, which the URL may then point to. If a node is in purge mode (as we have to purge, since the file names never change) it may lead to an error page, which we don't maintain and which uses the CERT from the CDN provider. In that case pamac fetches the wrong CERT and errors out. Anyway, if people read about CERT issues they freak out and post about it. I can check with the CDN provider if we find a solution within their backend or if pamac needs to do a refetch and report in a more meaningful way why it failed to fetch the file. Sure the CERT error is correct, but technically true if you know how the backend works.
- Maintainer
From my test, if pamac retries immediately, it gives the same error. So I can only silence this error from pamac as there is no way to determine when it occurs.
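The refetch-then-report behaviour discussed in the comments above, as an added Python example; it is not pamac's code (pamac is written in Vala), and the function names, the delay values and the verify-code table are assumptions. It retries with a growing delay, since an immediate retry was reported to hit the same error, never relaxes certificate verification, and turns the final failure into a message that names the cause.

```python
import http.client
import ssl
import time

# OpenSSL X509 verify codes (assumed mapping to causes for this example).
# 62 is what a CDN error page under the provider's own certificate yields.
CAUSES = {
    62: "certificate was issued for a different host (CDN error page?)",
    10: "certificate has expired",
    20: "issuer is not in the local trust store",
}

class SyncError(Exception):
    """The database could not be fetched over a verified connection."""

def explain(err):
    """Turn a low-level failure into a message a user can act on."""
    if isinstance(err, ssl.SSLCertVerificationError):
        code = getattr(err, "verify_code", None)
        detail = CAUSES.get(code) or getattr(err, "verify_message", "") or str(err)
        return f"TLS verification failed: {detail}"
    return f"transfer failed: {err}"

def https_fetch(host, path, timeout=10):
    """GET https://host/path with full certificate and hostname checks."""
    conn = http.client.HTTPSConnection(
        host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise ConnectionError(f"HTTP {resp.status} from {host}")
        return resp.read()
    finally:
        conn.close()

def sync_aur_db(fetch, attempts=4, base_delay=30.0, sleep=time.sleep):
    """Retry fetch() with exponential backoff; verification is never relaxed."""
    last = None
    for n in range(attempts):
        try:
            return fetch()
        except (ssl.SSLCertVerificationError, ConnectionError) as err:
            last = err
            if n + 1 < attempts:
                sleep(base_delay * 2 ** n)  # 30 s, 60 s, 120 s, ...
    raise SyncError(f"AUR database not updated, keeping old copy: {explain(last)}")
```

A caller would run `sync_aur_db(lambda: https_fetch("aur.manjaro.org", "/packages-meta-ext-v1.json.gz"))` and leave the previously downloaded database in place when `SyncError` is raised.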
- Owner
Can you check here: https://gitlab.com/goodvibes/goodvibes/-/commit/b75d8e6d similar to https://gitlab.com/goodvibes/goodvibes/-/issues/128 based on libsoup3?
- Owner
Since CDN77 staples OCSPs we should ignore them for that URL on the client side to avoid those TLS errors.
```
gnutls-cli --tofu aur.manjaro.org
Processed 163 CA certificate(s).
Resolving 'aur.manjaro.org:443'...
Connecting to '89.187.167.9:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=manjaro.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04d1b8323524113e2a6130837276c26f2d27, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-11-24 22:34:46 UTC', expires `2023-02-22 22:34:45 UTC', pin-sha256="2sCcFhr1i8lFMG/cWHrMs3ZcZy3HF01C4QUdTT1WIIk="
	Public Key ID:
		sha1:3ff504335538839bb907da19827346d418833b1b
		sha256:dac09c161af58bc945306fdc587accb3765c672dc7174d42e1051d4d3d562089
	Public Key PIN:
		pin-sha256:2sCcFhr1i8lFMG/cWHrMs3ZcZy3HF01C4QUdTT1WIIk=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
|<1>| There is a newer OCSP response but was not provided by the server
- Status: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
*** PKI verification of server certificate failed...
Host aur.manjaro.org (https) has never been contacted before.
Its certificate is valid for aur.manjaro.org.
Are you sure you want to trust it? (y/N): y

- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 7A:E5:C0:B6:28:64:B0:1A:16:37:A5:EE:D8:8F:5A:77:49:5E:FB:5A:CA:8E:53:48:B5:60:7B:9E:F6:80:C2:06
- Options: OCSP status request[ignored],
- Handshake was completed

- Simple Client Mode:

- Peer has closed the GnuTLS connection
```
-
Pamac 10.4.3-3 - libpamac 11.4.1-3
I am getting this error;
```
$ sudo pamac upgrade
Warning: Building packages as dynamic user
Warning: Setting build directory to /var/cache/pamac
Preparing...
Synchronizing package databases...
https://aur.manjaro.org/packages-meta-ext-v1.json.gz: Unacceptable TLS certificate
Failed to synchronize AUR database
Nothing to do.
Transaction successfully finished.
```
Edited by Abhishek Bhasker
- Maintainer
should be fixed now
- Guillaume Benoit closed
- Owner
@guinux seems we should use curl after all on this one. As an alternative I could create a new server, but then it would be only one location and not a CDN network.
- Philip Müller reopened
This annoying message still persists with
Pamac 10.6.0 pamac-cli 11.6.0 libpamac 11.6.0
I need to repeat the operation 7 or 8 times to get it working, why only pamac suffers from it while yay works fine?
- Owner
yay is using the databases from Arch and not those we provide. It is a problem with how we get the files from our CDN network. We tried to fix that by changing certificates but it seems it is not solved completely.
Same error here:
Sincronización de bases de datos de paquetes... https://aur.manjaro.org/packages-meta-ext-v1.json.gz: Certificado TLS inaceptable
pamac --version
pamac-cli 11.6.0 - libpamac 11.6.3
Distribution
Manjaro Linux 23.1.3 (kernel 6.6.10-1-MANJARO)
Desktop environment
i3
I don't know how to link but while searching the issue database for this particular issue I found a duplicate type issue here:
I'm not expecting a quick fix on the sync issue but could you at least provide an option to shift minor errors like sync failure to the status bar instead of an annoying prompt that I have to close. The sync issue hasn't affected me in any other noticeable way as yet so I'm satisfied if the error is just dumped in a place I can see it but don't have to close.
Operating System: Manjaro Linux
KDE Plasma Version: 6.0.2
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.2
Kernel Version: 6.8.1-2-MANJARO (64-bit)
Graphics Platform: Wayland
With Pamac 10.6.0, I'm now always getting this message
```
pamac upgrade --aur --force-refresh --no-confirm
Preparing...
Synchronizing package databases...
Refreshing core.db...
Refreshing extra.db...
Refreshing multilib.db...
Refreshing core.files...
Refreshing extra.files...
Refreshing multilib.files...
Refreshing AUR...
** (pamac:13034): WARNING **: 22:23:18.924: aur_plugin.vala:483: Error moving file /var/tmp/pamac/packages-meta-ext-v1.json.gz.part: No such file or directory
Failed to synchronize AUR database
Nothing to do.
Transaction successfully finished.
```
Edited by Medin
- Mark Wagie mentioned in issue #1361 (closed)
- Maintainer
should be fixed with libpamac@3fe0f423
- Guillaume Benoit closed