Re: SWA error with crl_url
Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 1 of 17 (120 Views)
Accepted Solution

SWA error with crl_url


Hello,

I'm playing with SWA and I have some little problems, but not every time.

When I launch swa report, I very often receive the following error:
ERROR: Invalid value "http://crl.verisign.com/RSASecureServer.crl" for extended option "crl_url". The value is not a valid specification for a certificate revocation list.

The connection is through a Squid proxy, but I haven't seen any error in the Squid logs and the error message doesn't seem to be a connection problem.

Do you have any advice?

/var/opt/swa/swa.conf contains the following configuration:
proxy=http://squidserver:8080
analyzers=QPK SEC PCW CRIT PW
ssh_options=-o batchmode=yes
allow_existing_depot=true

Regards,
Cedrick Gaillard

P.S. This thread has been moved from HP-UX > System Administration to HP-UX > Patches. - HP Forums Moderator

Best regards, Cedrick Gaillard
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 17 (120 Views)

Re: SWA error with crl_url

Shalom,

If it's intermittent and the Squid logs are clean, you might have a problem with the network inside your shop or ISP issues.

For grins, perhaps permit a proxy bypass for this URL.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: ‎07-06-2000
Message 3 of 17 (120 Views)

Re: SWA error with crl_url

Hi Cedrick:

I have seen this error intermittently too, albeit in a configuration without any proxy server interposed. My experience has been that upon rerunning, the command is successful.

Regards!

...JRF...
Acclaimed Contributor
Torsten.
Posts: 22,953
Registered: ‎10-02-2001
Message 4 of 17 (120 Views)

Re: SWA error with crl_url

Try

>swa report -x http_proxy=http://squidserver:8080

Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!

Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 5 of 17 (120 Views)

Re: SWA error with crl_url

I've already set the proxy option and I can retrieve files through HTTP, HTTPS and FTP without problem.

My problem is that sometimes (often) I get the error 'invalid value' when SWA checks the RSASecureServer.crl file; I don't think it's a problem with the HTTP connection.

Any other advice?
Best regards, Cedrick Gaillard
Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 6 of 17 (120 Views)

Re: SWA error with crl_url

Additional information:
I know that if I retry the swa command the error disappears.
What I want is to understand this error message; maybe it's my limited English translation from my French mother tongue...

All the options I use are in my first message; I've never set the crl_url extended option.

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard
Acclaimed Contributor
Torsten.
Posts: 22,953
Registered: ‎10-02-2001
Message 7 of 17 (120 Views)

Re: SWA error with crl_url

Did you try the command? Looks like your conf file is in a wrong directory.

Hope this helps!
Regards
Torsten.

Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 8 of 17 (120 Views)

Re: SWA error with crl_url

A couple comments here:

1. We have improved the text of the error message for the next SWA release. As stated, it somewhat implied that the URL was invalid. The error really means that the certificate revocation list downloaded from that URL is invalid, corrupted, or doesn't match the certificate of the HTTPS ITRC website.

2. I have seen this error as well, but as it was a transient failure we were unable to reproduce it. One guess was that Verisign's website went down temporarily, but we were unable to confirm that with them, and the website was back up and working by the time we tried.

Thanks to all who have confirmed this problem. Next time someone sees it, try accessing that URL with a web browser. If it doesn't connect, that would confirm the website unavailability theory. If it does, please post the downloaded crl (e.g. respond to this forum posting) so we can have a look at it and diagnose further.

In the meantime, we'll keep an eye out for it. Thanks again for reporting this issue.

-Keith
Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 9 of 17 (120 Views)

Re: SWA error with crl_url

Hello Keith,

I don't know how, but I can reproduce the problem:

I test a download: OK
#> curl --proxy nr0y0036:8080 -G http://crl.verisign.com/RSASecureServer.crl >RSASecureServer.crl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  332k  100  332k    0     0   218k      0  0:00:01  0:00:01 --:--:--  285k
#> curl --proxy nr0y0036:8080 --pubkey RSASecureServer.crl https://ftp.itrc.hp.com/wpsl/bin/doc.pl/screen=wpslDownloadPatch/swa_catalog.xml.gz?PatchName=/expor...>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1025k    0 1025k    0     0   146k      0 --:--:--  0:00:06 --:--:--  319k

I try with SWA: NOK
#> rm -r /.swa
#> swa report

======= 07/12/07 10:58:50 METDSTDST BEGIN T Report on Issues and New Software (user=root) (jobid=nr0u0131)

* Gathering Inventory
NOTE: Created a template "//.swa/ignore" file. Please read this file for more information about how to ignore issues in the future.
* Getting Catalog of Recommended Actions and Software
ERROR: Invalid value "http://crl.verisign.com/RSASecureServer.crl" for extended option "crl_url". The value is not a valid specification for a certificate revocation list.

======= 07/12/07 10:59:04 METDSTDST END T Report on Issues and New Software failed with 1 error. (user=root) (jobid=nr0u0131)

NOTE: More information may be found in the Software Assistant logfile "/var/opt/swa/swa.log".


I retry with curl: OK
#> curl --proxy nr0y0036:8080 -G http://crl.verisign.com/RSASecureServer.crl >RSASecureServer.crl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  332k  100  332k    0     0   162k      0  0:00:02  0:00:02 --:--:--  204k


It's not a problem with the verisign.com website.

Here is my config:
#> egrep -v "^$|^#" /etc/opt/swa/swa.conf
proxy=http://nr0y0036:8080
analyzers=QPK SEC PCW CRIT PW
ssh_options=-o batchmode=yes
allow_existing_depot=true

The Squid log when I use curl:
1184231225.331 4671 10.92.12.128 TCP_MISS/200 340412 GET http://crl.verisign.com/RSASecureServer.crl - DIRECT/12.158.80.10 application/pkix-crl
1184231236.697 7895 10.92.12.128 TCP_MISS/200 1066576 CONNECT ftp.itrc.hp.com:443 - DIRECT/192.151.52.14 -

The Squid log when I use swa report:
1184231464.078 3343 10.92.12.128 TCP_MISS/200 340412 GET http://crl.verisign.com/RSASecureServer.crl - DIRECT/12.158.80.10 application/pkix-crl
1184231586.036 125981 10.92.12.128 TCP_MISS/200 2032 CONNECT ftp.itrc.hp.com:443 - DIRECT/192.151.52.14 -


The strangest thing is that sometimes it works!

I hope this information will help you.
Best regards, Cedrick Gaillard
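The two Squid runs in the post above, read mechanically. This is an added example, not code from the thread or from HP: a small parser for Squid's native access.log format (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type) run over the four lines Cedrick posted, embedded here as the sample input. It reports the size of every fetch of the CRL (340412 bytes both times, so curl and swa received the same amount of CRL data through the proxy) and flags CONNECT tunnels to ftp.itrc.hp.com:443 that carried less than a threshold. The swa tunnel moved 2032 bytes in 125981 ms against 1066576 bytes for curl, which is handshake-sized traffic followed by a long wait: the TLS session was closed before the catalog flowed, and the proxy log cannot show which end closed it. The 16 KB threshold and the function names are assumptions of this example.

```python
# Added example (not from the thread or from HP SWA): triage Squid native access.log
# lines to compare the swa run with the curl run. Sample lines are the four entries
# posted in the thread; the min_bytes threshold is an assumption.
from collections import namedtuple

SquidEntry = namedtuple(
    "SquidEntry",
    "ts elapsed_ms client result status size method url ident hierarchy ctype")


def parse_squid_line(line):
    """Native format: time elapsed client result/status bytes method URL ident hierarchy/peer type."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"not a native-format Squid line: {line!r}")
    result, status = f[3].split("/", 1)
    return SquidEntry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                      f[5], f[6], f[7], f[8], f[9])


def parse_squid_log(text):
    return [parse_squid_line(ln) for ln in text.splitlines() if ln.strip()]


def crl_fetches(entries, crl_url):
    """(bytes, elapsed_ms) for every GET of the CRL through the proxy."""
    return [(e.size, e.elapsed_ms) for e in entries
            if e.method == "GET" and e.url == crl_url]


def short_tunnels(entries, host_port, min_bytes):
    """CONNECT tunnels to host_port that carried fewer than min_bytes in total.

    A TLS handshake alone is a few KB and the SWA catalog is about 1 MB, so a
    tunnel this small was closed before any payload flowed. Squid only sees the
    tunnel, so it cannot record which side closed it or why.
    """
    return [e for e in entries
            if e.method == "CONNECT" and e.url == host_port and e.size < min_bytes]


# The four access.log lines posted in the thread (curl run, then swa run).
SAMPLE_LOG = """\
1184231225.331 4671 10.92.12.128 TCP_MISS/200 340412 GET http://crl.verisign.com/RSASecureServer.crl - DIRECT/12.158.80.10 application/pkix-crl
1184231236.697 7895 10.92.12.128 TCP_MISS/200 1066576 CONNECT ftp.itrc.hp.com:443 - DIRECT/192.151.52.14 -
1184231464.078 3343 10.92.12.128 TCP_MISS/200 340412 GET http://crl.verisign.com/RSASecureServer.crl - DIRECT/12.158.80.10 application/pkix-crl
1184231586.036 125981 10.92.12.128 TCP_MISS/200 2032 CONNECT ftp.itrc.hp.com:443 - DIRECT/192.151.52.14 -
"""


def triage(text, crl_url="http://crl.verisign.com/RSASecureServer.crl",
           host_port="ftp.itrc.hp.com:443", min_bytes=16384):
    """Summarise CRL fetches and undersized TLS tunnels in one Squid log excerpt."""
    entries = parse_squid_log(text)
    return {
        "crl_fetches": crl_fetches(entries, crl_url),
        "short_tunnels": [(e.ts, e.size, e.elapsed_ms)
                          for e in short_tunnels(entries, host_port, min_bytes)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real access.log, `triage(open("/var/log/squid/access.log").read())` lists every undersized tunnel to the ITRC host with its timestamp, which is the quickest way to line up a failed `swa report` with the proxy's view of it.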
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 10 of 17 (120 Views)

Re: SWA error with crl_url

Cedrick,

Can you post the contents of the CRL that you downloaded (attach the file) so we can see whether it is valid?

You have confirmed that the website was up and running at the time; we still haven't validated that the crl is valid.

One other possibility: is your system time set correctly? This error might be triggered if your system time is off by enough that the crl would not be valid during that time period. This doesn't explain everything, but it could explain why you are seeing this more frequently than others.

Also, note:

1. --pubkey is used for ssh keys in curl, which is not related to the https connection.

2. curl doesn't appear to do crl checking at all (i.e. it is less secure because if the certificate is revoked, curl won't inform you.) So that explains why curl appeared to "work" over an https connection. You can turn off CRL checking in SWA as well, if that's the behavior you want (probably reasonable as a short term workaround).

Perhaps we should change the behavior in SWA to a warning rather than a fatal error?

Thanks for your help in tracking this down.

-Keith
Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 11 of 17 (120 Views)

Re: SWA error with crl_url

Hello,

You'll find the CRL downloaded with curl this morning (still no access with SWA) attached.

The system is NTP synchronized:
#> ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*nr0u0074e0.cbv. rcbv-prodag1.ne  5 u   50   64  377    0.46    0.009    0.02
+nr0u0089e0.cbv. rcbv-prodad1.ne  5 u   51   64  377    0.38   -0.639    0.02

The workaround for the moment is to download with ssh through another system, but I'd prefer to use the proxy.

One question :)
Is it possible to change the FTP server for downloading the patches?
europe-ffs.external.hp.com is really, really, really faster than ftp.itrc.hp.com.

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 12 of 17 (120 Views)

Re: SWA error with crl_url

Thanks for more great feedback, and I will look into that CRL you attached.

The next few sentences might qualify as SWA "advanced topics"....

1. The other workaround is to disable crl checking for now (since you're not checking the CRL through your alternate mechanism anyway.) You can do this with -x crl_check=false. The certificate has not been revoked, and I would know if it had been...of course, you may be viewing this over an http page so you can never be quite sure :)

2. The "download_cmd" option allows for a lot of flexibility, including many things for which it was not originally intended. For example, we had intended to have an option to specify the download site for patches, but that option hasn't yet fit into a release. However, you can use the download_cmd option to improve your download speed by pointing at the European server. (by the way, HP might be working on some infrastructure changes which could improve that performance issue)

Ok, so if you make a script like so (writing this on the fly...haven't tested it, and I hope my shell characters don't get mangled in posting...):

##################
#!/sbin/sh
# download_cmd wrapper: the URL SWA hands the script arrives as $1 (as in the
# original). Rewrite the ftp.itrc.hp.com host to the European mirror and let curl
# fetch it to stdout as before. The dots in the pattern are escaped so they match
# literally, and the trailing dot is kept in the replacement so the result is
# ftp://europe-ffs.external.hp.com/... rather than europe-ffs.externalhp.com.
url="$1"
newurl=`echo "$url" | sed -e 's/ftp:\/\/ftp\.itrc\./ftp:\/\/europe-ffs.external./'`
exec curl "$newurl"

#################

Then specify this script as the download_cmd for swa get. It should rewrite the url to use the european ftp site. The security characteristics are the same because the integrity of the patches is based on the md5sum in the catalog, which was downloaded over https.

Note that in the swa.conf file, you should be able to specify a different download command for get mode vs. report in the same way as SD default files, as such:

get.download_cmd=foo
report.download_cmd=bar
step.download_cmd=foo

Again, these are pretty advanced topics and probably not very well documented (the man pages are pretty long already)

Hope that helps...let me know how it goes.

-Keith
Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 13 of 17 (120 Views)

Re: SWA error with crl_url

thanks Keith.

Best regards, Cedrick Gaillard
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 14 of 17 (120 Views)

Re: SWA error with crl_url

Cedrick,

I was able to load the crl you posted and it appeared to be valid (both in SWA and in Firefox). My remaining theories:

1. some sort of transient network failure that just happens frequently in your circumstance...

2. some issue related to timezones. It appears that Verisign updates this particular CRL each day at 4:00:38am (or so) and posts it to the website at 10:00am. I'm not sure what timezone either of those is in, but we have heard more reports of this problem in Europe than in the US.

Have you tried it later in the day?

It is odd that the crl that they post indicates that the "next update time" of the crl is two weeks from whatever date it is posted, even though they update it daily...

I'll keep looking into it...just wanted to give you a status report.

-Keith
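Keith's explanation of the error (messages 8 and 10: the CRL fetched from crl_url failed validation, possibly because of the local clock) and his notes on the CRL's thisUpdate/nextUpdate schedule (message 14) come down to a few checks one can run on the file that curl saved. What follows is an added example, not code from the thread or from HP SWA: a minimal pure-Python DER walker that pulls issuer, thisUpdate, nextUpdate and the revoked serial numbers out of an RFC 5280 CertificateList and classifies the CRL against a given clock with a small tolerance, so "downloaded CRL is invalid" can be split into "clock skew", "stale CRL" and "really corrupt" before the proxy is blamed. It does not verify the CRL signature. The sample CRL is constructed inside the block with a hypothetical issuer name and a zero-filled signature so that everything runs offline; the 5-minute skew allowance and all function names are assumptions of this example.

```python
# Added example (not from the thread or from HP SWA): parse a DER-encoded X.509 CRL
# (RFC 5280 section 5) far enough to check its validity window and revoked serials.
# Pure-Python DER walking; the signature over tbsCertList is NOT verified here.
import datetime as dt


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split SEQUENCE/SET content into a list of (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def der_time(tag, content):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ) -> aware UTC datetime.
    Python's %y pivot (69) differs from RFC 5280's (50) only for years 1950-1968."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(content.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def parse_crl(blob):
    """CertificateList -> dict(issuer_der, this_update, next_update, revoked)."""
    _, cert_list, _ = der_read(blob, 0)
    fields = der_children(der_children(cert_list)[0][1])   # tbsCertList fields
    i = 1 if fields[0][0] == 0x02 else 0                  # optional version INTEGER
    i += 1                                                # signature AlgorithmIdentifier
    issuer_der, i = fields[i][1], i + 1                   # raw Name, comparable to a cert's issuer
    this_update, i = der_time(*fields[i]), i + 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update, i = der_time(*fields[i]), i + 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:          # revokedCertificates
        for _, entry in der_children(fields[i][1]):
            serial = der_children(entry)[0][1]             # userCertificate INTEGER
            revoked.add(int.from_bytes(serial, "big", signed=True))
    return {"issuer_der": issuer_der, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}


def check_crl_window(crl, now, skew=dt.timedelta(minutes=5)):
    """'ok', 'not_yet_valid' (clock behind thisUpdate) or 'stale' (clock past nextUpdate)."""
    if now + skew < crl["this_update"]:
        return "not_yet_valid"
    if crl["next_update"] is not None and now - skew > crl["next_update"]:
        return "stale"
    return "ok"


def is_revoked(crl, serial):
    return serial in crl["revoked"]


# --- constructed sample CRL: hypothetical issuer, zero-filled signature ---------------
def der(tag, content):
    """Encode one DER TLV with definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def utc_time(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(this_update, next_update, serials):
    sha1_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))   # CN
                                           + der(0x13, b"Example CRL Issuer"))))
    entries = b"".join(der(0x30, der(0x02, s.to_bytes(2, "big")) + utc_time(this_update))
                       for s in serials)
    tbs = der(0x30, der(0x02, b"\x01") + sha1_rsa + issuer + utc_time(this_update)
              + utc_time(next_update) + der(0x30, entries))
    return der(0x30, tbs + sha1_rsa + der(0x03, b"\x00" * 129))   # unverifiable signature


SAMPLE_THIS_UPDATE = dt.datetime(2007, 7, 12, 10, 0, 38, tzinfo=dt.timezone.utc)
SAMPLE_NEXT_UPDATE = SAMPLE_THIS_UPDATE + dt.timedelta(days=14)
SAMPLE_CRL = build_sample_crl(SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE, [4097, 4098])

if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL)
    print("thisUpdate", crl["this_update"], "nextUpdate", crl["next_update"])
    print("status against this clock:", check_crl_window(crl, dt.datetime.now(dt.timezone.utc)))
```

Against the real file, `parse_crl(open("RSASecureServer.crl", "rb").read())` followed by `check_crl_window(crl, datetime.now(timezone.utc))` tells you whether the CRL as fetched is inside its window on a box that ntpq says is in sync; a "not_yet_valid" result there points at the publication schedule rather than the local clock. For the issuer and the signature, `openssl crl -inform DER -in RSASecureServer.crl -noout -issuer -lastupdate -nextupdate` reads the same fields from the same bytes and will refuse a corrupt file outright.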
Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 15 of 17 (120 Views)

Re: SWA error with crl_url

Hello,

Sorry for the delay.
I've tried once this morning with no error.

All servers here are NTP synchronised; I've verified the date and all seems correct (on the proxy, on the gateway, on the server), and I do not use a proxy cache, so I don't know where the transient errors could be.

Thanks for your update ;).

Also note that I've opened a call for enhancement (JAGag44677), but I don't know its status; do you have any link to see it?

Regards,
Cedrick Gaillard.
Best regards, Cedrick Gaillard
Respected Contributor
Keith Buck
Posts: 233
Registered: ‎10-24-2000
Message 16 of 17 (120 Views)

Re: SWA error with crl_url

Well, I've had no luck here reproducing the problem. The CRL that you attached looks perfectly valid. The modified time of the CRL which is posted each day at 10:00am UTC appears to match the 4:00am MDT update time in the CRL.
Apparently you can't reproduce it reliably on your end either...for now I guess we'll just keep an eye out for others experiencing this problem.

Re: JAGag44677 (system-specific readBeforeInstall.txt) - we will be discussing this in the context of other multi-system support.

Thanks for all the feedback!

-Keith
Trusted Contributor
mobidyc
Posts: 282
Registered: ‎09-20-2006
Message 17 of 17 (120 Views)

Re: SWA error with crl_url

Thanks to you Keith,

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard