Curl error 60 in updater.log

[jdougan]

Troubleshooting a sandstorm tt-rss feed polling issue (stops updating), I was looking at sandstorm updater/log and found this:

** Time: Thu Jun  2 18:29:48 2022
Checking for updates on channel dev...
*** Uncaught exception ***
sandstorm/run-bundle.c++:299: failed: curl failed; url = https://install.sandstorm.io/dev?from=287&type=startup; exitCode = 60
stack: 618fda 617d9b 61799c 615a6b 613490 611a24 6110ac 50665b 50624b

Checking libcurl, I find:

CURLE_PEER_FAILED_VERIFICATION (60)
The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK. This error code has been unified with CURLE_SSL_CACERT since 7.62.0. Its previous value was 51.

This is on Ubuntu 16.04 with all updates.

root@sandstorm:/opt/sandstorm# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial
root@sandstorm:/opt/sandstorm# uname -a ; curl --version
Linux sandstorm 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

[ocdtrekkie]

Ubuntu 16.04 is pretty old now. I believe I recently found another user encountered this and needed to tell curl to use a newer bundle of CA certificates: https://curl.se/docs/caextract.html

[ocdtrekkie]

curl 7.47.0 was released a very long time ago: https://curl.se/docs/vuln-7.47.0.html

[zenhack]

16.04 is indeed very old -- old enough to be out of support, even for an LTS release (canonical's window for those is 5 years). So you will probably want to update to a newer LTS release at some point anyway.

Perhaps this is obvious, but it is worth noting that that error means your sandstorm box is also not auto-updating -- and based on the from query parameter looks like this broke for you around September; the current release is 0.297 ...it would be good if Sandstorm tried a little harder to get an admin's attention when updates aren't working.

I have some vague recollection of let's encrypt having tweaked something at some point that broke some very old TLS clients, and my fuzzy memory of how long ago it was makes that seem like a possible proximate cause here as well.

[zenhack]

...also I wonder if maybe we should replace the shelling out to curl with using kj's http libraries, just to get rid of a system dependency.

[jdougan]

The original plan was to upgrade last year when 16 went obsolete. I had issues then installing sandstorm and stuff came up so I delayed.

And I may have broken curl while trying to update the certs. Some days...