do-release-upgrade ignores APT proxy exemption

Bug #1913240 reported by MegaBrutal
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ubuntu-release-upgrader (Ubuntu) | New | Undecided | Unassigned |

Bug Description

When I try to check for an upgrade, this is what happens:

# do-release-upgrade -c
Checking for a new Ubuntu release
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
There is no development version of an LTS available.
To upgrade to the latest non-LTS develoment release
set Prompt=normal in /etc/update-manager/release-upgrades.

With tcpdump, I discovered that do-release-upgrade tries to connect to the configured APT-Cacher-NG proxy. The proxy only listens on plaintext HTTP (TCP:80), while the script tries to connect to it over HTTPS (TCP:443), because it wants to download meta-release-lts through an https:// URL. Since I have no intention of configuring SSL certificates on the proxy for the sole reason of enabling upgraders to operate, I thought I'd rather exempt it from the APT proxy setting.

Currently, I have this APT proxy configuration under /etc/apt/apt.conf.d:

Acquire::http {
 Proxy::changelogs.ubuntu.com "DIRECT";
 Proxy "http://taranis.lan";
};
Acquire::https {
 Proxy::changelogs.ubuntu.com "DIRECT";
};

I added an explicit section for https too, just in case. According to man apt-transport-http, the syntax should be correct and `apt-config dump` reports that it correctly parsed the config file and understands that it needs to exempt changelogs.ubuntu.com.

Acquire::http::Proxy "http://taranis.lan";
Acquire::http::Proxy::changelogs.ubuntu.com "DIRECT";
Acquire::https::Proxy "";
Acquire::https::Proxy::changelogs.ubuntu.com "DIRECT";

However, trying `do-release-upgrade -c` has the same result: the upgrader still wants to get the meta-release file via the proxy. It is a strange situation, because it seems `do-release-upgrade` wants to honour the APT proxy configuration, but it ignores the exemptions. In my case, it would be better to ignore the proxy altogether.

I have had this proxy for quite a while and the server was configured to use it, and I don't remember encountering this issue on any previous release upgrade, but I haven't run one since 2018. I guess the feature of honouring the APT proxy config was added recently, in the last 2 years. I have this issue on my Bionic server, and I reproduced it on a pristine Focal VM installation as well.

I think the intended or desirable behaviour would be to adhere to the APT proxy configuration in its entirety, including the exemptions.
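The resolution order the report asks for, as an added example (not part of the original report, and not code from ubuntu-release-upgrader or APT): a host-specific `Proxy::<host>` entry wins over the scheme's default proxy, `DIRECT` means no proxy, and `Acquire::https` options fall back to `Acquire::http` as the apt-transport-https man page describes. The function names are hypothetical, and proxy auto-detection and environment variables are left out.

```python
import re
import urllib.request
from urllib.parse import urlsplit

# `apt-config dump` output as quoted in the report above.
APT_CONFIG_DUMP = '''\
Acquire::http::Proxy "http://taranis.lan";
Acquire::http::Proxy::changelogs.ubuntu.com "DIRECT";
Acquire::https::Proxy "";
Acquire::https::Proxy::changelogs.ubuntu.com "DIRECT";
'''

_LINE = re.compile(r'^(\S+)\s+"(.*)";$')

def parse_dump(text):
    """Parse `apt-config dump` lines into a dict (APT keys are case-insensitive)."""
    conf = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf

def _find(conf, scheme, option):
    """Look up Acquire::<scheme>::<option>; https falls back to http (assumption)."""
    schemes = ("https", "http") if scheme == "https" else (scheme,)
    for s in schemes:
        value = conf.get(f"acquire::{s}::{option}".lower(), "")
        if value:
            return value
    return ""

def proxy_for(conf, url):
    """Return the proxy URL to use for `url`, or None for a direct connection."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    specific = _find(conf, scheme, f"Proxy::{host}")
    if specific:  # per-host entry overrides the default proxy
        return None if specific == "DIRECT" else specific
    return _find(conf, scheme, "Proxy") or None

def opener_for(conf, url):
    """Build a urllib opener for `url`; TLS verification stays at its default."""
    proxy = proxy_for(conf, url)
    scheme = urlsplit(url).scheme.lower()
    handler = urllib.request.ProxyHandler({scheme: proxy} if proxy else {})
    return urllib.request.build_opener(handler)
```

With the exemption lines removed from the configuration, the same lookup sends the https:// meta-release URL to the HTTP-only proxy, which is the failure described in the report.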

Changbin Du (changbindu) wrote :

First, enable debug logs:
$ DEBUG_UPDATE_MANAGER=1 do-release-upgrade
...
result of meta-release download: '<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)>'
...

So in my case, the connection failed due to the certificate of the proxy. Then change /usr/bin/do-release-upgrade to ignore this check.

Insert this code at the beginning of /usr/bin/do-release-upgrade file but after the '__future__' line:

from __future__ import print_function

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

ok, now it works!
