v3.10.0 -> 3.10.1 upgrade error
-
To me it looks like a misconfigured certificate:
```
~/nodebb$ openssl s_client -connect packages.nodebb.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = otherhome.ca
verify return:1
---
Certificate chain
 0 s:CN = otherhome.ca
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 30 11:40:17 2024 GMT; NotAfter: Dec 29 11:40:16 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = otherhome.ca
issuer=C = US, O = Let's Encrypt, CN = R11
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3132 bytes and written 405 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
This certificate is owned by subject=CN = otherhome.ca
-
@FrankM See, that's where I don't see what you're seeing. When I run the same command, the certificate chain looks fine:
```
$ openssl s_client -connect packages.nodebb.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = packages.nodebb.org
verify return:1
---
Certificate chain
 0 s:CN = packages.nodebb.org
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 18 09:05:41 2024 GMT; NotAfter: Dec 17 09:05:40 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
```
-
The only change I can share is that we disabled CloudFlare proxying roughly a day ago, so requests for `packages.nodebb.org` should get the actual IP now instead of the CloudFlare proxy IP.

`otherhome.ca` is not one of our clients, nor do we use their IP, although it does share the same first 6 digits.
-
@baris, @Julian so I had to disable the plugin checking code in NodeBB/src/cli/upgrade-plugins.js to get the upgrade to finish, as it left my install in a broken state.
I commented out lines 77,78,79 and 82:
```js
async function getSuggestedModules(nbbVersion, toCheck) {
	//const request = require('../request');
	//let { response, body } = await request.get(`https://packages.nodebb.org/api/v1/suggest?version=${nbbVersion}&package[]=${toCheck.join('&package[]=')}`);
	//if (!response.ok) {
		console.warn(`Unable to get suggested module for NodeBB(${nbbVersion}) ${toCheck.join(',')}`);
		return [];
	//}
	if (!Array.isArray(body) && toCheck.length === 1) {
		body = [body];
	}
	return body;
}
```
At least now my install is working, but a better fix would be appreciated. Some kind of fallback URL for packages.nodebb.org would be great. How about hosting on GitHub, for example?
I still, however, have the "Internal Error. - Oops! Looks like something went wrong! - fetch failed" error in the Admin panel > Extend > Plugins.
-
-
@julian
Hi, just now after you switched to CloudFlare the problem no longer occurs, but as far as I can see, now that you have switched the resolution to your source site again, your source site has a normal SSL configuration in an IPv4 environment, but not in an IPv6 environment.
-
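The diagnosis in this thread (one client sees a certificate for `otherhome.ca`, another sees `packages.nodebb.org`, and the IPv4 and IPv6 paths differ) can be checked per address rather than per hostname. The following is an added example, not part of any post and not NodeBB code; the function names, the sample addresses and the SAN values are assumptions made for illustration.

```javascript
const tls = require('node:tls');
const dns = require('node:dns').promises;

// Pure check: does a certificate (shape of getPeerCertificate()) belong to `host`?
// tls.checkServerIdentity returns an Error on mismatch, undefined on match.
function identityError(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return err ? err.message : null;
}

// Keep only the addresses that served a certificate for some other name.
function mismatches(host, probes) {
  return probes
    .map(p => ({ address: p.address, family: p.family,
      cn: p.cert.subject?.CN, error: identityError(host, p.cert) }))
    .filter(r => r.error !== null);
}

// Connect to one specific address, sending `host` as SNI. Verification is
// disabled only so a wrong certificate can be read and reported, not trusted.
function fetchCert(host, address, family) {
  return new Promise((resolve, reject) => {
    const sock = tls.connect({ host: address, port: 443, servername: host,
      rejectUnauthorized: false }, () => {
      resolve({ address, family, cert: sock.getPeerCertificate() });
      sock.end();
    });
    sock.setTimeout(5000, () => sock.destroy(new Error('timeout')));
    sock.on('error', reject);
  });
}

// Probe every A and AAAA record separately instead of whichever one the OS picks.
async function probeAll(host) {
  const v4 = await dns.resolve4(host).catch(() => []);
  const v6 = await dns.resolve6(host).catch(() => []);
  const targets = [...v4.map(a => [a, 4]), ...v6.map(a => [a, 6])];
  const done = await Promise.allSettled(targets.map(([a, f]) => fetchCert(host, a, f)));
  return done.filter(d => d.status === 'fulfilled').map(d => d.value);
}

// Constructed sample: documentation-range addresses; which family served the
// otherhome.ca certificate is an assumption, not something the thread states.
const SAMPLE = [
  { address: '192.0.2.10', family: 4, cert: { subject: { CN: 'packages.nodebb.org' }, subjectaltname: 'DNS:packages.nodebb.org' } },
  { address: '2001:db8::10', family: 6, cert: { subject: { CN: 'otherhome.ca' }, subjectaltname: 'DNS:otherhome.ca' } },
];

const target = process.argv[2];
if (target) probeAll(target).then(p => console.log(mismatches(target, p)));
else console.log(mismatches('packages.nodebb.org', SAMPLE));
```

With a hostname as the first argument the script probes the live A and AAAA records. Note that `openssl s_client` reports `Verify return code: 0 (ok)` for a valid chain even when the name does not match, unless `-verify_hostname` is passed.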
@julian Then there is some big issue in my server. ekk.app is neither getting public posts nor DMs from this server. Please guide me on how I can find the cause of the problem.
Earlier I had an issue with file uploads and, thanks to guidance from @baris, I was able to solve the issue. Now I am looking forward to your help on this issue.