Unable to download any package due to a SSL/TLS issue #2142
Comments
Looks like Spacedock's SSL cert expired, so this is kind of on them.
I have created a commit that hacks around this here, based on the advice in this thread. Note this completely disables SSL checks of any kind, so use with extreme caution.
The SSL cert should now be fixed, can you confirm?
@Olympic1 looks good! This probably closes the issue.
Hi, it seems that the spacedock certificates are expired again, and I can't download anything from there using CKAN :(
Confirmed, Spacedock seems to have their cert. expired again.
They use letsencrypt, which is a free SSL/TLS certificate authority with a quarterly renewal. It's great if you set up the auto renew. https://community.letsencrypt.org/t/how-to-automatically-renew-certificates/4393
As a workaround for this, can we get an option to ignore SSL cert errors in CKAN?
Just to confirm, I am having the same issue. For me, it's on editor extensions redux and janitor's closet if that helps.
Following Horcrux's previous workaround described in KSP-CKAN#2142, disable SSL certificate verification when downloading mods. PLEASE USE THIS WITH EXTREME CAUTION - SSL CHECKS PROTECT YOUR COMPUTER
I've resurrected Horcrux's fix on the disable-ssl-check branch on my fork. Note that you'll have to compile it yourself to use the version with the "fix". As Horcrux said previously: "Note this completely disables SSL checks of any kind, so use with extreme caution." I'm willing to work on a better fix for this if there's interest, I'm not sure what you folks feel is an appropriate solution (checkbox in options menu/command line flag? automatically disable SSL and retry spacedock downloads if they fail?)
I've been trying to determine exactly what the vulnerability level is here so we can make an informed decision, but most of the commentary for site owners revolves around avoiding annoying errors on your page and alert fatigue, neither of which have to do with enumerating viable attack vectors. Let's see if this makes sense... KerbalStuff is currently replaced by a malicious web site, such that it can't even be mentioned on the KSP forums (it's auto-corrected to "*"). If we completely ignore expired certificates, then such a site could likewise replace SpaceDock someday and use its old expired certificates to provide CKAN users with malware downloads. Is that true? But we would de-list SpaceDock URLs in NetKAN and CKAN-meta if that happened. And with #2243 validating the hashes of downloads before installing them in the next update, we have a form of end-to-end security that would mean the downloads would have to be the same as what we indexed, so we should be safe unless we index malicious downloads. ... I'm not confident enough in any of that to make code changes. Can anyone share a fuller picture of the security implications of expired certificates?
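The comment above leans on downloads being checked against hashes recorded at indexing time. A Python sketch of that kind of check, added here as an illustration and not CKAN's own code or any commenter's; the `sha256`/`sha1` field names, `verify_download`, and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Strongest first; these field names are an assumption about the index format.
PREFERRED = ("sha256", "sha1")

class IntegrityError(Exception):
    """The download does not match the hash recorded when it was indexed."""

def file_digest(path, algo, chunk=1 << 16):
    """Hash in chunks so a large archive never sits fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, indexed_hashes):
    """Return the algorithm that matched; otherwise delete the file and raise."""
    for algo in PREFERRED:
        expected = indexed_hashes.get(algo)
        if not expected:
            continue
        actual = file_digest(path, algo)
        if hmac.compare_digest(actual, expected.strip().lower()):
            return algo
        os.remove(path)  # do not leave an unverified archive for the installer
        raise IntegrityError(f"{algo} mismatch for {path}")
    os.remove(path)  # fail closed: no indexed hash means no end-to-end guarantee
    raise IntegrityError(f"no indexed hash for {path}")

def demo():
    """Constructed sample: one intact download, one altered in transit."""
    good = b"constructed mod archive bytes"
    index_entry = {"sha256": hashlib.sha256(good).hexdigest().upper()}
    results = {}
    for name, body in (("intact", good), ("tampered", good + b"!")):
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        try:
            results[name] = verify_download(path, index_entry)
            os.remove(path)
        except IntegrityError:
            results[name] = "rejected"
    return results
```

The check only carries weight if the index holding the hashes is itself fetched over an authenticated channel; `demo()` returns `{'intact': 'sha256', 'tampered': 'rejected'}`.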
This has been fixed. The site certificate has been updated.
Confirmed this works now. Given the above comments, an option in CKAN to disable the cert check would be helpful.
Ckan still fails, no way to update?
download and install 1.4 manually
Just updated CKAN to the latest version, then tried to update all the installed mods.
As usual, selected "add available updates" --> "apply".
But the downloading fails. I get 3 error messages in the popups, then the update process stops. The messages all look like:
With the previous CKAN version, I've never had any troubles updating the packages (nor any network connection issues).
Do you need any additional info?
CKAN Version:
v1.22.5
Operating System:
Win10 Home RU
The issue you are experiencing:
Unable to download packages.
How to recreate this issue:
CKAN error codes (if applicable):
no error codes, error messages see above