No IPv6 for deb.nodesource.com #170

Closed
igalic opened this Issue Nov 10, 2015 · 21 comments

Projects

None yet

10 participants

@igalic
igalic commented Nov 10, 2015

Hi folks,

i'd like to report an issue with deb.nodesource.com:

igalic@levix ~> dig in AAAA deb.nodesource.com

; <<>> DiG 9.9.5-9ubuntu0.3-Ubuntu <<>> in AAAA deb.nodesource.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47273
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;deb.nodesource.com.            IN      AAAA

;; AUTHORITY SECTION:
nodesource.com.         10800   IN      SOA     rodney.ns.cloudflare.com. dns.cloudflare.com. 2019875292 10000 2400 604800 3600

;; Query time: 15 msec
;; SERVER: 10.1.7.42#53(10.1.7.42)
;; WHEN: Tue Nov 10 22:17:02 CET 2015
;; MSG SIZE  rcvd: 108

igalic@levix ~>

it's unreachable via IPv6, so we have to use workarounds like dns64 to get it installed.

@bastelfreak

๐Ÿ‘ for fixing this. Could you please deploy IPv6?

@ehwat
ehwat commented Nov 10, 2015

+1

@igalic
igalic commented Nov 10, 2015

what i find bizarre is that this is hosted on cloudflare, and it's not just supported out of the box

@rvagg
Member
rvagg commented Nov 14, 2015

It's not hosted on CloudFlare, just the DNS is, we'll have to enable ipv6 on the box and update DNS for it. I've got it on my TODO list.

@igalic
igalic commented Nov 17, 2015

๐Ÿ’œ

@rotanid
rotanid commented Nov 22, 2015

clodflare translates from IPv6 to your boxes IPv4, you just have to activate it in your cloudflare account - many websites use this feature

@bastelfreak

Hi,
how is the current state @rvagg, any updates?

@rvagg
Member
rvagg commented Jan 5, 2016

I think this is good to go now .. had a few issues with DNS and I'm not on an ipv6 connection atm to test. Let me know how it goes.

@rvbhute
rvbhute commented Jan 8, 2016

I am getting errors since last couple of days.

W: Failed to fetch https://deb.nodesource.com/node_4.x/dists/trusty/main/binary-amd64/Packages Failed to connect to deb.nodesource.com port 443: Network is unreachable

Attaching gist with curl -v command output. Connecting via VPN or another ISP does not give this error.

https://gist.github.com/rvbhute/2dac82a5a5d40ebc9c2b

@bastelfreak

@rvagg it is possible that your IPv6 in general is broken, can you connect to other services like google.com?

@rvagg it is working fine, thanks:

$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
*   Trying 2604:a880:1:20::13b:b001...
* Connected to deb.nodesource.com (2604:a880:1:20::13b:b001) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: Apr 20 00:00:00 2015 GMT
*    expire date: Jun 13 12:00:00 2018 GMT
*    subjectAltName: deb.nodesource.com matched
*    issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*    SSL certificate verify ok.
> GET / HTTP/1.1
> Host: deb.nodesource.com
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Fri, 08 Jan 2016 10:39:17 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://github.com/nodesource/distributions
< Strict-Transport-Security: max-age=15552000
< 
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host deb.nodesource.com left intact
@daenney
daenney commented Jan 8, 2016

Do note that because of the redirect to Github, which doesn't do IPv6, this still won't work for a system that can not talk IPv4. If you let curl follow the redirect:

* Connected to github.com (192.30.252.130) port 443 (#0)

If you can turn this into a Github Pages, then using a CNAME at Cloudflare to point it this way and send the traffic through the Cloudflare network instead (not just the DNS lookup) Cloudflare will proxy the request for you and will then be delivered over IPv6.

@rvbhute
rvbhute commented Jan 8, 2016

I am on IPv4, on all 3 ISPs. All other traffic (browser, xmpp, apt updates from other repos) is fine. The connection which has a problem right now also used to work fine till about three days ago more or less (around the same time the DNS was updated) which is why I don't think it is an ISP problem.

Running the curl test, for other two ISPs (ADSL and 3G hotspot), it shows Immediate connect fail for 2604:a880:1:20::13b:b001: Network is unreachable and then successfully connects to deb.nodesource.com on its resolved IPv4 address.

First output is the one where it fails

rohit@ryujin:~$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
*   Trying 2604:a880:1:20::13b:b001...
* connect to 2604:a880:1:20::13b:b001 port 443 failed: Network is unreachable
* Failed to connect to deb.nodesource.com port 443: Network is unreachable
* Closing connection 0
curl: (7) Failed to connect to deb.nodesource.com port 443: Network is unreachable

Trying with the IP address

rohit@ryujin:~$ curl -v https://192.241.233.42
* Rebuilt URL to: https://192.241.233.42/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
* Connected to 192.241.233.42 (192.241.233.42) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: 2015-04-20 00:00:00 GMT
*    expire date: 2018-06-13 12:00:00 GMT
* SSL: certificate subject name '*.nodesource.com' does not match target host name '192.241.233.42'
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name '*.nodesource.com' does not match target host name '192.241.233.42'

These two are from ISPs that work correctly. Apologies for the wall of text.

rohit@ryujin:~$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
*   Trying 2604:a880:1:20::13b:b001...
* Immediate connect fail for 2604:a880:1:20::13b:b001: Network is unreachable
* Connected to deb.nodesource.com (192.241.233.42) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: 2015-04-20 00:00:00 GMT
*    expire date: 2018-06-13 12:00:00 GMT
*    subjectAltName: deb.nodesource.com matched
*    issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*    SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: deb.nodesource.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
* Server nginx is not blacklisted
< Server: nginx
< Date: Fri, 08 Jan 2016 10:47:40 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://github.com/nodesource/distributions
< Strict-Transport-Security: max-age=15552000
< 
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host deb.nodesource.com left intact
rohit@ryujin:~$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
*   Trying 2604:a880:1:20::13b:b001...
* Immediate connect fail for 2604:a880:1:20::13b:b001: Network is unreachable
* Connected to deb.nodesource.com (192.241.233.42) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: 2015-04-20 00:00:00 GMT
*    expire date: 2018-06-13 12:00:00 GMT
*    subjectAltName: deb.nodesource.com matched
*    issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*    SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: deb.nodesource.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
* Server nginx is not blacklisted
< Server: nginx
< Date: Fri, 08 Jan 2016 10:48:34 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://github.com/nodesource/distributions
< Strict-Transport-Security: max-age=15552000
< 
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host deb.nodesource.com left intact
@rvagg
Member
rvagg commented Jan 8, 2016

OK folks, we're getting reports of problems from a number of sources so for now we're moving the IPv6 address onto deb6.nodesource.com and rpm6.nodesource.com, leaving the vanilla ones IPv4-only. If you want to use IPv6 then switch hostnames in /etc/apt/sources.list*.

@retrohacker retrohacker assigned chrislea and unassigned chrislea Jun 6, 2016
@retrohacker
Contributor

This appears to have been resolved. Adding the deb6 and rpm6 urls to the FAQ section in #308

@retrohacker retrohacker closed this Jun 6, 2016
@retrohacker
Contributor

If IPv6 support is still a problem, feel free to reopen this issue and we can explore.

@rotanid
rotanid commented Jun 6, 2016
  1. i can't find it in the FAQ section
  2. you didn't fix it, dual-stack was asked here and providing a different URL is not a solution for that
@retrohacker retrohacker added a commit that referenced this issue Jun 7, 2016
@retrohacker retrohacker Add IPv6 to FAQ
Per issue #170
31ee1ee
@retrohacker retrohacker reopened this Jun 7, 2016
@retrohacker
Contributor

Thanks, @rotanid,

I pulled the trigger too quickly on closing this issue during the cleanup of this repo. It has been re-opened. Sorry!

@rvagg
Member
rvagg commented Jun 8, 2016

can anyone point to an existing successfully dual-stack APT repo that we can poke at? I'm not seeing how we can achieve this and work around the problems that folks experienced when we turned on dual-stack.

@rotanid
rotanid commented Jun 8, 2016

like "ftp.debian.org"? that would be a big APT repo with dual-stack.

@rvagg
Member
rvagg commented Jun 8, 2016

mm, good one, so we need to work out why resolution order was messing up for people when we switched it on in the first place

@mweagle
mweagle commented Sep 9, 2016

Hi @igalic - we have migrated to CloudFront for hosting and it currently does not support ipv6 related. When it becomes available we will add support soon afterwards.

Ref: #353 (comment)

@mweagle mweagle closed this Sep 9, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment