The cache is down (not anymore)

warning: unable to download ‘https://cache.nixos.org/rffcxk0l94lc96yl07r26sdnfql6x0h4.narinfo’: SSL peer certificate or SSH remote key was not OK (51); retrying in 298 ms

Update: Fixed.

Wrong certificate loaded, it’s using one for www.nixos.org:

$ curl -v https://cache.nixos.org
*   Trying 54.217.220.47...
* TCP_NODELAY set
* Connected to cache.nixos.org (54.217.220.47) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.nixos.org
*  start date: Nov 18 23:14:18 2018 GMT
*  expire date: Feb 16 23:14:18 2019 GMT
*  subjectAltName does not match cache.nixos.org
* SSL: no alternative certificate subject name matches target host name 'cache.nixos.org'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'cache.nixos.org'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
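The check curl is failing in the trace above, reproduced as an added example (not part of the original thread or of any NixOS tooling): the requested host is compared against the certificate's DNS names, and a mismatch is reported separately from expiry. The function names, `SAMPLE_NOW`, and the SAN entry in `SAMPLE_CERT` are assumptions; the subject and expiry date come from the trace.

```python
import socket
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """RFC 6125-style match; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Need two literal labels after the wildcard, so "*.org" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def diagnose(host, cert, now):
    """Classify a certificate dict shaped like SSLSocket.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not any(name_matches(n, host) for n in names):
        return "name-mismatch", names   # wrong endpoint or wrong vhost cert
    if now > expiry:
        return "expired", names
    return "ok", names

def fetch_cert(host, port=443, timeout=5):
    """Validate the chain but skip the hostname check, so the served
    certificate can still be inspected when it is for another name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: subject and expiry are from the curl trace above; the
# SAN entry is an assumption (the trace only says it does not match).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.nixos.org"),),),
    "subjectAltName": (("DNS", "www.nixos.org"),),
    "notAfter": "Feb 16 23:14:18 2019 GMT",
}
SAMPLE_NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)  # constructed date

if __name__ == "__main__":
    print(diagnose("cache.nixos.org", SAMPLE_CERT, SAMPLE_NOW))
```

A `name-mismatch` result with an otherwise valid chain points at the client reaching the wrong endpoint (stale or incorrect DNS, or a wrong virtual-host certificate) rather than at an expired or untrusted certificate.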

Hi,

Today at 19:25Z the DNS provider was changed from a previous provider to AWS Route53, managed by Terraform. As part of that change a few records were incorrectly set. These records were corrected within a few minutes of the breakage.

Unfortunately, the TTL on the records was set to 1 hour, so there are many people with broken, cached records.

If you need a short term workaround, you can set the following in your hosts file:

(deleted because it is now out of date)

however, this is NOT an ideal configuration and you should no longer have these set after a few hours from now.

Graham

4 Likes

This issue should be fixed now. I’m deleting my recommendation above, because you shouldn’t need it anymore and I don’t want people finding it and copy-pasting it thinking it’ll fix a problem 6mo from now.

5 Likes

Not sure if related, still seeing this:

warning: unable to download ‘https://nix.dapphub.com/pkgs/dapphub’: SSL peer certificate or SSH remote key was not OK (51); retrying in 2575 ms

Current NixPkgs versions don’t even reference dapphub. I guess you have a version before this change or something: Remove DappHub projects by asymmetric · Pull Request #47279 · NixOS/nixpkgs · GitHub

EDIT: even so the URL you posted is weird – I can’t see how you arrived at it :woman_shrugging: