runsisi's

technical notes

Could not handshake, An unexpected TLS packet was received

2019-02-11 runsisi#apt

Recently, `apt update` started failing for every apt source served over https, with the following error (environment: Ubuntu 18.04):

~$ sudo apt update
Ign:1 https://dl.yarnpkg.com/debian stable InRelease
Err:2 https://dl.yarnpkg.com/debian stable Release
  Could not handshake: An unexpected TLS packet was received. [IP: 10.120.123.234 12345]

Accessing the https address directly, however, works without any problem:

~$ sudo apt install gnutls-bin
~$ gnutls-cli -V -p 443 dl.yarnpkg.com
Processed 133 CA certificate(s).
Resolving 'dl.yarnpkg.com:443'...
Connecting to '104.16.63.173:443'...

Check whether the version of the apt https component is the problem:

~$ dpkg --list apt*| grep "^ii"
ii  apt                    1.6.6                  amd64        commandline package manager
ii  apt-config-icons       0.12.0-3ubuntu1        all          APT configuration snippet to enable icon downloads
ii  apt-file               3.1.5                  all          search for files within Debian packages (command-line interface)
ii  apt-transport-https    1.6.6                  all          transitional package for https support
ii  apt-utils              1.6.6                  amd64        package management related utility programs
ii  aptdaemon              1.1.1+bzr982-0ubuntu19 all          transaction based package management service
ii  aptdaemon-data         1.1.1+bzr982-0ubuntu19 all          data files for clients
ii  apturl                 0.5.2ubuntu14.2        amd64        install packages using the apt protocol - GTK+ frontend
ii  apturl-common          0.5.2ubuntu14.2        amd64        install packages using the apt protocol - common data

~$ apt policy apt-transport-https
apt-transport-https:
  Installed: 1.6.6
  Candidate: 1.6.6ubuntu0.1
  Version table:
     1.6.6ubuntu0.1 500
        500 http://10.111.111.111/ubuntu bionic-updates/universe amd64 Packages
        500 http://10.111.111.111/ubuntu bionic-updates/universe i386 Packages
 *** 1.6.6 100
        100 /var/lib/dpkg/status
     1.6.1 500
        500 http://10.111.111.111/ubuntu bionic/universe amd64 Packages
        500 http://10.111.111.111/ubuntu bionic/universe i386 Packages

Downgrading the apt https component still did not solve the problem:

$ sudo apt install apt-transport-https=1.6.1
...
dpkg: warning: downgrading apt-transport-https from 1.6.6 to 1.6.1
...

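After going around in circles, I finally found that, for some unknown reason, a proxy had been configured specifically for apt on this machine, and that the proxy setting was wrong (note that the proxy address after https::proxy was written as an https-type address). Changing the proxy server address, or deleting the proxy configuration, solves the problem above: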

~$ cat /etc/apt/apt.conf
Acquire::http::proxy "http://10.120.123.234:12345";
Acquire::https::proxy "https://10.120.123.234:12345";

~$ sudo vi /etc/apt/apt.conf
Acquire::http::proxy "http://10.120.123.234:12345";
Acquire::https::proxy "http://10.120.123.234:12345";
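
To catch this misconfiguration before it shows up as a handshake error, the following added example (not part of the original post) scans apt proxy directives and flags any proxy URL with an https:// scheme. The function name check_apt_proxy and the 192.0.2.10:3128 sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit apt proxy directives.
# Reads apt.conf syntax on stdin, one directive per line as in the file above.
# Prints a WARN line per suspect proxy and returns 1 if any was found.
check_apt_proxy() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /^(\/\/|#)/) next              # skip comment lines
        low = tolower(line)                       # match keys regardless of case
        if (low !~ /^acquire::(http|https)::proxy(::[^ \t"]+)?[ \t]+"/) next
        split(line, part, "\"")                   # part[2] is the quoted value
        key = line
        sub(/[ \t]+".*$/, "", key)                # directive name without value
        url = part[2]
        if (url == "" || toupper(url) == "DIRECT") next
        if (tolower(url) ~ /^https:\/\//) {
            # The case from this post: apt starts a TLS handshake with the proxy
            print "WARN " key ": " url " makes apt open TLS to the proxy itself"
            found = 1
        }
        if (url ~ /[ \t]/) {
            print "WARN " key ": " url " contains whitespace (host:port expected)"
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample input (documentation addresses, not the hosts in the post)
check_apt_proxy <<'EOF' || echo "review the proxy settings listed above"
Acquire::http::proxy "http://192.0.2.10:3128";
Acquire::https::proxy "https://192.0.2.10:3128";
EOF
```

On a real host the merged configuration, including snippets under /etc/apt/apt.conf.d, can be fed in with `apt-config dump | check_apt_proxy`.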

References

[1] apt-transport-https not sending a certificate to the server

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703932