Install Installation stuck at Download libressl-2.4.3.tar.gz ...

Discussion in 'Install & Upgrades or Pre-Install Questions' started by nikolaikapustin, Oct 5, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    44,781
    10,212
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,828
    Local Time:
    12:01 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    should be 5 seconds for curl header check, but seems you pass the header check but can't download
     
  2. eva2000

    new option added to 123.09beta01 Beta Branch - add LOCALCENTMINMOD_MIRROR variable in 123.09beta01 | Centmin Mod Community

    so just before running centmin.sh, instead of editing centmin.sh directly, set a persistent config file at /etc/centminmod/custom_config.inc (create the file if it doesn't exist), and set in it the variable to override the centmin.sh file's set version
    Code (Text):
    LOCALCENTMINMOD_MIRROR='https://centmin.sh'
     
  3. nikolaikapustin

    nikolaikapustin Member

    38
    5
    8
    Oct 5, 2016
    Ratings:
    +7
    Local Time:
    4:01 PM
    All seemed fine in this way until:


    Code (Text):
    Download ccache-3.3.2.tar.gz ...
    Initializing download: https://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    SSL error: tlsv1 alert internal error
    
    Error: ccache-3.3.2.tar.gz download failed.
    check Centmin Mod log for details at /root/centminlogs/
    Aborting script...
    
     
  4. eva2000

    interesting error SSL error: tlsv1 alert internal error
    as the download does exist

    curl header check from my Tokyo mirror
    Code (Text):
    curl -I https://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    HTTP/1.1 200 OK
    Date: Tue, 04 Oct 2016 20:04:12 GMT
    Content-Type: application/octet-stream
    Content-Length: 445945
    Connection: keep-alive
    Set-Cookie: __cfduid=d4b3ad67aa7c5690094891f4635647d5e1475611452; expires=Wed, 04-Oct-17 20:04:12 GMT; path=/; domain=.centmin.sh; HttpOnly
    Last-Modified: Mon, 03 Oct 2016 03:24:29 GMT
    ETag: "57f1cf6d-6cdf9"
    X-Powered-By: centminmod
    Expires: Thu, 03 Nov 2016 20:04:12 GMT
    Cache-Control: public, max-age=2592000
    Link: <http://centminmod.com/centminmodparts/ccache/ccache-3.3.2.tar.gz>; rel="canonical"
    CF-Cache-Status: MISS
    Accept-Ranges: bytes
    Server: cloudflare-nginx
    CF-RAY: 2ecb3dda1e3f5128-SJC


    what version of CentOS are you installing on? CentOS 6.8 or 7.2?

    what do you get for output for this command

    Code (Text):
    curl -Isv https://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    
     
  5. nikolaikapustin

    Centos version:

    Code (Text):
     rpm --query centos-release
    centos-release-7-2.1511.el7.centos.2.10.x86_64
    


    Curl output:
    Code (Text):
    * About to connect() to centmin.sh port 443 (#0)
    *   Trying 104.27.172.154...
    * Connected to centmin.sh (104.27.172.154) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=sni164888.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
    *       start date: Aug 20 00:00:00 2016 GMT
    *       expire date: Feb 26 23:59:59 2017 GMT
    *       common name: sni164888.cloudflaressl.com
    *       issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    > HEAD /centminmodparts/ccache/ccache-3.3.2.tar.gz HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: centmin.sh
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Tue, 04 Oct 2016 20:07:51 GMT
    Date: Tue, 04 Oct 2016 20:07:51 GMT
    < Content-Type: application/octet-stream
    Content-Type: application/octet-stream
    < Content-Length: 445945
    Content-Length: 445945
    < Connection: keep-alive
    Connection: keep-alive
    < Set-Cookie: __cfduid=dcfb2935b3bbef6ed96c1c03c1f3473d01475611671; expires=Wed, 04-Oct-17 20:07:51 GMT; path=/; domain=.centmin.sh; HttpOnly
    Set-Cookie: __cfduid=dcfb2935b3bbef6ed96c1c03c1f3473d01475611671; expires=Wed, 04-Oct-17 20:07:51 GMT; path=/; domain=.centmin.sh; HttpOnly
    < Last-Modified: Mon, 03 Oct 2016 03:24:29 GMT
    Last-Modified: Mon, 03 Oct 2016 03:24:29 GMT
    < ETag: "57f1cf6d-6cdf9"
    ETag: "57f1cf6d-6cdf9"
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    < Expires: Thu, 03 Nov 2016 20:07:51 GMT
    Expires: Thu, 03 Nov 2016 20:07:51 GMT
    < Cache-Control: public, max-age=2592000
    Cache-Control: public, max-age=2592000
    < Link: <http://centminmod.com/centminmodparts/ccache/ccache-3.3.2.tar.gz>; rel="canonical"
    Link: <http://centminmod.com/centminmodparts/ccache/ccache-3.3.2.tar.gz>; rel="canonical"
    < CF-Cache-Status: MISS
    CF-Cache-Status: MISS
    < Accept-Ranges: bytes
    Accept-Ranges: bytes
    < Server: cloudflare-nginx
    Server: cloudflare-nginx
    < CF-RAY: 2ecb433388ce384c-ATL
    CF-RAY: 2ecb433388ce384c-ATL
    
    <
    * Connection #0 to host centmin.sh left intact
    
     
  6. eva2000

    again checking headers looks fine !

    if you do a yum update any updates ?
    Code (Text):
    yum -y update
    
     
  7. nikolaikapustin

    I tried once again, same tls error.

    no yum updates
    Code (Text):
    No packages marked for update
    
     
  8. eva2000

    weird tried on 10 different servers and they all work.. you can verify via manual download to /svr-setup
    Code (Text):
    cd /svr-setup
    rm -rf /svr-setup/ccache-3.3.2.tar.gz
    wget http://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    
     
  9. nikolaikapustin

    that worked. Weird..

    Code (Text):
    --2016-10-04 16:20:44--  http://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    Resolving centmin.sh (centmin.sh)... 104.27.172.154, 104.27.173.154
    Connecting to centmin.sh (centmin.sh)|104.27.172.154|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 445945 (435K) [application/octet-stream]
    Saving to: 'ccache-3.3.2.tar.gz'
    
    100%[======================================>] 445,945     --.-K/s   in 0.008s
    
    2016-10-04 16:20:45 (55.8 MB/s) - 'ccache-3.3.2.tar.gz' saved [445945/445945]
     
  10. eva2000

    indeed could be an issue with one of cloudflare's edge servers themselves ? just this time you got allocated a different cloudflare edge server to serve the download :)
     
  11. nikolaikapustin

    It could be, even if I tried twice. I will pre-download both libressl and cache packages in /svr-setup, then I'll mail Ramnode asking where my ip is coming from ;)
     
  12. eva2000

    Actually I think I know somewhat what's going on, as the official ccache download link would only fail over to my local centmin.sh cloudflare mirror if the official mirror was down. I checked, and the ccache official download link has a forced http to https redirect now to https://www.samba.org/ftp/ccache/; it used to be non-https. So it could be an issue with the CentOS 7 system's ssl handshake with https sites causing it to fail on the official mirror download and on centminmod.com and centmin.sh https based downloads.

    I'll update official ccache download url to the new https version as well
     
  13. eva2000

    nope looks like it's a cloudflare issue on centmin.sh did a fresh centos 7 install with variable set
    Code (Text):
    LOCALCENTMINMOD_MIRROR='https://centmin.sh'
    

    and got
    Code (Text):
    Download ccache-3.3.2.tar.gz ...
    Initializing download: https://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    SSL error: tlsv1 alert internal error
    
    Error: ccache-3.3.2.tar.gz download failed.
    check Centmin Mod log for details at /root/centminlogs/
    Aborting script...
    

    will have to investigate, though for you ccache official mirror should be working now so shouldn't need to set LOCALCENTMINMOD_MIRROR at all
     
  14. nikolaikapustin

    yes, I just downloaded libressl in svr-setup. Installation worked like a charm. Thank you.
     
  15. eva2000

    seems problem is axel download accelerator doesn't like cloudflare https !
    Code (Text):
    axel https://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    Initializing download: https://centmin.sh/centminmodparts/ccache/ccache-3.3.2.tar.gz
    SSL error: tlsv1 alert internal error


    submitted a bug report to axel folks: cloudflare SSL error: tlsv1 alert internal error · Issue #35 · eribertomota/axel · GitHub

    looks like it's to do with axel compiled against system openssl 1.0.1e in centos, which doesn't support ECDSA ssl ciphers used in cloudflare's free ssl certificates, as they used ECC 256bit SSL certs with ECDSA. Need to upgrade to a paid plan on cloudflare to get wider standard RSA 2048bit SSL cert support [details] for HTTPS served sites on cloudflare, or compile axel against openssl 1.0.2+. This is what Nginx does: compile against openssl 1.0.2+. But the axel install routine is the very first thing installed, so the openssl 1.0.2+ custom install is not available at the axel install stage.

    this could be problematic if more sites online start using cloudflare free ssl plans with ECDSA ciphers as then there's more chance a 3rd party download link will be behind cloudflare free ssl HTTPS and run into this bug. So looks like i need to sort this out by either adding axel compile time support for openssl 1.0.2+ or using axel alternative for downloads that are multi-threaded instead of single threaded wget downloads. Problem with adding openssl 1.0.2+ to axel is the source compile time of openssl 1.0.2+ is much longer than the benefits obtained from using axel (multi-threaded downloads) in the first place over wget (single threaded).

    or i can just check for download link's header to see if cloudflare serves it as curl supports ECDSA in CentOS 6.8 and 7 so if cloudflare is detected use wget and if not use axel.

    edit: workaround added for ECDSA at https://community.centminmod.com/th...eck-for-ecdsa-ssl-based-https-download….9018/
     
    Last edited: Oct 5, 2016
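
The header-based workaround suggested in the last post (detect a Cloudflare-served link with curl, then use wget instead of axel) can be sketched as below. This is an added example, not Centmin Mod's code: the function names `pick_downloader` and `downloader_for_url`, the fall-back-to-wget choice on a failed check, and the sample headers are assumptions made here.

```shell
#!/bin/sh
# Added example: choose wget or axel from the response headers of a
# download URL. Function names are hypothetical, not Centmin Mod's.

# Reads HTTP response headers on stdin. Prints "wget" when the response
# looks Cloudflare-served (Server: cloudflare* or a CF-RAY header),
# otherwise "axel". Header names are matched case-insensitively and the
# trailing CR of each header line is stripped first.
pick_downloader() {
  if tr -d '\r' | grep -Ei '^(server:[[:space:]]*cloudflare|cf-ray:)' >/dev/null; then
    echo wget
  else
    echo axel
  fi
}

# Header check over HTTPS with the 5 second limit mentioned in the thread.
# If the check itself fails, fall back to wget (an assumption made here),
# so the download still goes over HTTPS rather than dropping to http://.
downloader_for_url() {
  url="$1"
  if headers=$(curl -sI --max-time 5 "$url"); then
    printf '%s\n' "$headers" | pick_downloader
  else
    echo wget
  fi
}

# Constructed sample responses, shaped like the curl -I output above.
sample_cf() {
  printf 'HTTP/1.1 200 OK\r\nContent-Length: 445945\r\n'
  printf 'Server: cloudflare-nginx\r\nCF-RAY: 0000000000000000-SJC\r\n\r\n'
}
sample_other() {
  printf 'HTTP/1.1 200 OK\r\nContent-Length: 445945\r\nServer: nginx\r\n\r\n'
}

echo "cloudflare sample -> $(sample_cf | pick_downloader)"
echo "other sample      -> $(sample_other | pick_downloader)"
```
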