Trouble updating certbot on Ubuntu 16.04 LTS and 14.04 LTS


#1

I’m trying to update certbot from version 0.26 on both a 16.04 box and a 14.04 box. I installed certbot via the PPA by adding the repository to apt, as described in the instructions on the homepage.

However, when I run sudo apt-get update, I seem to be getting errors fetching updates for the certbot repo. Thus, when I go to try to install the update, apt says I have the latest version, when clearly I do not. I see there are releases of 0.28 for Trusty and Xenial on Launchpad, but for some reason I can’t seem to make my systems “see” them.

On Ubuntu 16.04 LTS:

$ certbot --version
certbot 0.26.1

$ sudo apt-get install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version (0.26.1-1+ubuntu16.04.1+certbot+2).
0 upgraded, 0 newly installed, 0 to remove and 68 not upgraded.

$ sudo apt-get update
Ign:1 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 InRelease
Hit:2 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 Release                                                                                     
Hit:3 http://us.archive.ubuntu.com/ubuntu xenial InRelease                                                                                                  
Get:4 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]                                                                             
Ign:5 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease                                                                                  
Get:6 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]                                                          
Get:7 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]                                                                  
Ign:9 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial Release                                                                           
Hit:10 https://apt.dockerproject.org/repo ubuntu-xenial InRelease                                             
Ign:11 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages.diff/Index                  
Ign:12 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages.diff/Index
Ign:13 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main all Packages
Ign:14 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en_US
Ign:15 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en.diff/Index
Ign:16 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
Ign:17 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
Ign:13 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main all Packages
Ign:14 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en_US
Ign:18 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en
Ign:16 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
Ign:17 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
Ign:13 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main all Packages
Ign:14 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en_US
Ign:18 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en
Ign:16 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
Ign:17 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
Ign:13 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main all Packages
Ign:14 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en_US
Ign:18 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en
Ign:16 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
Ign:17 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
Ign:13 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main all Packages
Ign:14 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en_US
Ign:18 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en
Ign:16 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
Ign:17 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
Ign:13 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main all Packages
Ign:14 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en_US
Ign:18 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en
Err:16 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages                                                                                                  
  Connection failed
Ign:17 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages                                                                                                   
Ign:18 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main Translation-en                                                                                                  
Fetched 325 kB in 6s (49.6 kB/s)                                                                                                                                                   
Reading package lists... Done
W: The repository 'http://ppa.launchpad.net/certbot/certbot/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/xenial/main/binary-amd64/Packages  Connection failed
E: Some index files failed to download. They have been ignored, or old ones used instead.

$ sudo apt-get install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version (0.26.1-1+ubuntu16.04.1+certbot+2).
0 upgraded, 0 newly installed, 0 to remove and 68 not upgraded.

On 14.04 LTS:

$ certbot --version
certbot 0.26.1

$ sudo apt-get install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 231 not upgraded.

$ sudo apt-get update
Ign http://us.archive.ubuntu.com trusty InRelease
Get:1 http://us.archive.ubuntu.com trusty-updates InRelease [65.9 kB]    
Ign http://ppa.launchpad.net trusty InRelease                                  
Get:2 http://security.ubuntu.com trusty-security InRelease [65.9 kB]           
Hit http://us.archive.ubuntu.com trusty-backports InRelease                    
Hit http://us.archive.ubuntu.com trusty Release.gpg                            
Get:3 http://us.archive.ubuntu.com trusty-updates/main Sources [427 kB]        
Err http://ppa.launchpad.net trusty Release.gpg                                
  Connection failed
Get:4 http://us.archive.ubuntu.com trusty-updates/restricted Sources [6,322 B] 
Get:5 http://us.archive.ubuntu.com trusty-updates/universe Sources [230 kB]    
Get:6 http://us.archive.ubuntu.com trusty-updates/multiverse Sources [7,435 B] 
Get:7 http://security.ubuntu.com trusty-security/main Sources [169 kB]         
Get:8 http://us.archive.ubuntu.com trusty-updates/main amd64 Packages [1,143 kB]
Ign http://ppa.launchpad.net trusty Release                                    
Ign http://ppa.launchpad.net trusty/main amd64 Packages/DiffIndex              
Get:9 http://us.archive.ubuntu.com trusty-updates/restricted amd64 Packages [17.2 kB]
Get:10 http://security.ubuntu.com trusty-security/restricted Sources [4,931 B] 
Get:11 http://us.archive.ubuntu.com trusty-updates/universe amd64 Packages [517 kB]
Get:12 http://security.ubuntu.com trusty-security/universe Sources [101 kB]    
Ign http://ppa.launchpad.net trusty/main i386 Packages/DiffIndex               
Get:13 http://us.archive.ubuntu.com trusty-updates/multiverse amd64 Packages [14.6 kB]
Get:14 http://us.archive.ubuntu.com trusty-updates/main i386 Packages [1,070 kB]
Get:15 http://security.ubuntu.com trusty-security/multiverse Sources [3,265 B] 
Get:16 http://security.ubuntu.com trusty-security/main amd64 Packages [808 kB] 
Get:17 http://us.archive.ubuntu.com trusty-updates/restricted i386 Packages [17.1 kB]
Get:18 http://us.archive.ubuntu.com trusty-updates/universe i386 Packages [499 kB]
Get:19 http://us.archive.ubuntu.com trusty-updates/multiverse i386 Packages [15.0 kB]
Hit http://us.archive.ubuntu.com trusty-updates/main Translation-en            
Hit http://us.archive.ubuntu.com trusty-updates/multiverse Translation-en      
Hit http://us.archive.ubuntu.com trusty-updates/restricted Translation-en      
Hit http://us.archive.ubuntu.com trusty-updates/universe Translation-en        
Hit http://us.archive.ubuntu.com trusty Release                                
Get:20 http://security.ubuntu.com trusty-security/restricted amd64 Packages [14.2 kB]
Hit http://us.archive.ubuntu.com trusty-backports/main Sources                 
Hit http://us.archive.ubuntu.com trusty-backports/restricted Sources           
Hit http://us.archive.ubuntu.com trusty-backports/universe Sources             
Get:21 http://security.ubuntu.com trusty-security/universe amd64 Packages [287 kB]
Hit http://us.archive.ubuntu.com trusty-backports/multiverse Sources           
Hit http://us.archive.ubuntu.com trusty-backports/main amd64 Packages          
Hit http://us.archive.ubuntu.com trusty-backports/restricted amd64 Packages    
Hit http://us.archive.ubuntu.com trusty-backports/universe amd64 Packages      
Hit http://us.archive.ubuntu.com trusty-backports/multiverse amd64 Packages    
Hit http://us.archive.ubuntu.com trusty-backports/main i386 Packages           
Hit http://us.archive.ubuntu.com trusty-backports/restricted i386 Packages     
Hit http://us.archive.ubuntu.com trusty-backports/universe i386 Packages       
Get:22 http://security.ubuntu.com trusty-security/multiverse amd64 Packages [4,800 B]
Hit http://us.archive.ubuntu.com trusty-backports/multiverse i386 Packages     
Hit http://us.archive.ubuntu.com trusty-backports/main Translation-en          
Hit http://us.archive.ubuntu.com trusty-backports/multiverse Translation-en    
Get:23 http://security.ubuntu.com trusty-security/main i386 Packages [734 kB]  
Hit http://us.archive.ubuntu.com trusty-backports/restricted Translation-en    
Hit http://us.archive.ubuntu.com trusty-backports/universe Translation-en      
Hit http://us.archive.ubuntu.com trusty/main Sources                           
Hit http://us.archive.ubuntu.com trusty/restricted Sources                     
Hit http://us.archive.ubuntu.com trusty/universe Sources                       
Hit http://us.archive.ubuntu.com trusty/multiverse Sources                     
Hit http://us.archive.ubuntu.com trusty/main amd64 Packages                    
Hit http://us.archive.ubuntu.com trusty/restricted amd64 Packages              
Hit http://us.archive.ubuntu.com trusty/universe amd64 Packages                
Hit http://us.archive.ubuntu.com trusty/multiverse amd64 Packages              
Hit http://us.archive.ubuntu.com trusty/main i386 Packages                     
Get:24 http://security.ubuntu.com trusty-security/restricted i386 Packages [13.9 kB]
Hit http://us.archive.ubuntu.com trusty/restricted i386 Packages               
Hit http://us.archive.ubuntu.com trusty/universe i386 Packages                 
Hit http://us.archive.ubuntu.com trusty/multiverse i386 Packages               
Get:25 http://security.ubuntu.com trusty-security/universe i386 Packages [272 kB]
Hit http://us.archive.ubuntu.com trusty/main Translation-en                    
Hit http://us.archive.ubuntu.com trusty/multiverse Translation-en              
Get:26 http://security.ubuntu.com trusty-security/multiverse i386 Packages [4,959 B]
Hit http://us.archive.ubuntu.com trusty/restricted Translation-en              
Hit http://us.archive.ubuntu.com trusty/universe Translation-en                
Hit http://security.ubuntu.com trusty-security/main Translation-en             
Hit http://security.ubuntu.com trusty-security/multiverse Translation-en       
Hit http://security.ubuntu.com trusty-security/restricted Translation-en       
Hit http://security.ubuntu.com trusty-security/universe Translation-en         
Ign http://us.archive.ubuntu.com trusty/main Translation-en_US                 
Ign http://us.archive.ubuntu.com trusty/multiverse Translation-en_US           
Ign http://us.archive.ubuntu.com trusty/restricted Translation-en_US           
Ign http://us.archive.ubuntu.com trusty/universe Translation-en_US             
Err http://ppa.launchpad.net trusty/main Translation-en_US                     
  Connection failed
Err http://ppa.launchpad.net trusty/main Translation-en                  
  Connection failed
Err http://ppa.launchpad.net trusty/main amd64 Packages                 
  Connection failed
Err http://ppa.launchpad.net trusty/main i386 Packages                  
  Connection failed
Fetched 6,513 kB in 5s (1,120 kB/s)                                     
W: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/trusty/Release.gpg  Connection failed

W: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/trusty/main/i18n/Translation-en_US  Connection failed

W: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/trusty/main/i18n/Translation-en  Connection failed

W: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/trusty/main/binary-amd64/Packages  Connection failed

W: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/trusty/main/binary-i386/Packages  Connection failed

E: Some index files failed to download. They have been ignored, or old ones used instead.

$ sudo apt-get install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 231 not upgraded.

Any idea why these are failing? Do I need to update my apt source somehow?


#2

What does, say, “curl -v http://ppa.launchpad.net/” do?

Launchpad is run by Canonical; if it’s having operational issues, Let’s Encrypt and the EFF can’t fix them.


#3

Thanks for the reply. Here’s the output of that command:

$ curl -v http://ppa.launchpad.net/
* Hostname was NOT found in DNS cache
*   Trying 91.189.95.83...
* Connected to ppa.launchpad.net (91.189.95.83) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: ppa.launchpad.net
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Wed, 13 Feb 2019 19:45:24 GMT
* Server Apache is not blacklisted
< Server: Apache
< Location: https://launchpad.net
< Content-Length: 205
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://launchpad.net">here</a>.</p>
</body></html>
* Closing connection 0

Would a 302 be causing this issue?


#4

No. They just do that for the index. The files apt accesses don’t redirect. (Last I looked, anyway.) And even if they did redirect it wouldn’t be a problem.


#5

So, I need to contact Launchpad to figure out why these requests are failing?


#6

It’s as likely to be an issue with your system or ISP or an ISP in between, rather than Canonical’s own infrastructure. But maybe.

It’s interesting that, of the 3 repositories you accessed, ppa.launchpad.net is the only one that isn’t partially hosted in the US and doesn’t support IPv6.

That’s a lot of packages.


#7

I wonder if the files are also available via https
If so, then maybe updating the repo to use https would get you the files needed.

Or perhaps forcing another IP for ppa.launchpad.net in /etc/hosts
[temporarily]

I see:
Name: ppa.launchpad.net
Address: 91.189.95.83


#8

Switching the source to https gives me 404 errors on both platforms instead of “Connection failed”.


#9

If you have another system that can fully reach the ppa, you should be able to proxy through it…

If the proxy method fails with the same error…, then the error message is misleading and…
It may be something more like the file signatures don’t match or something else.


#10

Just tried setting up certbot on a fresh box and it couldn’t get the initial listing from Launchpad at all. Clearly this is an issue with our network somewhere, assuming no one else on the planet is having this issue with Launchpad right now. Obviously it used to work back when I initially set up certbot, but I suppose something must have changed between now and then. I’m going to have a chat with our network admin.

This time it was 18.04 Bionic:

$ sudo add-apt-repository ppa:certbot/certbot
 This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
 More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or Ctrl-c to cancel adding it.

Err:1 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
  Connection failed [IP: 91.189.95.83 80]
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Reading package lists... Done                     
W: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/bionic/InRelease  Connection failed [IP: 91.189.95.83 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.

#11

Can you curl/wget it directly?

I (w)get 21256 bytes.


#12

Seems not:

$ curl -v http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/bionic/InRelease
*   Trying 91.189.95.83...
* TCP_NODELAY set
* Connected to ppa.launchpad.net (91.189.95.83) port 80 (#0)
> GET /certbot/certbot/ubuntu/dists/bionic/InRelease HTTP/1.1
> Host: ppa.launchpad.net
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

#13

Bad MITM.
Blocked by ISP/Country?


#14

I get:
curl -Iki http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/bionic/InRelease
HTTP/1.1 200 OK
Date: Wed, 13 Feb 2019 20:38:40 GMT
Server: Apache
Last-Modified: Fri, 14 Dec 2018 16:13:54 GMT
ETag: "5308-57cfdb7b54e81"
Accept-Ranges: bytes
Content-Length: 21256
Cache-Control: max-age=0, s-maxage=270, proxy-revalidate
Expires: Wed, 13 Feb 2019 20:38:40 GMT
Connection: close


#15

Network admin just got back to me, he says it looks like an issue with our SonicWall flagging the traffic with its intrusion prevention service :man_facepalming:

Thanks for the help. I guess the real insight came from trying the new server and realizing that it was happening there too. I was convinced it was a configuration issue on the Trusty/Xenial servers figuring it was due to them possibly being out of date, but being broken in the same way on a brand new box told me it was something wider in our system.


#16

The file does contain a bunch of MD5|SHA1|SHA256 sums.
Perhaps some part of that matches a pattern string match - LOL

