Netgate Discussion Forum

Adding PPA gets routing/redirect error

General pfSense Questions
routing newbie redirect router
  • S
    strongthany
    last edited by May 6, 2020, 4:46 PM

    Good afternoon,

    Previously I had made this post, wherein I thought that HAProxy was causing issues with being able to add a PPA to an Ubuntu server running within my network. I have since ruled that out as a cause of the problem. What seems to be happening is that the traffic is being redirected to a captive portal, though I don't have one configured on my firewall.

    I am at a loss as to what would be causing this issue. I am copying over information from the previous post to save time, though if I'm missing anything please check the other post. Let me know too if I am leaving out any details or if there is a setting you want to know the status of. Thank you for your time.

    HA Proxy config:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2020-04-22 16:27
    global
    	maxconn			1000
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	gid			80
    	nbproc			1
    	nbthread			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	2048
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend SharedFrontend-merged
    	bind			My.Public.IP:443 name My.Public.IP:443   ssl crt-list /var/etc/haproxy/SharedFrontend.crt_list crt-ignore-err all  
    	mode			http
    	log			global
    	option			http-keep-alive
    	option			forwardfor
    	acl https ssl_fc
    	http-request set-header		X-Forwarded-Proto http if !https
    	http-request set-header		X-Forwarded-Proto https if https
    	timeout client		30000
    	acl			aclcrt_SharedFrontend	var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomain\.tld(:([0-9]){1,5})?$
    	acl			ACL1	var(txn.txnhost) -m str -i chat.mydomain.tld
    	acl			ACL2	var(txn.txnhost) -m str -i blog.mydomain.tld
    	acl			ACL3	var(txn.txnhost) -m str -i cloud.mydomain.tld
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend chat.mydomain.tld_ipvANY  if  ACL1 
    	use_backend blog.mydomain.tld_ipv4  if  ACL2 
    	use_backend cloud.mydomain.tld_ipv4  if  ACL3 
    	default_backend chat.mydomain.tld_ipvANY
    	default_backend blog.mydomain.tld_ipv4
    	default_backend cloud.mydomain.tld_ipv4
    
    frontend http-to-https
    	bind			My.Public.IP:80 name My.Public.IP:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	option			forwardfor
    	acl https ssl_fc
    	http-request set-header		X-Forwarded-Proto http if !https
    	http-request set-header		X-Forwarded-Proto https if https
    	timeout client		30000
    	http-request redirect scheme https 
    
    backend chat.mydomain.tld_ipvANY
    	mode			http
    	id			100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			chat.mydomain.tld 10.10.10.252:443 id 101 ssl check inter 1000  verify none 
    
    backend blog.mydomain.tld_ipv4
    	mode			http
    	id			10102
    	log			global
    	option			log-health-checks
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / HTTP/1.1\r\nHost:\ blog.mydomain.tld
    	server			blog.mydomain.tld 10.10.10.251:443 id 10103 ssl check inter 1000  verify none 
    
    backend cloud.mydomain.tld_ipv4
    	mode			http
    	id			10104
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / HTTP/1.1\r\nHost:\ cloud.mydomain.tld
    	server			cloud.mydomain.tld 10.10.10.250:443 id 10105 ssl check inter 1000  verify none
    

    Error I get when I try to curl the destination of the PPA:

    admin@landscape:~$ curl http://ppa.launchpad.net/landscape/19.10/ubuntu/dists/bionic/Release
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    admin@landscape:~$ curl http://ppa.launchpad.net/landscape/19.10/ubuntu/dists/bionic/InRelease
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    

    Issue I get when I try to update the system after adding the PPA:

    admin@landscape:~$ sudo apt update 
    Ign:1 https://ppa.launchpad.net/landscape/19.10/ubuntu bionic InRelease
    Err:2 https://ppa.launchpad.net/landscape/19.10/ubuntu bionic Release
      Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.  Could not handshake: Error in the certificate verification. [IP: 91.189.95.83 443]
    Hit:3 http://us.archive.ubuntu.com/ubuntu bionic InRelease
    Hit:4 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease
    Hit:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease
    Hit:6 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease
    Reading package lists... Done                     
    E: The repository 'http://ppa.launchpad.net/landscape/19.10/ubuntu bionic Release' does not have a Release file.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
    admin@landscape:~$ 
    
    • S
      stephenw10 Netgate Administrator
      last edited by May 7, 2020, 4:20 PM

      The site cert is wrong:

      Firefox does not trust this site because it uses a certificate that is not valid for ppa.launchpad.net. The certificate is only valid for private-ppa.launchpad.net.
      

      Though that doesn't appear to exist there anyway even if you accept the bad cert.

      HA proxy would have nothing to do with outbound connections from a server behind it.

      Steve
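
Added example, not part of the thread: one way to tell the certificate name mismatch described in the reply above from an untrusted issuer, which is what a captive portal or intercepting proxy would typically present. The function names and the sample certificate dict are assumptions constructed for illustration; `fetch_cert` needs network access, the rest runs offline.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries of subjectAltName from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(hostname, pattern):
    """Exact match, or '*' standing for the whole left-most label only."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    first, _, rest = host.partition(".")
    return bool(first) and rest == pat[2:]

def diagnose(hostname, cert):
    """cert is a getpeercert() dict, or None when chain validation failed."""
    if cert is None:
        return ("untrusted-chain", [])   # issuer not in the local CA store
    names = san_dns_names(cert)
    if any(name_matches(hostname, n) for n in names):
        return ("ok", names)
    return ("name-mismatch", names)      # trusted chain, wrong host name

def fetch_cert(hostname, port=443, timeout=5):
    """Validate the chain against the system CA store but skip the name check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

# Constructed sample shaped like getpeercert() output; it mirrors the
# browser message quoted above (certificate valid only for private-ppa).
SAMPLE_CERT = {
    "subject": ((("commonName", "private-ppa.launchpad.net"),),),
    "subjectAltName": (("DNS", "private-ppa.launchpad.net"),),
}

if __name__ == "__main__":
    print(diagnose("ppa.launchpad.net", SAMPLE_CERT))
```

For a live check, call `diagnose(host, fetch_cert(host))` from the affected server.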

      • S
        strongthany @stephenw10
        last edited by May 8, 2020, 6:50 PM

        @stephenw10 I just tried it again and it works. Looks like they finally updated their certs. Thanks for the help!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.