Whonix Update Failure - Recieved HTTP code 403 from proxy after CONNECT

Qubes-Whonix
#1

OS: Qubes 3.0 (R3.0)

When trying to update whonix -ws / gs, the following is received in the terminal output for the past 2-3 days.

Err http://mirror.whonix.de jessie/main amd64 Packages
Recieved HTTP code 403 from proxy after CONNECT
W: Failed to fetch http://mirror.whonix.de/whonixdevelopermetafiles/internal/dists/jessie/main/binary/amd64/Packages Recieved HTTP code 403 from proxy after CONNECT

E: Some index files failed to download. They have been ignored, or old ones used instead.
Done. Press Enter to exit.

WhonixCheck continues to show updates required and Qubes VM Manager shows ā€œupdates pendingā€ for both templates.

Any advice? Thanks.

Errors updating whonix-gw template in qubes
#2

Correction to post, update is for ā€œwhonix-ws / gwā€.

#5

@barchino: I canā€™t replicate this. The only thing I can notice is that http://mirror.whonix.de/whonixdevelopermetafiles/internal/dists/jessie/main/binary/amd64/Packages doesnā€™t work, but http://mirror.whonix.de/whonixdevelopermetafiles/internal/dists/jessie/main/binary-amd64/Packages does. (dash between binary and amd64) Is your apt out of date?

#6

@fortasse: Thanks for your quick reply. My apologies in advance if I am not supplying the correct requested information as I am very much a layman at this.

Please note that I had to delete the link headers as was not allowed to post more than 5 links due being a new user.

  1. I have continued to attempt the update and recieve the same error. This time with ā€œbinary-amd64ā€ in the request line. Complete results below:

user@host:~$ sudo apt-get update && sudo apt-get dist-upgrade
Get:1 security.debian.org jessie/updates InRelease [63.1 kB]
Ign debian.org jessie InRelease
Ign whonix.de jessie InRelease
Hit torproject.org jessie InRelease
Hit deb.qubes-os.org jessie InRelease
Get:2 security.debian.org jessie/updates/main amd64 Packages [237 kB]
Hit us.debian.org jessie Release.gpg
Ign mirror.whonix.de jessie Release.gpg
Get:3 security.debian.org jessie/updates/contrib amd64 Packages [2,506 B]
Hit us.debian.org jessie Release
Ign mirror.whonix.de jessie Release
Get:4 security.debian.org jessie/updates/non-free amd64 Packages [14 B]
Get:5 security.debian.org jessie/updates/contrib Translation-en [1,211 B]
Ign mirror.whonix.de jessie/main amd64 Packages/DiffIndex
Hit deb.qubes-os.org jessie/main amd64 Packages
Get:6 security.debian.org jessie/updates/main Translation-en [129 kB]
Hit deb.torproject.org jessie/main amd64 Packages
Get:7 security.debian.org jessie/updates/non-free Translation-en [14 B]
Hit us.debian.org jessie/main amd64 Packages
Ign deb.qubes-os.org jessie/main Translation-en_US
Hit us.debian.org jessie/contrib amd64 Packages
Ign qubes-os.org jessie/main Translation-en
Hit us.debian.org jessie/non-free amd64 Packages
Ign deb.torproject.org jessie/main Translation-en_US
Hit us.debian.org jessie/contrib Translation-en
Ign deb.torproject.org jessie/main Translation-en
Hit us.debian.org jessie/main Translation-en
Hit us.debian.org jessie/non-free Translation-en
Ign mirror.whonix.de jessie/main Translation-en_US
Ign mirror.whonix.de jessie/main Translation-en
Err mirror.whonix.de jessie/main amd64 Packages
Received HTTP code 403 from proxy after CONNECT
Fetched 432 kB in 40s (10.8 kB/s)
W: Failed to fetch mirror.whonix.de/whonixdevelopermetafiles/internal/dists/jessie/main/binary-amd64/Packages Received HTTP code 403 from proxy after CONNECT

E: Some index files failed to download. They have been ignored, or old ones used instead.

  1. The whonix version appears to be up to date per whonixcheck if this is what you meant by " Is your apt out of date?" and returns the following from the teminal. Please let me know if Iā€™ve misunderstood this.

user@host:~$ whonixcheck
[INFO] [whonixcheck] whonix-ws | Whonix-Workstation | TemplateVM | xxxxxxxxxx UTC 2016
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] SocksPort Test: Testing Torā€™s SocksPortā€¦
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: xxxxxxxxxxx
[INFO] [whonixcheck] TransPort Test: Testing Torā€™s TransPortā€¦
[INFO] [whonixcheck] TransPort Test Result: Connected to Tor. IP: xxxxxxxxxxx
[INFO] [whonixcheck] Stream Isolation Test Result: Functional.
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updatesā€¦
[INFO] [whonixcheck] Whonix News Result:
āˆš Up to date: whonix-workstation-packages-dependencies 2.9-1
āˆš Up to date: Whonix Build Version: 11.0.0.3.0
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-getā€¦ ( Documentation: Operating System Software and Updates - Kicksecure )
[WARNING] [whonixcheck] Debian Package Update Check Result: Could not check for software updates! (apt-get code: 100)
Please manually check inside this TemplateVM (ā€˜whonix-wsā€™).

  1. Open a terminal. (dom0 ā†’ Start Menu ā†’ Template: whonix-ws ā†’ Terminal)
  2. Update. sudo apt-get update && sudo apt-get dist-upgrade
    [INFO] [whonixcheck] Whonix APT Repository: Enabled.
    When the Whonix team releases JESSIE updates,
    they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
    along with updated packages from the Debian team. Please
    read Placing Trust in Whonix ā„¢ to understand the risk.
    If you want to change this, use:
    sudo whonix_repository
  1. Quote: fortasse: ā€œCan you post the relevant lines from your sources.list? (if you donā€™t know, it should be in /etc/apt/sources.list or /etc/apt/sources.list.d/[a file here], I canā€™t quite remember)ā€

Not sure what the relevant lines would be but below is all the data from the 4 files in /etc/apt/sources.list.d/.

debian.list

This file is part of Whonix.

Copyright (C) 2012 - 2014 Patrick Schleizer adrelanos@riseup.net

See the file COPYING for copying conditions.

This is a default sources.list for Anonymity Linux Distributions,

which are derivatives of Debian.

If you want to see the example, which came with the upstream

distribution, see: /usr/share/doc/apt/examples/sources.list

Instead of directly editing this file,

the user is advised to create the file /etc/apt/sources.list.d/user.list.

This is because when this package gets updated,

/etc/apt/sources.list.d/debian.list will be overwritten and may receive new

new default values and comments. The entire folder /etc/apt/sources.list.d/

gets scanned for additional sources.list files by apt-get.

The user may keep their settings even after updating this package.

Without graphical user interface, you can use for example:

sudo nano /etc/apt/sources.list.d/user.list

With graphical user interface (KDE), you can use for example:

kdesudo kwrite /etc/apt/sources.list.d/user.list

deb security.debian.org jessie/updates main contrib non-free
deb us.debian.org/debian jessie main contrib non-free

#deb-src security.debian.org jessie/updates main contrib non-free
#deb-src us.debian.org/debian jessie main contrib non-free

Technical notes:

- Why is jessie-updates disabled by default?

See: StableUpdates - Debian Wiki

- Why are sources (deb-src) disabled by default?

Because those are not required by most users, to save time while

running ā€œsudo apt-get updateā€.

- See also: Debian -- Security Information

- See also: /etc/apt/sources.list.d/

qubes-r3.list

Main qubes updates repository

deb [arch=amd64] Index of /r3.0/vm/ jessie main
#deb-src Index of /r3.0/vm/ jessie main

Qubes updates candidates repository

#deb [arch=amd64] /deb.qubes-os.org/r3.0/vm jessie-testing main
#deb-src Index of /r3.0/vm/ jessie-testing main

Qubes security updates testing repository

#deb [arch=amd64] Index of /r3.0/vm/ jessie-securitytesting main
#deb-src Index of /r3.0/vm/ jessie-securitytesting main

Qubes experimental/unstable repository

#deb [arch=amd64] Index of /r3.0/vm/ jessie-unstable main
#deb-src Index of /r3.0/vm/ jessie-unstable main

torproject.list

This file is part of Whonix.

Copyright (C) 2012 - 2014 Patrick Schleizer adrelanos@riseup.net

See the file COPYING for copying conditions.

deb Index of /torproject.org jessie main
#deb-src Index of /torproject.org jessie main

whonix.list

This file is part of Whonix.

Copyright (C) 2012 - 2014 Patrick Schleizer adrelanos@riseup.net

See the file COPYING for copying conditions.

Whonix /etc/apt/sources.list.d/whonix.list

This file has been automatically created by /usr/bin/whonix_repository.

If you make manual changes to it, your changes get lost next time you run

the whonix_repository tool or next time your upgrade Whonix.

You can conveniently manage this file, using the whonix_repository tool.

For any modifications (delete this file, use stable version, use testers

version or use developers version), please use the whonix_repository tool.

Run:

sudo whonix_repository

deb mirror.whonix.de/whonixdevelopermetafiles/internal/ jessie main

Leaving source line disabled by default to safe some time, itā€™s not useful

anyway, since itā€™s better to get the source code from the git repository.

#deb-src mirror.whonix.de/whonixdevelopermetafiles/internal/ jessie main

End of /etc/apt/sources.list.d/whonix.list

#7

barchino:

deb mirror.whonix.de/whonixdevelopermetafiles/internal/ jessie main

That line looks messed up. Did you manually edit it? We never had it
created with leading http.

Anyhow. This will can be easily re-created using Whonix repository tool.
Just enable again stable. See:

#8

No. I did not edit the line in the file. I only edited the line in the post (deleted http) due to not being allowed to post more than 5 links as a new user. The full line from the whonix.list file as copied is:

deb http://mirror.whonix.de/whonixdevelopermetafiles/internal/ jessie main shutdown

I tried to enable the stable repository again but still receive the same error.

Steps taken in order were:

  1. Enable the stable repository per APT Repository instructions.
    No change.
  2. Enable the stable repository, shutdown and restart whonix template VM.
    No change.
  3. Disable and reenable the stable repository.
    No change.
  4. Disable the stable repository. Restart the system. (whonix.list was no longer in /etc/apt/sources.list.d/ ) Enable the repository. (whonix.list repopulated in /etc/apt/sources.list.d/).
    No Change

For reference:

I have made no manual changes to whonix or qubes. The whonix updates have functioned well for over 4 months until a few days ago. The only other updates have been the qubes fedora template updates which continue to function.
Not sure if itā€™s relevant but did have a qubes DOM0 update show as ā€œpendingā€ a week or 2 ago but when attempting to update via the terminal, appeared to not update and the ā€œpendingā€ notification disappeared.

What next?

#9

I tried a few more things.

First was to update via terminal using only ā€œsudo apt-get updateā€. The results were the same:

Err http://mirror.whonix.de jessie/main amd64 Packages
Recieved HTTP code 403 from proxy after CONNECT
W: Failed to fetch http://mirror.whonix.de/whonixdevelopermetafiles/internal/dists/jessie/main/binary/amd64/Packages2 Recieved HTTP code 403 from proxy after CONNECT

Second tried ā€œsudo apt-get dist-upgradeā€ only via terminal and the upgrade succeded. The ā€œupdate pendingā€ notification in VM Manager disappeared.
Ran whonixcheck on both whonix and sys-whonix. Received a good report on both checks. See below for the sys-whonix check.

user@host:~$ whonixcheck
[INFO] [whonixcheck] sys-whonix | Whonix-Gateway | whonix-gw Template-Based ProxyVM | xxxxxx UTC 2016
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] SocksPort Test: Testing Torā€™s SocksPortā€¦
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: xxxxxxxxxx
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updatesā€¦
[INFO] [whonixcheck] Whonix News Result:
āˆš Up to date: whonix-gateway-packages-dependencies 2.9-1
āˆš Up to date: Whonix Build Version: 11.0.0.3.0
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-getā€¦ ( Documentation: Operating System Software and Updates - Kicksecure )
[INFO] [whonixcheck] Debian Package Update Check Result: No updates found via apt-get.
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases JESSIE updates,
they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
along with updated packages from the Debian team. Please
read Placing Trust in Whonix ā„¢ to understand the risk.
If you want to change this, use:
sudo whonix_repository

Third, ran whonixcheck on both whonix-ws and whonix-gw but recieved the same Debian Package Update WARNING and apt-get code 100 as before. See below.

user@host:~$ whonixcheck
[INFO] [whonixcheck] whonix-ws | Whonix-Workstation | TemplateVM | xxxxxxxx UTC 2016
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] SocksPort Test: Testing Torā€™s SocksPortā€¦
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: xxxxxxxxxxxx
[INFO] [whonixcheck] TransPort Test: Testing Torā€™s TransPortā€¦
[INFO] [whonixcheck] TransPort Test Result: Connected to Tor. IP: xxxxxxxxxxxx
[INFO] [whonixcheck] Stream Isolation Test Result: Functional.
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updatesā€¦
[INFO] [whonixcheck] Whonix News Result:
āˆš Up to date: whonix-workstation-packages-dependencies 2.9-1
āˆš Up to date: Whonix Build Version: 11.0.0.3.0
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-getā€¦ ( Documentation: Operating System Software and Updates - Kicksecure )
[WARNING] [whonixcheck] Debian Package Update Check Result: Could not check for software updates! (apt-get code: 100)
Please manually check inside this TemplateVM (ā€˜whonix-wsā€™).

  1. Open a terminal. (dom0 ā†’ Start Menu ā†’ Template: whonix-ws ā†’ Terminal)
  2. Update. sudo apt-get update && sudo apt-get dist-upgrade
    [INFO] [whonixcheck] Whonix APT Repository: Enabled.
    When the Whonix team releases JESSIE updates,
    they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
    along with updated packages from the Debian team. Please
    read Placing Trust in Whonix ā„¢ to understand the risk.
    If you want to change this, use:
    sudo whonix_repository

Fourth, tested whonix-ws and -gw template update functions again . Still get the same results from Qubes VM Manager update and the terminal using ā€œsudo apt-get update && sudo apt-get dist-upgradeā€ and only ā€œsudo apt-get updateā€. ā€œsudo apt-get dist-upgradeā€ by itself appears to function.

Are there any other steps I can try to resolve this?
Thanks.

#10

Correction to second to last post:

Just saw that somehow I added shutdow to the line in the reply. The file line actually reads:

deb http://mirror.whonix.de/whonixdevelopermetafiles/internal/ jessie main

#11

With a newly downloaded and installed whonix-gw template in qubes, it shows updates available in qubes-manager. However, doing :

ā€œsudo apt-get updateā€

ā€¦from within whonix-gw terminal , produces some errors. Most repos are contacted fine, but one of them causes an error like:

ā€œError, http code 403 received from proxy after CONNECTā€

I donā€™t have my qubes/whonix machine here with me so canā€™t copy-paste it exactly, but the affected repo is something related to ā€œamd64 packagesā€.

And because of this, it ends up with:

ā€œE: Some index files failed to download. They have been ignored, or old ones used instead.ā€

This glitch means that trying ā€œsudo apt-get update && apt-get dist-upgradeā€ fails entirely, because the error is considered fatal and not even other updates will complete. Manually forcing ā€œsudo apt-get dist-upgradeā€ will get the other updates, but even so, doing ā€œwhonixcheckā€ reports that it was unable to check for package updates, due to apt error 100.

Normal non-qubes Whonix running under KVM on Linux Mint has no issue, and updates check and complete correctly. Only whonix template on qubes is affected.

Can anyone/Patrick confirm that the repo in question is just offline at the moment, and if so, advise how to proceed? This has been the case for at least 4 days straight now, so it is not a ā€œquickly-resolvingā€ temporary problem.

Thanks!

#12

Ah sorry, I didnā€™t see this original similar (identical) topic when posting mine. For the record, I have made absolutely no manual changes to anything in either whonix or qubes, and am getting this same error. It is a fresh clean install, and just trying to update the whonix-gw template. No text files were ever edited or customized in any way.

I am guessing there is no resolution yetā€¦

#13

Qubes R3.0 or R3.1?

Can you please compare contents of your tinyproxy config files?

There might be a difference Qubes R3.0 vs R3.1.

user@host:~$ cat /etc/tinyproxy/tinyproxy-updates.conf 

User tinyproxy
Group tinyproxy
Port 8082
Timeout 60
DefaultErrorFile "/usr/share/tinyproxy/default.html"

#StatHost "tinyproxy.stats"
StatFile "/usr/share/tinyproxy/stats.html"
Syslog On
LogLevel Notice
PidFile "/var/run/tinyproxy-updates/tinyproxy.pid"

MaxClients 50
MinSpareServers 2
MaxSpareServers 10
StartServers 2
MaxRequestsPerChild 0
DisableViaHeader Yes

Allow 127.0.0.1
Allow 10.137.0.0/16

ConnectPort 443

# Explicitly block connections to the proxy IP, to return an error in such
# case. This error page contains a magic string which is used in Whonix to
# detect whether proxy is torified or not.
# See https://github.com/qubesos/qubes-issues/issues/1482 for details
Filter "/etc/tinyproxy/updates-blacklist"

user@host:~$ cat /etc/tinyproxy/updates-blacklist 

10.137.255.254
#14

Please also check tinyproxy logs. EDIT: In sys-whonix.

sudo journalctl -u qubes-updates-proxy | cat
#15

It is Qubes 3.1, by virtue of having updated from 3.0 directly within qubes via ā€œsudo qubes-dom0-updateā€. Not a new install of 3.1 out of the box. But all went smoothly with no errors from that update.

I will have to check the tinyproxy config settings when I am back at that machine. I presume this is done within the whonix-gw terminal itself.

#16

Tinyproxy logs command in sys-whonix. The others donā€™t matter.

During Qubes R3.0 ā†’ R3.1 upgrade, did you follow the instructions Redirectingā€¦? Did you also upgrade to R3.1 inside the Whonix templates?

(ā€œsudo qubes-dom0-updateā€ alone is not a complete upgrade to R3.1.)

#17

Ah, I think this is my fault from being away from Qubes for so long. Iā€™ve been using Whonix by itself with KVM, and only this weekend went to try Qubes again. I just read this page:

and the last line:

ā€œExisting users of the 3.0 and 3.1-rcX releases should be able to easily upgrade
without re-installing. Enjoy!ā€

I figured qubes-dom0-update was all that was necessary to go from 3.0 to 3.1, just as recent update from Whonix 11 to 12 was achievable through similarly simple commands (nice job and applause on that, by the way!!).

It was my ignorance being unaware of that special update instruction page, since I havenā€™t kept up with Qubes in recent months. So, I am probably still in fact on 3.0 without having realized it. I thought that 3.0 ā†’ 3.1 was just a natural, automatic update no different from any other sporadic one, with no additional steps. I will revisit the update later and try again.

Thanks!

1 Like
#18

I appreciate the report! Itā€™s not confirmed yet, that R3.1 will not have this issue. Too early to blame it on tinyproxy configuration. Letā€™s see. Please try if you will still be having this issue with R3.1.

And even if R3.0 has this issue, Whonix should recommend to upgrade to R3.1. (Especially for the upcoming Whonix 12 ā†’ 13 upgrading instructions.)

Blog post should link to these instructions indeed. Submitted a fix:

#19

I had a chance to do a fresh install of Qubes R3.1 to a different device, and on that installation the whonix template updates worked perfectly fine with no 403 error complaint. On Qubes R3.0 I am still seeing the same issue.

Unfortunately I encountered a completely new non-whonix-related problem, in that Qubes 3.1 totally breaks functionality with my Realtek wireless card. It worked fine on 3.0, but on 3.1 it glitches and freezes constantly, and wonā€™t connect to wifi spot.

I donā€™t know whether itā€™s a fedora 23, kernel, or Qubes core issue, but I am going to try importing my fedora 21 template from 3.0 and see if using that for sys-net helps at all. Like I said though, not a whonix-specific issue there, but still annoying.

1 Like
#20

2 posts were split to a new topic: in-place upgrades possible? If (not) so, why? Recommended? ( Whonix 12 ā†’ Whonix 13 )

in-place upgrades possible? If (not) so, why? Recommended? ( Whonix 12 -> Whonix 13 )
#21

I can also confirm that his is a problem on R3.0. As far as I can see, the main ā€œconfusionā€ seems to be whether this problem is related to Qubes R3.0 or if it is something more general. Otto_Kratik seems to have isolated it to R3.0.

There are various reasons why people are still on R3.0, and not al of them are laziness. Has the root cause of the problem been determined yet? If so, can someone offer a workaround?

Just for completeness, I should also make it clear that I have made no manual changes to my Qubes-Whonix configuration.

My /etc/tinyproxy/tinyproxy-updates.conf file differs slightly at the end:

[code]cat /etc/tinyproxy/tinyproxy-updates.conf
User tinyproxy
Group tinyproxy
Port 8082
Timeout 60
DefaultErrorFile ā€œ/usr/share/tinyproxy/default.htmlā€

#StatHost "tinyproxy.stats"
StatFile "/usr/share/tinyproxy/stats.html"
Syslog On
LogLevel Notice
PidFile ā€œ/var/run/tinyproxy-updates/tinyproxy.pidā€

MaxClients 50
MinSpareServers 2
MaxSpareServers 10
StartServers 2
MaxRequestsPerChild 0
ViaProxyName ā€œtinyproxyā€

Allow 127.0.0.1
Allow 10.137.0.0/16

Filter "/etc/tinyproxy/filter-updates"
FilterURLs On
#FilterExtended On
#FilterCaseSensitive On
FilterDefaultDeny Yes
ConnectPort 443[/code]
and /etc/tinyproxy contains the following files:

ls -l /etc/tinyproxy total 8 -rw-r--r-- 1 root root 1026 Nov 15 2015 filter-updates -rw-r--r-- 1 root root 542 Nov 15 2015 tinyproxy-updates.conf
ie there is no updates-blacklist file.

#22

With reasonable certainty, it is the tinyproxy config files.

Use the tinyproxy config files for Qubes R3.1. Update them in your whonix-gw TemplateVM. Then restart sys-whonix. Should work. Untested.