APT | TLS errors when connecting to dietpi.com #7022

Open
vanGeek opened this issue Apr 15, 2024 · 13 comments
Labels
External bug 🐞 For bugs which are not caused by DietPi. Investigating 🤔 Priority 🔆
@vanGeek

vanGeek commented Apr 15, 2024

Creating a bug report/issue

  • [ x ] I have searched the existing open and closed issues

Required Information

  • DietPi version | G_DIETPI_VERSION_CORE=9 G_DIETPI_VERSION_SUB=2 G_DIETPI_VERSION_RC=1 G_GITBRANCH='master'
  • Distro version | bullseye 0
  • Kernel version | Linux homePI 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
  • SBC model | RPI Model 4 or (EG: RPi3)
  • Power supply used | 5V 1A RAVpower
  • SD card used | SanDisk ultra 128gb

Additional Information (if applicable)

  • Software title | (EG: Nextcloud)
  • Was the software title installed freshly or updated/migrated?
  • Can this issue be replicated on a fresh installation of DietPi?
  • Bug report ID | echo $G_HW_UUID

Steps to reproduce

  1. Dietpi-update
  2. ...

Expected behaviour

  • update dietpi

Actual behaviour

  • fail to handshake : error in pull function

Extra details

  • homebridge / adguard home
@MichaIng
Owner

At which command did this happen exactly? At best, could you copy&paste the full update log/output here?

In case it happens during the APT update when pulling files from our APT repo: I get this at times when accessing resources on dietpi.com behind Cloudflare, but since no one else reported it yet, I was hoping it is an issue with my personal network/ISP/location. The same happens with curl (OpenSSL) and wget/apt (GnuTLS). Simply retrying the same thing solves it, so it is happening randomly, also independent of the actual Cloudflare edge involved:

root@micha:/tmp/apt/lists# curl -I https://dietpi.com/motd
curl: (35) Recv failure: Connection reset by peer
root@micha:/tmp/apt/lists# wget --spider https://dietpi.com/motd
Spider mode enabled. Check if remote file exists.
--2024-04-15 23:44:25--  https://dietpi.com/motd
Resolving dietpi.com (dietpi.com)... 2606:4700:20::ac43:4565, 2606:4700:20::681a:4f3, 2606:4700:20::681a:5f3, ...
Connecting to dietpi.com (dietpi.com)|2606:4700:20::ac43:4565|:443... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

Since APT uses GnuTLS as well, it could happen when updating/upgrading from our new APT repo. If so, I'll open a ticket to get this investigated.

Disabling IPv4 solves it permanently here, but this is really not something I want to accept. We even temporarily switched to the Cloudflare Pro plan to test some routing optimisations, but while it helped for another issue, it did not help in my case.

@vanGeek
Author

vanGeek commented Apr 16, 2024

 DietPi v9.2.1 : 23:04 - Mo 15.04.2024
 ─────────────────────────────────────────────────────
 - Device model : RPi 4 Model B (aarch64)
 - CPU temp : 42 °C / 107 °F : Optimal temperature
 - LAN IP :  (eth0)
curl: (35) OpenSSL SSL_connect: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt in connection to dietpi.com:443 
 ─────────────────────────────────────────────────────

 DietPi Team     : https://github.com/MichaIng/DietPi#the-dietpi-project-team
 Patreon Legends : Chris Gelatt, ADSB.im
 Website         : https://dietpi.com/ | https://twitter.com/DietPi_
 Contribute      : https://dietpi.com/contribute.html
 Web Hosting by  : https://myvirtualserver.com

 dietpi-launcher : All the DietPi programs in one place
 dietpi-config   : Feature rich configuration tool for your device
 dietpi-software : Select optimised software for installation
 htop            : Resource monitor
 cpu             : Shows CPU information and stats

root@homePI:~# dietpi-update

 DietPi-Update
─────────────────────────────────────────────────────
 Phase: Checking for available DietPi update

[  OK  ] DietPi-Update | Checking IPv4 network connectivity
[  OK  ] DietPi-Update | Checking IPv6 network connectivity
[  OK  ] DietPi-Update | Checking DNS resolver
[ INFO ] DietPi-Update | Getting latest version from: https://raw.githubusercontent.com/MichaIng/DietPi/master/.update/version
[  OK  ] DietPi-Update | Got valid latest version: 9.3.0
[  OK  ] DietPi-Update | Update available:
[ INFO ] DietPi-Update | Current version : v9.2.1
[ INFO ] DietPi-Update | Latest version  : v9.3.0

 DietPi-Update
─────────────────────────────────────────────────────
 Phase: Checking for update pre-requirements

[  OK  ] DietPi-Update | DietPi-Userdata validation: /mnt/dietpi_userdata
[  OK  ] DietPi-Update | Free space check: path=/ | available=109443 MiB | required=100 MiB
[ SUB1 ] DietPi-Services > stop 
[  OK  ] DietPi-Services | stop : cron
[  OK  ] DietPi-Services | stop : homebridge
[  OK  ] DietPi-Services | stop : lighttpd
[  OK  ] DietPi-Services | stop : php7.4-fpm
[  OK  ] DietPi-Services | stop : mariadb
[  OK  ] DietPi-Services | stop : redis-server

 DietPi-Update
─────────────────────────────────────────────────────
 Phase: Applying pre-patches

[  OK  ] DietPi-Update | Downloading pre-patches
[  OK  ] DietPi-Update | Applying execute permission
[  OK  ] DietPi-Update | Successfully applied pre-patches

 DietPi-Update
─────────────────────────────────────────────────────
 Phase: Upgrading APT packages

[ INFO ] DietPi-Update | APT update, please wait...
Hit:1 https://deb.debian.org/debian bullseye InRelease
Get:2 https://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Err:3 https://repo.homebridge.io stable InRelease
  Could not handshake: Error in the pull function. [IP: 2606:4700:3037::6815:393e 443]
Get:4 https://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Hit:5 https://archive.raspberrypi.com/debian bullseye InRelease
Get:6 https://deb.debian.org/debian bullseye-backports InRelease [49.0 kB]
Get:7 https://deb.debian.org/debian-security bullseye-security/main arm64 Packages [266 kB]
Fetched 407 kB in 2s (190 kB/s)
Reading package lists...
E: Failed to fetch https://repo.homebridge.io/dists/stable/InRelease  Could not handshake: Error in the pull function. [IP: 2606:4700:3037::6815:393e 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.
[FAILED] DietPi-Update | APT update
 - Command: apt-get -y -eany update
[ INFO ] DietPi-Update | APT update, please wait...
Hit:1 https://deb.debian.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian bullseye-updates InRelease
Hit:3 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:4 https://deb.debian.org/debian bullseye-backports InRelease
Hit:5 https://repo.homebridge.io stable InRelease
Hit:6 https://archive.raspberrypi.com/debian bullseye InRelease
Reading package lists...
[  OK  ] DietPi-Update | APT update
[ INFO ] DietPi-Update | APT upgrade, please wait...
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  php7.4-cli php7.4-common php7.4-curl php7.4-fpm php7.4-gd php7.4-intl
  php7.4-json php7.4-mbstring php7.4-mysql php7.4-opcache php7.4-readline
  php7.4-xml php7.4-zip
13 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 4605 kB of archives.
After this operation, 23.6 kB of additional disk space will be used.
Get:1 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-zip arm64 7.4.33-1+deb11u5 [20.1 kB]
Get:2 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-xml arm64 7.4.33-1+deb11u5 [91.0 kB]
Get:3 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-readline arm64 7.4.33-1+deb11u5 [11.6 kB]
Get:4 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-opcache arm64 7.4.33-1+deb11u5 [179 kB]
Get:5 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-mysql arm64 7.4.33-1+deb11u5 [111 kB]
Get:6 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-mbstring arm64 7.4.33-1+deb11u5 [387 kB]
Get:7 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-json arm64 7.4.33-1+deb11u5 [18.2 kB]
Get:8 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-intl arm64 7.4.33-1+deb11u5 [114 kB]
Get:9 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-gd arm64 7.4.33-1+deb11u5 [26.7 kB]
Get:10 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-fpm arm64 7.4.33-1+deb11u5 [1313 kB]
Get:11 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-curl arm64 7.4.33-1+deb11u5 [29.1 kB]
Get:12 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-cli arm64 7.4.33-1+deb11u5 [1301 kB]
Get:13 https://deb.debian.org/debian-security bullseye-security/main arm64 php7.4-common arm64 7.4.33-1+deb11u5 [1002 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 4605 kB in 1s (7617 kB/s)
(Reading database ... 52800 files and directories currently installed.)
Preparing to unpack .../00-php7.4-zip_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-zip (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../01-php7.4-xml_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-xml (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../02-php7.4-readline_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-readline (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../03-php7.4-opcache_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-opcache (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../04-php7.4-mysql_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-mysql (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../05-php7.4-mbstring_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-mbstring (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../06-php7.4-json_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-json (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../07-php7.4-intl_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-intl (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../08-php7.4-gd_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-gd (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../09-php7.4-fpm_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-fpm (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../10-php7.4-curl_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-curl (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../11-php7.4-cli_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-cli (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Preparing to unpack .../12-php7.4-common_7.4.33-1+deb11u5_arm64.deb ...
Unpacking php7.4-common (7.4.33-1+deb11u5) over (7.4.33-1+deb11u4) ...
Setting up php7.4-common (7.4.33-1+deb11u5) ...
Setting up php7.4-curl (7.4.33-1+deb11u5) ...
Setting up php7.4-mysql (7.4.33-1+deb11u5) ...
Setting up php7.4-readline (7.4.33-1+deb11u5) ...
Setting up php7.4-mbstring (7.4.33-1+deb11u5) ...
Setting up php7.4-intl (7.4.33-1+deb11u5) ...
Setting up php7.4-zip (7.4.33-1+deb11u5) ...
Setting up php7.4-opcache (7.4.33-1+deb11u5) ...
Setting up php7.4-gd (7.4.33-1+deb11u5) ...
Setting up php7.4-json (7.4.33-1+deb11u5) ...
Setting up php7.4-xml (7.4.33-1+deb11u5) ...
Setting up php7.4-cli (7.4.33-1+deb11u5) ...
Setting up php7.4-fpm (7.4.33-1+deb11u5) ...
Processing triggers for php7.4-cli (7.4.33-1+deb11u5) ...
Processing triggers for php7.4-fpm (7.4.33-1+deb11u5) ...
[  OK  ] DietPi-Update | APT upgrade

 DietPi-Update
─────────────────────────────────────────────────────
 Phase: Installing new DietPi code

[  OK  ] DietPi-Update | Downloading update archive
[  OK  ] DietPi-Update | Unpacking update archive
[  OK  ] DietPi-Update | Removing unused files
[  OK  ] DietPi-Update | Hardening update archive mode
[  OK  ] DietPi-Update | Installing new DietPi scripts
[  OK  ] DietPi-Update | Installing new DietPi system files
[ SUB1 ] DietPi-Set_software > verify_dietpi.txt
[  OK  ] DietPi-Set_software | Downloading current dietpi.txt
[  OK  ] verify_dietpi.txt  | Completed
[  OK  ] DietPi-Update | sync
[  OK  ] DietPi-Update | systemctl daemon-reload

 DietPi-Update
─────────────────────────────────────────────────────
 Phase: Applying incremental patches

[ INFO ] DietPi-Update | Current version : v9.2.1
[ INFO ] DietPi-Update | Latest version  : v9.3.0
[ INFO ] DietPi-Patch | Patching to DietPi v9.3...
[ INFO ] DietPi-Patch | APT purge vmtouch, please wait...
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  vmtouch*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 53.2 kB disk space will be freed.
(Reading database ... 52800 files and directories currently installed.)
Removing vmtouch (1.3.1-dietpi1) ...
Deconfiguring vmtouch systemd service ...
Removed /etc/systemd/system/local-fs.target.wants/vmtouch.service.
(Reading database ... 52796 files and directories currently installed.)
Purging configuration files for vmtouch (1.3.1-dietpi1) ...
[  OK  ] DietPi-Patch | APT purge vmtouch
[ SUB2 ] DietPi-Set_software > apt-mirror (dietpi)
[FAILED] DietPi-Set_software | curl -sSf https://dietpi.com/apt/key.asc -o /etc/apt/trusted.gpg.d/dietpi.asc
[  OK  ] DietPi-Set_software | curl -sSf https://dietpi.com/apt/key.asc -o /etc/apt/trusted.gpg.d/dietpi.asc
[  OK  ] DietPi-Set_software | eval echo 'deb https://dietpi.com/apt bullseye main rpi4' > /etc/apt/sources.list.d/dietpi.list
[  OK  ] DietPi-Set_software | eval echo 'deb https://dietpi.com/apt all rpi' >> /etc/apt/sources.list.d/dietpi.list
[  OK  ] apt-mirror dietpi | Completed
[ INFO ] DietPi-Patch | APT update, please wait...
Err:1 https://dietpi.com/apt bullseye InRelease
  Could not handshake: Error in the pull function. [IP: 2606:4700:20::681a:5f3 443]
Hit:2 https://deb.debian.org/debian bullseye InRelease
Hit:3 https://deb.debian.org/debian bullseye-updates InRelease
Hit:4 https://repo.homebridge.io stable InRelease
Hit:5 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:6 https://deb.debian.org/debian bullseye-backports InRelease
Hit:7 https://archive.raspberrypi.com/debian bullseye InRelease
Get:8 https://dietpi.com/apt all InRelease [3889 B]
Get:9 https://dietpi.com/apt all/rpi all Packages [428 B]
Fetched 4317 B in 3s (1469 B/s)
Reading package lists...
E: Failed to fetch https://dietpi.com/apt/dists/bullseye/InRelease  Could not handshake: Error in the pull function. [IP: 2606:4700:20::681a:5f3 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.
[FAILED] DietPi-Patch | APT update
 - Command: apt-get -y -eany update
[ INFO ] DietPi-BugReport | Generating informative command outputs, please wait...
[ INFO ] DietPi-BugReport | cp /tmp/G_EXEC_ERROR_REPORT G_EXEC_ERROR_REPORT, please wait...
[  OK  ] DietPi-BugReport | cp /tmp/G_EXEC_ERROR_REPORT G_EXEC_ERROR_REPORT
[  OK  ] DietPi-BugReport | Packing upload archive
[  OK  ] DietPi-BugReport | Sending bug report
[  OK  ] DietPi-BugReport | Your bug report has been successfully uploaded.
- Reference code: 376406fe-af36-4c1f-af4c-4615404b879b

Please file a related bug report at GitHub or our forum:
- https://github.com/MichaIng/DietPi/issues
- https://dietpi.com/forum/c/troubleshooting/10

The uploaded file will be removed automatically after 48 hours or when your issue has been solved. Additionally you can remove it by running:
- dietpi-bugreport -1

Press any key to continue...g
[ INFO ] DietPi-BugReport | Generating informative command outputs, please wait...
[ INFO ] DietPi-BugReport | cp /tmp/G_EXEC_ERROR_REPORT G_EXEC_ERROR_REPORT, please wait...
[  OK  ] DietPi-BugReport | cp /tmp/G_EXEC_ERROR_REPORT G_EXEC_ERROR_REPORT
[  OK  ] DietPi-BugReport | Packing upload archive
[  OK  ] DietPi-BugReport | Sending bug report
[  OK  ] DietPi-BugReport | Your bug report has been successfully uploaded.
- Reference code: 376406fe-af36-4c1f-af4c-4615404b879b

Please file a related bug report at GitHub or our forum:
- https://github.com/MichaIng/DietPi/issues
- https://dietpi.com/forum/c/troubleshooting/10

The uploaded file will be removed automatically after 48 hours or when your issue has been solved. Additionally you can remove it by running:
- dietpi-bugreport -1

Press any key to continue...g

---------------------------------------------------------------------
- DietPi has encountered an error                                   -
- Please create a ticket: https://github.com/MichaIng/DietPi/issues -
- Copy and paste only the BLUE lines below into the ticket          -
---------------------------------------------------------------------
#### Details:
- Date           | Mon Apr 15 23:07:15 CEST 2024
- Bug report     | 376406fe-af36-4c1f-af4c-4615404b879b
- DietPi version | v9.3.0 (MichaIng/master)
- Image creator  | 
- Pre-image      | 
- Hardware       | RPi 4 Model B (aarch64) (ID=4)
- Kernel version | `Linux homePI 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux`
- Distro         | bullseye (ID=6,RASPBIAN=0)
- Command        | `apt-get -y -eany update`
- Exit code      | 100
- Software title | DietPi-Patch
#### Steps to reproduce:
<!-- Explain how to reproduce the issue -->
1. ...
2. ...
#### Expected behaviour:
<!-- What SHOULD happen? -->
- ...
#### Actual behaviour:
<!-- What IS happening? -->
- ...
#### Extra details:
<!-- Please post any extra details that might help solve the issue -->
- ...
#### Additional logs:

Err:1 https://dietpi.com/apt bullseye InRelease
  Could not handshake: Error in the pull function. [IP: 2606:4700:20::681a:5f3 443]
Hit:2 https://deb.debian.org/debian bullseye InRelease
Hit:3 https://deb.debian.org/debian bullseye-updates InRelease
Hit:4 https://repo.homebridge.io stable InRelease
Hit:5 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:6 https://deb.debian.org/debian bullseye-backports InRelease
Hit:7 https://archive.raspberrypi.com/debian bullseye InRelease
Get:8 https://dietpi.com/apt all InRelease [3889 B]
Get:9 https://dietpi.com/apt all/rpi all Packages [428 B]
Fetched 4317 B in 3s (1469 B/s)
Reading package lists...
E: Failed to fetch https://dietpi.com/apt/dists/bullseye/InRelease  Could not handshake: Error in the pull function. [IP: 2606:4700:20::681a:5f3 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.

---------------------------------------------------------------------
[FAILED] DietPi-Patch | Unable to continue, DietPi-Patch will now terminate.
[FAILED] DietPi-Update | An error occurred during incremental patching. Please check the above log or /var/tmp/dietpi/logs/dietpi-update.log for errors, and rerun "dietpi-update" after the cause has been solved.
root@homePI:~# 
root@homePI:~# 
root@homePI:~# cat /boot/dietpi/.version
G_DIETPI_VERSION_CORE=9
G_DIETPI_VERSION_SUB=2
G_DIETPI_VERSION_RC=1
G_GITBRANCH='master'
G_GITOWNER='MichaIng'
root@homePI:~# echo $G_DISTRO_NAME $G_RASPBIAN
bullseye 0
root@homePI:~# uname -a
Linux Registrierter homePI 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux
root@homePI:~# echo $G_HW_MODEL_NAME
RPi 4 Model B (aarch64)
root@homePI:~# 
Connection to  closed.

@Joulinar
Collaborator

As a workaround, you can try to disable IPv6.

@MichaIng
Owner

Yes, or just "Retry" from the error handler. Okay I'll open a ticket with Cloudflare. It is really an issue with their edge server(s), maybe in combination with some settings, as it does not happen when accessing our server directly.

@MichaIng MichaIng added Priority 🔆 External bug 🐞 For bugs which are not caused by DietPi. labels Apr 16, 2024
@MichaIng MichaIng added this to the v9.4 milestone Apr 16, 2024
@vanGeek
Author

vanGeek commented Apr 16, 2024

Retry did not work, I tried it several times but always ran into the same issue.
I tried it today and it worked fine.

@Power-onoff

Power-onoff commented Apr 17, 2024

I'm having the same problem

  • bug report reference code: 6691dfaa-3bee-47d7-b6b5-b34978f14cb7

Details:

  • Date | Wed Apr 17 21:29:04 KST 2024
  • DietPi version | v9.2.1 (MichaIng/master)
  • Image creator |
  • Pre-image |
  • Hardware | Native PC (x86_64) (ID=21)
  • Kernel version | Linux localhost 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linux
  • Distro | bookworm (ID=7)
  • Command | apt-get -y -eany update
  • Exit code | 100
  • Software title | DietPi-Update

Steps to reproduce:

  1. dietpi-update
  2. ...

Expected behaviour:

  • ...

Actual behaviour:

  • ...

Extra details:

  • ...

Additional logs:

Hit:1 https://deb.debian.org/debian bookworm InRelease
Hit:2 https://deb.debian.org/debian bookworm-updates InRelease
Hit:3 https://deb.debian.org/debian-security bookworm-security InRelease
Get:4 https://download.docker.com/linux/debian bookworm InRelease [43.3 kB]
Get:5 https://dietpi.com/apt bookworm InRelease [3522 B]
Hit:6 https://deb.debian.org/debian bookworm-backports InRelease
Err:5 https://dietpi.com/apt bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1DF45FDB9C6CE851
Reading package lists...
W: https://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://download.docker.com/linux/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://dietpi.com/apt/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: https://dietpi.com/apt bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1DF45FDB9C6CE851
E: The repository 'https://dietpi.com/apt bookworm InRelease' is not signed.
W: https://deb.debian.org/debian/dists/bookworm-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
root@localhost:/# curl -I https://dietpi.com/motd
HTTP/2 200
date: Wed, 17 Apr 2024 12:39:19 GMT
content-type: text/plain; charset=utf-8
content-length: 404
content-language: en
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: upgrade-insecure-requests; frame-ancestors 'none'; form-action 'none'; base-uri 'none'; default-src 'none'
permissions-policy: accelerometer=(), autoplay=(), browsing-topics=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), screen-wake-lock=()
referrer-policy: no-referrer-when-downgrade
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 0
server: cloudflare
cf-ray: 875c7a293fe019e2-KIX
alt-svc: h3=":443"; ma=86400
root@localhost:/# wget --spider https://dietpi.com/motd
Spider mode enabled. Check if remote file exists.
--2024-04-17 21:40:06--  https://dietpi.com/motd
Resolving dietpi.com (dietpi.com)... 104.26.4.243, 104.26.5.243, 172.67.69.101, ...
Connecting to dietpi.com (dietpi.com)|104.26.4.243|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 404 [text/plain]
Remote file exists.

@Joulinar
Collaborator

> I'm having the same problem

It's a different problem

Err:5 https://dietpi.com/apt bookworm InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1DF45FDB9C6CE851

Somehow the public key is missing. 🤔 Usually this should be applied during update

@MichaIng
Owner

The keys are there, but all not readable:

W: https://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://download.docker.com/linux/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://dietpi.com/apt/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.

Please check the permissions for this and all parent directories:

ls -dl /etc /etc/apt /etc/apt/trusted.gpg.d
ls -l /etc/apt/trusted.gpg.d
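
The two failure modes reported in this thread can be told apart mechanically from `apt-get update` output. The following is an added example, not part of any comment above and not DietPi code: the function names are hypothetical, and the sample input is excerpted from the logs posted in this thread. A `missing-key` record that appears together with an `unreadable-key` record points at file permissions rather than at an absent key.

```sh
#!/bin/sh
# Added illustration: classify APT fetch errors as transient TLS handshake
# failures or as keyring problems. Function names are hypothetical.

classify_apt_errors() {    # reads "apt-get update" output on stdin
    awk '
    # "Err:N URL SUITE ..." opens an error; APT prints the reason on the next line.
    /^Err:[0-9]+ / { target = $2 " " $3; pending = 1; next }
    pending {
        pending = 0
        if ($0 ~ /Could not handshake/) {
            # A colon inside the address of "[IP: ... 443]" means IPv6.
            family = ($0 ~ /\[IP: [0-9a-fA-F]*:/) ? "ipv6" : "ipv4"
            print "tls-handshake", family, target
        }
        for (i = 1; i < NF; i++)
            if ($i == "NO_PUBKEY") print "missing-key", $(i + 1), target
        next
    }
    # Keyring file exists but the _apt user cannot read it: report it once.
    /is not readable by user/ {
        for (i = 1; i < NF; i++)
            if ($i == "keyring") {
                path = $(i + 1)
                if (!(path in seen)) {
                    seen[path] = 1
                    print "unreadable-key", path
                }
            }
    }
    '
}

# Sample input: lines excerpted from the two logs posted in this thread.
sample_log() {
cat <<'EOF'
Err:1 https://dietpi.com/apt bullseye InRelease
  Could not handshake: Error in the pull function. [IP: 2606:4700:20::681a:5f3 443]
Hit:2 https://deb.debian.org/debian bullseye InRelease
Err:5 https://dietpi.com/apt bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1DF45FDB9C6CE851
W: https://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
W: https://dietpi.com/apt/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
E: The repository 'https://dietpi.com/apt bookworm InRelease' is not signed.
EOF
}

sample_log | classify_apt_errors
```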

@Power-onoff

Power-onoff commented Apr 17, 2024

> The keys are there, but all not readable:
>
> W: https://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
> W: https://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
> W: https://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
> W: https://download.docker.com/linux/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
> W: https://dietpi.com/apt/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/dietpi.asc are ignored as the file is not readable by user '_apt' executing apt-key.
>
> Please check the permissions for this and all parent directories:
>
> ls -dl /etc /etc/apt /etc/apt/trusted.gpg.d
> ls -l /etc/apt/trusted.gpg.d

As you told me, I think the permission for the public key file is wrong

ls -l /etc/apt /etc/apt/trusted.gpg.d/
/etc/apt:
total 28
drwxr-xr-x 2 root root 4096 Apr 15 04:32 apt.conf.d
drwxr-xr-x 2 root root 4096 May 25  2023 auth.conf.d
drwxr-xr-x 2 root root 4096 May 25  2023 keyrings
drwxr-xr-x 2 root root 4096 Aug  1  2023 preferences.d
-rw-r--r-- 1 root root  372 Aug  8  2023 sources.list
drwxr-xr-x 2 root root 4096 Apr 17 21:16 sources.list.d
drwxr-xr-x 2 root root 4096 Apr 17 21:16 trusted.gpg.d

/etc/apt/trusted.gpg.d/:
total 96
-rw-r--r-- 1 root root 11861 Mar 29  2023 debian-archive-bookworm-automatic.asc
-rw-r--r-- 1 root root 11873 Mar 29  2023 debian-archive-bookworm-security-automatic.asc
-rw-r--r-- 1 root root   461 Mar 29  2023 debian-archive-bookworm-stable.asc
-rw-r--r-- 1 root root 11861 Mar 29  2023 debian-archive-bullseye-automatic.asc
-rw-r--r-- 1 root root 11873 Mar 29  2023 debian-archive-bullseye-security-automatic.asc
-rw-r--r-- 1 root root  3403 Mar 29  2023 debian-archive-bullseye-stable.asc
-rw-r--r-- 1 root root 11093 Mar 29  2023 debian-archive-buster-automatic.asc
-rw-r--r-- 1 root root 11105 Mar 29  2023 debian-archive-buster-security-automatic.asc
-rw-r--r-- 1 root root  1704 Mar 29  2023 debian-archive-buster-stable.asc
-rw-r--r-- 1 root root  2760 Aug  8  2023 dietpi-docker.gpg
-rw-r----- 1 root root  4694 Apr 17 21:16 dietpi.asc
chmod 644 /etc/apt/trusted.gpg.d/dietpi.asc
ls -l /etc/apt/trusted.gpg.d/
-rw-r--r-- 1 root root 11861 Mar 29  2023 debian-archive-bookworm-automatic.asc
-rw-r--r-- 1 root root 11873 Mar 29  2023 debian-archive-bookworm-security-automatic.asc
-rw-r--r-- 1 root root   461 Mar 29  2023 debian-archive-bookworm-stable.asc
-rw-r--r-- 1 root root 11861 Mar 29  2023 debian-archive-bullseye-automatic.asc
-rw-r--r-- 1 root root 11873 Mar 29  2023 debian-archive-bullseye-security-automatic.asc
-rw-r--r-- 1 root root  3403 Mar 29  2023 debian-archive-bullseye-stable.asc
-rw-r--r-- 1 root root 11093 Mar 29  2023 debian-archive-buster-automatic.asc
-rw-r--r-- 1 root root 11105 Mar 29  2023 debian-archive-buster-security-automatic.asc
-rw-r--r-- 1 root root  1704 Mar 29  2023 debian-archive-buster-stable.asc
-rw-r--r-- 1 root root  2760 Aug  8  2023 dietpi-docker.gpg
-rw-r--r-- 1 root root  4694 Apr 17 21:16 dietpi.asc

I think "Other" read permission was lost due to umask setting while downloading the public key file

@MichaIng
Owner

Ah right, it was our key only, but since it is in trusted.gpg.d, it is checked for every repo. Did you change your default umask? I then wonder why the /etc/apt/sources.list.d/dietpi.list is not affected.

Probably we should set it to 0022 in all our scripts. It counteracts security ideas when it is intentionally set to 0027, but otherwise a lot of things in our scripts rely on it being 0022 🤔.

@Power-onoff

> Ah right, it was our key only, but since it is in trusted.gpg.d, it is checked for every repo. Did you change your default umask? I then wonder why the /etc/apt/sources.list.d/dietpi.list is not affected.
>
> Probably we should set it to 0022 in all our scripts. It counteracts security ideas when it is intentionally set to 0027, but otherwise a lot of things in our scripts rely on it being 0022 🤔.

The default umask value is 0022.

However, before running the dietpi-update, I set the umask value to 0027

The current "/etc/apt/trusted.gpg.d/dietpi.asc" file has been successfully read and the dietpi-update has been successfully run

Later, I checked the permissions of the "/etc/apt/sources.list.d/dietpi.list" file and found that you still don't have read permissions

root@localhost:/etc/apt/sources.list.d# ls -l
total 8
-rw-r----- 1 root root 41 Apr 17 23:46 dietpi.list
-rw-r--r-- 1 root root 62 Aug  8  2023 docker.list

@MichaIng
Owner

MichaIng commented Apr 18, 2024

Okay, then the lists are not read by this _apt user. A check via htop while apt update runs reveals that indeed only the cryptography stuff and the HTTPS connection are done by this user, after the list has been read already.

I think it is indeed best when we actively set 0022 in our scripts. It applies only for the script/subshell, hence does not affect any other/parent shell. In any case, checking and changing modes of every generated file would be much too much additional code and work, and we often rely on group R/W or all/other R/O modes to allow access to downloads/media files by downloaders and media players/servers, or leave certain (config) files owned by root:root when the consuming service is not supposed to edit them directly.

It aligns with the enforced PATH and LC_ALL/LANG: c9cc8df
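
The umask effect discussed in this comment, as an added shell example that is not part of the thread and not DietPi's own code: a file written under umask 0027 loses the "other" read bit that the `_apt` user needs, while pinning 0022 in a subshell leaves the caller's umask alone. The function names and the temporary directory standing in for /etc/apt/trusted.gpg.d are assumptions.

```sh
#!/bin/sh
# Added illustration, not DietPi code. All function names are hypothetical and
# the demo works in a temporary directory, never in /etc/apt.

# List keyring files without the "other" read bit (octal 004). APT drops to the
# unprivileged _apt user for signature checks; that user is neither the owner
# (root) nor in the file's group, so such a key is ignored.
unreadable_keys() {    # $1 = keyring directory
    find "$1" -type f \( -name '*.asc' -o -name '*.gpg' \) ! -perm -004 | sort
}

# Stand-in for "curl ... -o FILE": a new file gets 0666 minus the caller's umask.
write_key_inherited() {    # $1 = destination file
    printf '%s\n' 'CONSTRUCTED SAMPLE, NOT A REAL KEY' > "$1"
}

# Same write with the umask pinned in a subshell; the caller's umask is untouched.
write_key_pinned() {    # $1 = destination file
    ( umask 0022; printf '%s\n' 'CONSTRUCTED SAMPLE, NOT A REAL KEY' > "$1" )
}

# Repair for files that already exist. trusted.gpg.d holds public keys only,
# so adding world-read exposes nothing secret.
fix_keys() {    # $1 = keyring directory
    unreadable_keys "$1" | while IFS= read -r f; do
        chmod 0644 "$f"
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    (
        umask 0027    # hardened umask, as set by the reporter before updating
        write_key_inherited "$dir/inherited.asc"    # ends up 0640
        write_key_pinned "$dir/pinned.asc"          # ends up 0644
        echo "umask after pinned write: $(umask)"
    )
    echo "ignored by _apt before repair:"
    unreadable_keys "$dir"
    fix_keys "$dir"
    echo "ignored by _apt after repair: $(unreadable_keys "$dir" | wc -l)"
    rm -rf "$dir"
}

demo
```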

@MichaIng MichaIng changed the title Update failed from v9.2.1 to 9.3.0 APT | TLS errors when connecting to dietpi.com May 2, 2024
@MichaIng
Owner

MichaIng commented May 2, 2024

For the record: https://community.cloudflare.com/t/intermittent-tls-errors-when-accessing-websites-behind-cloudflare-via-ipv6/650353

Probably you can go through the tests/points and see whether it is all the same for you. Also, if you want to share, which country/location/ISP/router are you using? Probably we find some similarities/pattern.

Checking logs above, repo.homebridge.io was affected for you as well, and indeed that one is also behind Cloudflare and I face the same errors with this host.

@MichaIng MichaIng modified the milestones: v9.4, v9.5 May 12, 2024