[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or
Thnaks for your backchannel with the upstream. :-) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or database folders To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or
Status update: Micah confirmed that the problem is at the upstream's end and that he'll reply to your mail soon. So yay! :) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or database folders To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or
Hi Jean-Christophe, > Try this: > [...] Oh yeah, thanks, I could reproduce the symlinking issue now, but... > However, if we modify one of the aforementioned folders to a symlink > which points to another folder with the same contents, then the > issue described in this thread pops up. ..yeah, probably this isn't supported by upstream and as you've figured correctly, this isn't a bug here. So for now, I am marking this bug as "invalid" but should you feel differently, please feel free to change to what's more appropriate and let me know the reasoning of change. > I understand that clamav is also implemented on Windows and this > could explain this undesired behavior on Linux. Ooh, likely. That said... > I have already posted a "feature request" on the > clamav-de...@lists.clamav.net mailing list, but there is no > response so far. ...let me ping Micah and see if he can take a look at this. That said, thanks for helping me reproduce the issue and taking your time to file a comprehensive report here and forwarding this to upstream as well! \o/ ** Changed in: clamav (Ubuntu) Status: Incomplete => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or database folders To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or
** Summary changed: - getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net + getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or database folders -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net when symlinks are used for configuration and/or database folders To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net
@Lucas Kanashiro (lucaskanashiro) Thanks for taking the time to read and answer it. You're right, it is not a bug per se, more a serious shortcoming. If we install the required packages, everything works fine. However, if we modify one of the aforementioned folders to a symlink which points to another folder with the same contents, then the issue described in this thread pops up. This is the first time I encounter this strange "symlink sensitivity" by any Ubuntu package and I believe this should never happen on Linux. I understand that clamav is also implemented on Windows and this could explain this undesired behavior on Linux. I have already posted a "feature request" on the clamav- de...@lists.clamav.net mailing list, but there is no response so far. @Utkarsh Gupta (utkarsh) Try this: # sudo systemctl stop clamav-daemon # sudo systemctl stop clamav-freshclam # sudo mv -f /etc/clamav /etc/clamav.sav # sudo ln -fsv /etc/clamav.sav /etc/clamav '/etc/clamav' -> '/etc/clamav.sav' # sudo systemctl restart clamav-daemon # sudo systemctl restart clamav-freshclam # sudo systemctl status clamav-freshclam ● clamav-freshclam.service - ClamAV virus database updater Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Tue 2021-03-23 18:45:15 CET; 5s ago Docs: man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents Process: 2460871 ExecStart=/usr/bin/freshclam -d --foreground=true (code=exited, status=2) Main PID: 2460871 (code=exited, status=2) Mar 23 18:45:15 host systemd[1]: Started ClamAV virus database updater. Mar 23 18:45:15 host freshclam[2460871]: ERROR: Can't open/parse the config file /etc/clamav/freshclam.conf Mar 23 18:45:15 host systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/INVALIDARGUMENT Mar 23 18:45:15 host systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'. Then back to normal: # sudo rm -f /etc/clamav # sudo mv -f /etc/clamav.sav /etc/clamav # sudo systemctl restart clamav-daemon # sudo systemctl restart clamav-freshclam # sudo systemctl status clamav-freshclam ● clamav-freshclam.service - ClamAV virus database updater Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2021-03-23 18:55:53 CET; 5s ago Docs: man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents Main PID: 2511510 (freshclam) Tasks: 1 (limit: 18975) Memory: 2.1M CGroup: /system.slice/clamav-freshclam.service └─2511510 /usr/bin/freshclam -d --foreground=true Mar 23 18:55:53 host systemd[1]: Started ClamAV virus database updater. Mar 23 18:55:53 host freshclam[2511510]: Tue Mar 23 18:55:53 2021 -> ClamAV update process started at Tue Mar 23 18:55:53 2021 Mar 23 18:55:53 host freshclam[2511510]: Tue Mar 23 18:55:53 2021 -> daily.cld database is up to date (version: 26118, sigs: 3965203, f-level: 63,> Mar 23 18:55:53 host freshclam[2511510]: Tue Mar 23 18:55:53 2021 -> main.cld database is up to date (version: 59, sigs: 4564902, f-level: 60, bui> Mar 23 18:55:53 host freshclam[2511510]: Tue Mar 23 18:55:53 2021 -> bytecode.cvd database is up to date (version: 333, sigs: 92, f-level: 63, bui> -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net
FWIW, this indeed looks like a local issue. I tried to further reproduce this in a hirsute VM and couldn't. # rm /var/lib/daily.cvd # systemctl stop clamav-freshclam # freshclam --debug --verbose ...which worked fine and I didn't see any errors like you did. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net
Thank you for taking the time to file a bug report. None of the mentioned packages create a link to the certificates directory (/etc/ssl/certs), so I believe you made some kind of manual intervention. And IMO this "symlink sensitivity" is an upstream design decision and not a bug, if you believe this is a bug please go ahead and file an upstream bug. Since it seems likely to me that this is a local configuration problem, rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'. However, if you believe that this is really a bug in Ubuntu, then we would be grateful if you would provide a more complete description of the problem with steps to reproduce, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community ** Changed in: clamav (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net
I have found the cause of the issue: clamav does not support symlinks for any of the following: - /etc/clamav - /etc/ssl - /etc/ssl/certs - /var/lib/clamav If I make sure there is no symlink anymore for any of the above folders, then the issue is worked around: # freshclam --debug --verbose ... * Trying 104.16.219.84:443... * Connected to database.clamav.net (104.16.219.84) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server accepted to use h2 * Server certificate: * subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com * start date: Aug 15 00:00:00 2020 GMT * expire date: Aug 15 12:00:00 2021 GMT * subjectAltName: host "database.clamav.net" matched cert's "database.clamav.net" * issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x55631ca7a1e0) > GET /safebrowsing.cvd HTTP/2 Host: database.clamav.net user-agent: ClamAV/0.103.0 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) accept: */* I'm not sure whether this symlink sensitivity is by design or a bug. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net
** Description changed: Ubuntu 21.04 clamav-freshclam: 0.103.0+dfsg-3.1 + + /etc/clamav/freshclam.conf: + -- + DatabaseOwner clamav + UpdateLogFile /var/log/clamav/freshclam.log + LogVerbose false + LogSyslog false + LogFacility LOG_LOCAL6 + LogFileMaxSize 0 + LogRotate true + LogTime true + Foreground false + Debug true + MaxAttempts 5 + DatabaseDirectory /var/lib/clamav + DNSDatabaseInfo current.cvd.clamav.net + ConnectTimeout 30 + ReceiveTimeout 30 + TestDatabases yes + ScriptedUpdates yes + CompressLocalDatabase no + SafeBrowsing true + Bytecode true + NotifyClamd /etc/clamav/clamd.conf + # Check for new database 24 times a day + Checks 24 + DatabaseMirror db.fr.clamav.net + DatabaseMirror database.clamav.net Commands executed as root: # systemctl stop clamav-freshclam # freshclam --debug --verbose Sat Mar 20 16:00:21 2021 -> ClamAV update process started at Sat Mar 20 16:00:21 2021 Sat Mar 20 16:00:21 2021 -> *Current working dir is /var/lib/clamav/ Sat Mar 20 16:00:21 2021 -> *Querying current.cvd.clamav.net Sat Mar 20 16:00:21 2021 -> *TTL: 1623 Sat Mar 20 16:00:21 2021 -> *fc_dns_query_update_info: Software version from DNS: 0.103.1 Sat Mar 20 16:00:21 2021 -> *Current working dir is /var/lib/clamav/ Sat Mar 20 16:00:21 2021 -> *check_for_new_database_version: No local copy of "daily" database. Sat Mar 20 16:00:21 2021 -> *query_remote_database_version: daily.cvd version from DNS: 26115 Sat Mar 20 16:00:21 2021 -> daily database available for download (remote version: 26115) Sat Mar 20 16:00:21 2021 -> *Retrieving https://database.clamav.net/daily.cvd Sat Mar 20 16:00:21 2021 -> *downloadFile: Download source: https://database.clamav.net/daily.cvd Sat Mar 20 16:00:21 2021 -> *downloadFile: Download destination: /var/lib/clamav/tmp.5ee08cf0a0/clamav-746b5f842a022ff02206be76e0c77fe8.tmp * Trying 104.16.219.84:443... * Connected to database.clamav.net (104.16.219.84) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * Closing connection 0 Sat Mar 20 16:00:21 2021 -> ^Download failed (77) Sat Mar 20 16:00:21 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?) Sat Mar 20 16:00:21 2021 -> ^getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd Sat Mar 20 16:00:21 2021 -> Trying again in 5 secs... The alleged "error setting certificate verify locations" is false: # sudo -u clamav -EH ls -al /etc/ssl/certs/ca-certificates.crt -rw-r--r-- 1 root root 186336 Mar 15 08:45 /etc/ssl/certs/ca-certificates.crt # sudo -u clamav -EH ls -al /etc/ssl/certs total 556 drwxr-xr-x 3 root root 12288 Mar 15 08:45 . ... Also, it is possible to contact the website as clamav user, meaning there is no CA access issue for that user: # sudo -u clamav -EH wget https://database.clamav.net --2021-03-20 16:21:12-- https://database.clamav.net/ Resolving database.clamav.net (database.clamav.net)... 104.16.219.84, 104.16.218.84, 2606:4700::6810:da54, ... Connecting to database.clamav.net (database.clamav.net)|104.16.219.84|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘index.html’ index.html [ <=> ] 1.14K --.-KB/sin 0s 2021-03-20 16:21:12 (21.3 MB/s) - ‘index.html’ saved [1166] # more index.html - - http://www.clamav.net; http-equiv="Refresh"> - ClamAV database mirror + + http://www.clamav.net; http-equiv="Refresh"> + ClamAV database mirror + src="//www.clamav.net/assets/clamav-trademark.png"> You reached one of ClamAV virus database mirrors: http://database.clamav.net;>database.clamav.net + style="font-style: italic;" href="http://database.clamav.net;>database.clamav.net is a round robin record that tries to equally balance the traffic between all the database mirrors. For a complete list of our mirrors visit http://www.clamav.net/mirrors.html;>http://www.clamav.net/mirrors.html + href="http://www.clamav.net/mirrors.html;>http://www.clamav.net/mirrors.html You'll be redirected to ClamAV home page (http://www.clamav.net;>http://www.clamav.net) in 15 + href="http://www.clamav.net;>http://www.clamav.net) in 15 seconds... This mirror is sponsored by This is a very strange issue. Any suggestion on how to debug/workaround that issue? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net To manage notifications about this bug go to:
[Bug 1920615] Re: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net
There is no such issue on another Ubuntu device with the **exact** same SSL and freshclam configurations and located on the same private network as the failing device sharing the same IP public address. Is it possible that cloudflare enforces a limit on the number of devices which are allowed to download from https://database.clamav.net/daily.cvd? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1920615 Title: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd despite correct connection to https://database.clamav.net To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
