Hi Giovanni,

> > > > >      error: unable to refresh mirrors file for channel
> > > > >      updates.spamassassin.org, using old file
...
> one of the mirrors listed in mirrors.updates.spamassassin.org has
> switched to https.
> A connection failure due to OpenSSL incompatible algorithms could be
> the issue.

I think you're correct.

With -D, the overnight run gives:

 1   dbg: channel: file /var/lib/spamassassin/3.004000/updates_spamassassin_org/MIRRORED.BY is too old, refreshing mirrors file
 2   dbg: channel: DNS lookup on mirrors.updates.spamassassin.org
 3
 4   dbg: http: url: https://spamassassin.apache.org/updates/MIRRORED.BY
 5   dbg: http: downloading to: /var/lib/spamassassin/3.004000/updates_spamassassin_org/MIRRORED.BY, replace
 6   dbg: util: executable for curl was found at /usr/bin/curl
 7   dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o MIRRORED.BY -- https://spamassassin.apache.org/updates/MIRRORED.BY
 8   dbg: http: process [13681], exit status: 15360
 9   dbg: channel: no mirror data available for channel updates.spamassassin.org from https://spamassassin.apache.org/updates/MIRRORED.BY
10
11   dbg: http: url: https://sa-update.spamassassin.org/MIRRORED.BY
12   dbg: http: downloading to: /var/lib/spamassassin/3.004000/updates_spamassassin_org/MIRRORED.BY, replace
13   dbg: util: executable for curl was found at /usr/bin/curl
14   dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o MIRRORED.BY -- https://sa-update.spamassassin.org/MIRRORED.BY
15   dbg: http: process [13683], exit status: 15360
16   dbg: channel: no mirror data available for channel updates.spamassassin.org from https://sa-update.spamassassin.org/MIRRORED.BY
17
18   error: unable to refresh mirrors file for channel updates.spamassassin.org, using old file

Lines of interest:

    2.  Both URLs 2 are https schemas.

    8, 15.  curl(1) exits 15360 for both URLs.  Which is 0x3c00 or exit(60)
    in exit(3) terms.  curl's man page says:

        60  Peer certificate cannot be authenticated with known CA
            certificates.

So that explains it.  Given this old machine is being turned off within
the year, I can either: ignore it; work around it by updating MIRRORED.BY
separately; or attempt to update the machine's certificates in case all
schemas become https again, though this still leaves other TLS
negotiation aspects to fail in the future.

Anyway, that's my question answered; thanks, list.

I did think from looking at the debug that running curl might benefit
from a -S given the -s, and exit statuses are better printed as hex.

-- 
Cheers, Ralph.
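
The status decoding worked through in the message above, as an added example (not part of the original post and not SpamAssassin's own code): it splits the raw wait status that sa-update logs into exit code, terminating signal and core-dump flag, and pairs it with the URL being fetched. The function names are illustrative, and the last two sample lines are constructed to show the signal case.

```python
import re

# Exit code 60's text is the curl man page line quoted in the message above.
CURL_EXIT = {60: "Peer certificate cannot be authenticated with known CA certificates."}

URL_RE = re.compile(r"dbg: http: url: (\S+)")
STATUS_RE = re.compile(r"dbg: http: process \[(\d+)\], exit status: (\d+)")

def decode_wait_status(status):
    """Split a raw wait(2) status into (exit_code, signal, core_dumped)."""
    signal = status & 0x7F            # low 7 bits: terminating signal, 0 if none
    core = bool(status & 0x80)        # bit 7: core dump flag
    exit_code = (status >> 8) & 0xFF if signal == 0 else None
    return exit_code, signal, core

def explain(log_text):
    """Pair each fetched URL with the decoded status of the curl run after it."""
    results, url = [], None
    for line in log_text.splitlines():
        if (m := URL_RE.search(line)):
            url = m.group(1)
        elif (m := STATUS_RE.search(line)):
            status = int(m.group(2))
            code, sig, core = decode_wait_status(status)
            if sig:
                meaning = f"killed by signal {sig}"
            else:
                meaning = CURL_EXIT.get(code, "see EXIT CODES in curl(1)")
            results.append({"url": url, "pid": int(m.group(1)), "raw_hex": hex(status),
                            "exit_code": code, "signal": sig, "core": core,
                            "meaning": meaning})
    return results

# First four lines come from the debug output above; the last two are constructed
# to show the signal case (hypothetical host and pid).
SAMPLE = """\
dbg: http: url: https://spamassassin.apache.org/updates/MIRRORED.BY
dbg: http: process [13681], exit status: 15360
dbg: http: url: https://sa-update.spamassassin.org/MIRRORED.BY
dbg: http: process [13683], exit status: 15360
dbg: http: url: https://mirror.example/MIRRORED.BY
dbg: http: process [20001], exit status: 9
"""

if __name__ == "__main__":
    for r in explain(SAMPLE):
        print(f"{r['url']}: status {r['raw_hex']} -> exit {r['exit_code']}, {r['meaning']}")
```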
