Using dnf to install some packages fails while, presumably, fetching the list of mirrors.
sudo dnf install strace
Updating and loading repositories:
Fedora 42 - x86_64 - Updates 100% | 62.0 KiB/s | 39.1 KiB | 00m01s
>>> Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 2a05:d014:10:7803:f774:4d7c:e277:a457) - https://mirrors.fedoraproject.org/metalin ...
>>> Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 2a05:d014:10:7803:f774:4d7c:e277:a457) - https://mirrors.fedoraproject.org/metalin
>>> Librepo error: Cannot prepare internal mirrorlist: Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 2a05:d014:10:7803:f774:4d7c:e27
Error checking if metalink "https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64" is in sync for repository "updates"
Librepo error: Cannot prepare internal mirrorlist: Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 2a05:d014:10:7803:f774:4d7c:e277:a457)
Suspecting the issue to be related to IPv6, I tried adding ip_resolve=4 to /etc/dnf/dnf.conf; it allowed me to actually install the package I needed :) but errors are still returned from/for 18.159.254.57.
sudo dnf install strace
Updating and loading repositories:
Fedora 42 - x86_64 - Updates 100% | 45.6 KiB/s | 36.7 KiB | 00m01s
>>> Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 18.159.254.57) - https://mirrors.fedoraproject.org/metalink?repo=updates-released- ...
>>> Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 18.159.254.57) - https://mirrors.fedoraproject.org/metalink?repo=updates-released-
Fedora 42 openh264 (From Cisco) - x86_64 100% | 2.3 KiB/s | 989.0 B | 00m00s
Fedora 42 - x86_64 100% | 29.8 KiB/s | 20.9 KiB | 00m01s
Fedora 42 - x86_64 - Updates 100% | 680.1 KiB/s | 1.3 MiB | 00m02s
>>> Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 18.159.254.57) - https://mirrors.fedoraproject.org/metalink?repo=updates-released- ...
>>> Status code: 503 for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64 (IP: 18.159.254.57) - https://mirrors.fedoraproject.org/metalink?repo=updates-released-
Repositories loaded.
Package Arch Version Repository Size
Installing:
strace x86_64 6.14-1.fc42 fedora 2.6 MiB
Transaction Summary:
Installing: 1 package
Total size of inbound packages is 1 MiB. Need to download 1 MiB.
After this operation, 3 MiB extra will be used (install 3 MiB, remove 0 B).
Digging into it with the IP addresses of the mirrors, it seems that the issue is indeed limited to 2a05:d014:10:7803:f774:4d7c:e277:a457.
All other hosts seem to work fine (verified with curl -v "https://mirrors.fedoraproject.org/metalink?repo=updates-released-f42&arch=x86_64" --resolve 'mirrors.fedoraproject.org:443:$IPADDRESS').
Can confirm. According to the headers in curl calls this seems to be proxy36.fedoraproject.org
Yes, proxy36 unhappy
$ curl -v "https://mirrors.fedoraproject.org/metalink?repo=updates-released-f41&arch=x86_64"
* Host mirrors.fedoraproject.org:443 was resolved.
* IPv6: 2a05:d014:10:7803:f774:4d7c:e277:a457, 2001:4178:2:1269::fed2, 2600:2701:4000:5211:dead:beef:fe:fed3, 2604:1580:fe00:0:dead:beef:cafe:fed1, 2605:bc80:3010:600:dead:beef:cafe:fed9
* IPv4: 8.43.85.73, 8.43.85.67, 34.221.3.152, 152.19.134.198, 140.211.169.196, 38.145.60.21, 67.219.144.68, 38.145.60.20, 152.19.134.142
* Trying [2a05:d014:10:7803:f774:4d7c:e277:a457]:443...
* Connected to mirrors.fedoraproject.org (2a05:d014:10:7803:f774:4d7c:e277:a457) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=*.fedoraproject.org
* start date: Oct 9 00:00:00 2024 GMT
* expire date: Nov 9 23:59:59 2025 GMT
* subjectAltName: host "mirrors.fedoraproject.org" matched cert's "*.fedoraproject.org"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f41&arch=x86_64
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: mirrors.fedoraproject.org]
* [HTTP/2] [1] [:path: /metalink?repo=updates-released-f41&arch=x86_64]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET /metalink?repo=updates-released-f41&arch=x86_64 HTTP/2
> Host: mirrors.fedoraproject.org
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 503
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< referrer-policy: same-origin
< content-length: 3335
< cache-control: no-cache
< pragma: no-cache
< content-type: text/html; charset=UTF-8
< apptime: D=424
< x-fedora-proxyserver: proxy36.fedoraproject.org
< x-fedora-requestid: aBdy0xuyTgQ302bn7rZA-gAATgg
< date: Sun, 04 May 2025 13:59:47 GMT
< server: Apache
<
I'm taking this proxy out of rotation. It should stop being offered in DNS in ~5min.
Metadata Update from @kevin: - Issue assigned to kevin - Issue tagged with: high-gain, low-trouble
Metadata Update from @james: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
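The per-address check used in this thread (pinning curl to one address with --resolve, then reading the x-fedora-proxyserver header), written out as a script. This is an added example, not part of the original ticket; the function names are hypothetical and the sample headers are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: check every address behind a round-robin name separately.
HOST="mirrors.fedoraproject.org"
URL="https://${HOST}/metalink?repo=updates-released-f42&arch=x86_64"

# Reduce a header dump (as written by `curl -D -`) to "<status> <proxy>".
# x-fedora-proxyserver is the header visible in the ticket's curl output.
summarize_headers() {
    awk '
        { sub(/\r$/, "") }                      # strip CR from CRLF lines
        /^HTTP\//                              { status = $2 }
        tolower($1) == "x-fedora-proxyserver:" { proxy = $2 }
        END {
            if (status == "") status = "none"
            if (proxy == "")  proxy = "unknown"
            print status, proxy
        }'
}

# All A and AAAA records for a name (getent is part of glibc).
resolve_all() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# Pin the connection to one address; the certificate is still checked
# against $HOST, so this does not weaken TLS verification.
probe_address() {
    curl -s -o /dev/null -D - --max-time 10 \
        --resolve "${HOST}:443:$1" "$URL" | summarize_headers
}

probe_all() {
    for ip in $(resolve_all "$HOST"); do
        printf '%-40s %s\n' "$ip" "$(probe_address "$ip")"
    done
}

# Constructed sample, modelled on the response headers quoted in the ticket.
sample_headers() {
    printf 'HTTP/2 503 \r\nserver: Apache\r\n'
    printf 'x-fedora-proxyserver: proxy36.fedoraproject.org\r\n\r\n'
}

# "run" probes the live service; otherwise only the sample is summarized.
if [ "${1:-}" = "run" ]; then probe_all; else sample_headers | summarize_headers; fi
```

An address that cannot be reached at all shows up as "none unknown", which separates a dead backend from one that answers with an error status.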