Cannot update apt https repositories via corporate proxy (“reading from proxy failed”) on Debian 10 buster

apt debian-buster proxy

Trying to run apt-get update against https repositories on a Debian 10 host which has an apt proxy configured. This example shows the output when trying to update from the grafana apt repository:

# cat /etc/apt/sources.list.d/grafana.list
deb https://packages.grafana.com/oss/deb stable main

# apt-get update
Err:1 https://packages.grafana.com/oss/deb stable InRelease
Reading from proxy failed - select (115: Operation now in progress) [IP: xxx.xxx.xxx.xxx 8080]
Reading package lists... Done
W: Failed to fetch https://packages.grafana.com/oss/deb/dists/stable/InRelease  Reading from proxy failed - select (115: Operation now in progress) [IP: xxx.xxx.xxx.xxx 8080]
W: Some index files failed to download. They have been ignored, or old ones used instead.

The above xxx.xxx.xxx.xxx is the IP address of the proxy.

Details:

  • The proxy inspects the https traffic and the corresponding proxy CA certificate is installed on the host
  • The same apt repository configured on a Debian stretch (9) can be updated without the above error. The stretch host uses the same proxy CA certificates.
  • The URL https://packages.grafana.com/oss/deb/dists/stable/InRelease can be downloaded without any errors using the following curl command:
curl --proxy http://proxy.domain.com:8080 https://packages.grafana.com/oss/deb/dists/stable/InRelease
  • The proxy admin says there are no errors on the proxy itself during these connection attempts
  • There's no authentication used on the proxy.
  • I've tried specifying the proxy cert explicitly using the Acquire::https::packages.grafana.com::CaInfo apt parameter, but this doesn't change anything (probably this isn't a certificate issue). Also, I've been experimenting with the No-Cache, Queue-Mode apt parameters, no luck though.
  • I've tried to relax the openssl.cnf settings related to TLS protocol but to no avail (not sure if apt makes use of those):
[system_default_sect]
MinProtocol = None
CipherString = DEFAULT

No matter what I try, I can't use https repositories on Debian 10 behind the proxy. Has anyone encountered this situation yet?

Best Answer

It seems that the problem was the web proxy itself. After an upgrade, which fixed several SSL inspection issues, the problem went away.
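
A way to check the inspecting proxy independently of apt, as an added example that is not part of the original question or answer: open a CONNECT tunnel through the proxy, attempt one handshake per TLS version, and report the negotiated version and the issuer of the certificate presented (the proxy CA when inspection is active). The helper names and the per-version test are assumptions of this example; Python's ssl module is not the TLS library apt uses, so a clean result here narrows the problem rather than clearing the proxy.

```python
import socket
import ssl
import sys

def connect_request(host, port):
    """HTTP CONNECT request asking the proxy for a raw tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def connect_status(reply):
    """Status code from the proxy's reply head, or None if it is not HTTP."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def probe(proxy, target, version, cafile=None, timeout=15):
    """One TLS handshake through the proxy, pinned to a single TLS version.
    Returns (negotiated_version, issuer) on success, raises on failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(connect_request(*target))
        head = b""
        while b"\r\n\r\n" not in head:
            chunk = raw.recv(4096)
            if not chunk:
                break
            head += chunk
        status = connect_status(head)
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT: {status}")
        with ctx.wrap_socket(raw, server_hostname=target[0]) as tls:
            issuer = dict(x[0] for x in tls.getpeercert()["issuer"])
            return tls.version(), issuer.get("organizationName") or issuer.get("commonName")

if __name__ == "__main__":
    # Usage: probe.py PROXY_HOST PROXY_PORT [PROXY_CA_FILE]
    proxy = (sys.argv[1], int(sys.argv[2]))
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    target = ("packages.grafana.com", 443)  # repository host from the question
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            print(v.name, "ok:", probe(proxy, target, v, cafile))
        except OSError as exc:  # covers ssl.SSLError, timeouts, refused CONNECT
            print(v.name, "FAILED:", type(exc).__name__, exc)
```

A version that times out or fails here while the other succeeds gives the proxy admin a reproducible case that does not depend on apt.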