Can't update from 5.0, claims can't get update file but I can get it via wget

I have been unable to update from version 5 (FTL updated), and the web interface seems to be having permissions errors in that it works for queries but I can't add domains and such.

Debug code https://tricorder.pi-hole.net/0cmgmmbpvj
Tried redoing git -- Why does the Pi-hole installer produce the error "Unable to complete update, contact Pi-hole"?

I can easily wget the update from the same server.

[✓] Detected x86_64 architecture
[i] Checking for existing FTL binary...
[i] Latest FTL Binary already installed (v5.0). Confirming Checksum...
curl: (7) Failed connect to github-production-release-asset-2e65be.s3.amazonaws.com:443; Connection refused
[i] Corruption detected...
[i] Downloading and Installing FTL...curl: (7) Failed connect to github-production-release-asset-2e65be.s3.amazonaws.com:443; Connection refused
[✗] Downloading and Installing FTL
Error: URL https://github.com/pi-hole/ftl/releases/latest/download/pihole-FTL-linux-x86_64 not found
[✗] FTL Engine not installed
Unable to complete update, please contact Pi-hole Support

There are some external connectivity issues going on. The Pi-hole DNS is working since the domain was able to be resolved. This error is showing the connection attempt was blocked by the endpoint.

What does the output from curl -IL https://github.com/pi-hole/ftl/releases/latest/download/pihole-FTL-linux-x86_64 show? You may see a 403 Forbidden notice but that is expected.

Thanks. I do indeed get connection refused. Is there a way to upload the file?

My IP seems to be getting blocked by some of the blacklist locations, too... any idea why that might be? I only use this IP for one thing - the pihole - and I've blocked off all users outside my IP block via firewall.

Ouch, could that be the problem?

(I had to take out the lines with URLs to post.)

HTTP/1.1 302 Found
server: GitHub
date: Tue, 02 Jun 2020 17:32:22 GMT
content-type: text/html; charset=utf-8
status: 302 Found
vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
location: [url]
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
expect-ct: max-age=2592000, report-uri="[url]/_private/browser/errors"
...

HTTP/1.1 302 Found
server: GitHub.com
date: Tue, 02 Jun 2020 17:32:22 GMT
content-type: text/html; charset=utf-8
status: 302 Found
vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
location: ... 80716356/81c27580-92f1-11ea-9639-0a0bd8dd3cc3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200602%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200602T173222Z&X-Amz-Expires=300&X-Amz-Signature=e6d46bb3ea70fffd27c2466d2baf532c69ce9f2414edfc1a151dfa734153cfae&X-Amz-SignedHeaders=host&actor_id=0&repo_id=80716356&response-content-disposition=attachment%3B%20filename%3Dpihole-FTL-linux-x86_64&response-content-type=application%2Foctet-stream
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
expect-ct: max-age=2592000, report-
content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; 
Set-Cookie: _octo=GH1.1.694065143.1591119142; Path=/; Domain=github; Expires=Wed, 02 Jun 2021 17:32:22 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github; Expires=Wed, 02 Jun 2021 17:32:22 GMT; HttpOnly; Secure; SameSite=Lax
Content-Length: 634
X-GitHub-Request-Id: B228:6F9E:14E9BA4:21B9BD5:5ED68D26

curl: (7) Failed connect to github-production-release-asset-2e65be.s3.amazonaws.com:443; Connection refused

What does dig github-production-release-asset-2e65be.s3.amazonaws.com show as the target IP?

I have 52.216.146.163

s3-1-w.amazonaws.com. 3 IN A 52.216.242.68

Ping gets s3-1-w.amazonaws.com (52.216.162.243)

Weird name server issue? That would explain it. I was using 1.1.1.1 but can switch to something else... assuming the server is using the pihole DNS for its own purposes as well!
...

Those IPs are fine. The goal was to find out if they were public or private IP addresses.

I'm really not sure why you are being refused, you can try curl -L https://github-production-release-asset-2e65be.s3.amazonaws.com to see if there is any message returned. I get some html back that says AccessDenied but that's expected.

curl -IL https://github-production-release-asset-2e65be.s3.amazonaws.com should show 403 as a response.

Try both of those commands and see what warnings, if any, you get.

The first shows AccessDenied - as you said. The second shows 403 Forbidden.

Try curl -g -6 -IL https://github.com/pi-hole/ftl/releases/latest/download/pihole-FTL-linux-x86_64

I think this may be the curl IPv6 default glitch.

In the meantime, edit /etc/pihole/setupVars.conf and remove all the duplicate lines, that will confuse the heck out of pihole-FTL.

Thanks!! Yes, there are lots of dup lines, I deleted some but I'll drag it into BBEdit and get rid of the rest. I don't know why they keep cropping up. Does the order of the lines matter?

PS> curl: (6) Could not resolve host: github.com; Unknown error

Note: I don't know why but pihole -up now says: "Everything is up to date!"

Thanks on the dup lines, half of them must have been dups.

Check the output from pihole -v.

The order of the lines in setupVars.conf does not matter.

If you do not need IPv6 addresses then I'd just remove that and not have that additional need to configure.

And when you are done, generate a new debug log and post the token. We'll check your configuration after the changes.
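
For the duplicate-line cleanup in /etc/pihole/setupVars.conf discussed above, a read-only check can list which keys repeat and whether their values disagree before anything is deleted by hand. This is an added example, not part of the original thread or Pi-hole's own tooling; the function names and the sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only report of repeated keys in a KEY=VALUE file such
# as /etc/pihole/setupVars.conf. It never modifies the file it reads.

# dup_keys FILE -> one line per repeated key: "KEY <count> same|conflict"
dup_keys() {
    awk -F= '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            key = $1
            val = substr($0, length($1) + 2)   # text after the first "="
            count[key]++
            if (count[key] == 1) first[key] = val
            else if (val != first[key]) conflict[key] = 1
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    printf "%s %d %s\n", k, count[k],
                        (k in conflict) ? "conflict" : "same"
        }
    ' "$1" | sort
}

# write_sample FILE -> constructed sample input (values are made up, not
# taken from the debug log in this thread).
write_sample() {
    cat > "$1" <<'EOF'
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.0.2.10/24
PIHOLE_DNS_1=1.1.1.1
QUERY_LOGGING=true
PIHOLE_DNS_1=9.9.9.9
QUERY_LOGGING=true
QUERY_LOGGING=true
EOF
}

# Run against a real file when one is given:
#   sh dupkeys.sh /etc/pihole/setupVars.conf
if [ -n "${1:-}" ]; then
    dup_keys "$1"
fi
```

Keys reported as "conflict" carry different values on different lines and are the ones to resolve by hand first; "same" entries are plain repeats.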

All looks good! Wow... and thanks!!

https://tricorder.pi-hole.net/qf30yikhsx

pihole -v brings:
Pi-hole version is v5.0 (Latest: v5.0)
AdminLTE version is v5.0 (Latest: v5.0)
FTL version is v5.0 (Latest: v5.0)

pihole -up
[i] Checking for updates...
[i] Pi-hole Core: up to date
[i] Web Interface: up to date
[i] FTL: up to date

[✓] Everything is up to date!

Looks like it's working fine.

It is AMAZING software. Normally stunningly easy to use, either command line or GUI.

I do have to put on my grumpy pants and ask that you run the IP address you are using through Network and DNS Test Tools

Other people may find your Pi-hole install and weaponize it against others.

True, a serious concern. I keep an eye on the log. I have banned most of the world via firewall. Is the IP revealed anywhere in this thread?

PS> Good news. This server shouldn't partake in DNS amplification attacks. Your caching DNS server appears configured with correct ACL's. This server appears to have recursion disabled and does not answer to unknown third party DNS queries.

No identifying information has been revealed in public. I suggest that a better option would be to deploy VPN instead of manually blocking. Whack-a-mole gets tiring after a while and you only catch the moles after they've dug holes in the lawn.

True... though hard to get the wife and kids to activate VPN. I'll move to that over the next couple of weeks.

Here is a dig to your (hidden) public IP:

dig flurry.com @66..xxx.xx.xx +short
0.0.0.0