PatrolServer/bashscanner

Run fails

Closed this issue · 20 comments

Hi

I tried running the scanner as directed in the README, but I get this:

$ bash patrolserver
Error reading signature file /tmp/tmp.OudAzcpRZx
Verification of PatrolServer code failed, somebody tried to edit our code without proper signing

Hey Danny,

Is it possible to state on what machine you are trying to run it (operating system)? Also, could you give the result of the following code?

# Get the runner
RUNNER=`mktemp`
wget -O $RUNNER "https://raw.githubusercontent.com/PatrolServer/bashScanner/master/compiled.sh" 2> /dev/null
chmod +x $RUNNER

# Get the signature
SIGNATURE=`mktemp`
wget -O $SIGNATURE "https://raw.githubusercontent.com/PatrolServer/bashScanner/master/compiled.sign" 2> /dev/null

# Public key
PUBLIC_KEY=`mktemp`
echo "-----BEGIN PUBLIC KEY-----" > $PUBLIC_KEY
echo "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6thRDBr1JJRrWQkIzRdF" >> $PUBLIC_KEY
echo "XxuPBH6ZkuAbDNxYT75pqQXMXMO3C/N2LiWwXVJTLIsuOEtegySzNc0T6JylwUXN" >> $PUBLIC_KEY
echo "ljNHltqa5KBdAmpSGaZJ8JYwd1iNarrf1GQfEVpnvNF85EtcwKo0L5U4aelLdpaG" >> $PUBLIC_KEY
echo "aEigyJwnk5I5Ji+kIzcMkHTiF5RzSpJcoSvbKem++x4bvIrfwfdnvEctcX8/m/PD" >> $PUBLIC_KEY
echo "8c/hQL1OW1gjvmNiO3AlAnr41y3QBnpcchcXv05yX3VAfZhjMZdD8JS5wvke3GT7" >> $PUBLIC_KEY
echo "Vji5ToLPfUzyvlH9tjHx4zefxIvSTIMVI2gg+bXw5VlNIWp/ST9xQGjFG1wEa+uy" >> $PUBLIC_KEY
echo "PU3T69j0ylEA0SaTX/ZDo8qZSn8XTNdhtc0lOK7GFM+U/iZvWe+CRA41DafsUsPa" >> $PUBLIC_KEY
echo "GkxVS84eZ/xkIMh5EBghaxfmkYN8yubK0yILr95kU/gpFjPxRimHFvIBxIAhE8Xv" >> $PUBLIC_KEY
echo "3+QSGEt8h11WHd8I27U3egDwVsDCDtgbPedOTiW7MGoHcxtTdcl1Fpp6cLaNeJJ/" >> $PUBLIC_KEY
echo "UPzlIqow4S6I0O7hboiB6wSDwXfKcjg4F/7JJH3TOevNK7DLZOGOxTEX7z5JRaJZ" >> $PUBLIC_KEY
echo "m8pa1pizQ598dwailRhkbPJGzcSCawmXq6HQTyh7F5PeyolSKVKMA4mOKSJ4KLdv" >> $PUBLIC_KEY
echo "ceos+VHmkBUcE8QrAZNFNq0CAwEAAQ==" >> $PUBLIC_KEY
echo "-----END PUBLIC KEY-----" >> $PUBLIC_KEY

# Verify the runner
VERIFIED=`openssl dgst -sha256 -verify $PUBLIC_KEY -signature $SIGNATURE $RUNNER`

echo $VERIFIED
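An added example, not PatrolServer's code: the verification step from the script above, wrapped so that a missing or empty download is reported separately from a signature mismatch. With wget's stderr discarded, a failed download leaves the `mktemp` file empty and the only visible symptom is openssl's complaint about the signature file. The function names, return codes and the throwaway key pair are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail-closed verification of a downloaded runner.
# Return codes (chosen for this example):
#   0 = signature valid, 2 = a download is missing/empty, 3 = signature invalid
verify_runner() {
    pubkey=$1 signature=$2 runner=$3
    # A failed "wget -O" leaves the mktemp file in place but empty, so check
    # for content before handing the files to openssl.
    for f in "$pubkey" "$signature" "$runner"; do
        if [ ! -s "$f" ]; then
            echo "download missing or empty: $f" >&2
            return 2
        fi
    done
    # Trust openssl's exit status rather than its printed text.
    if openssl dgst -sha256 -verify "$pubkey" -signature "$signature" \
        "$runner" >/dev/null 2>&1; then
        return 0
    fi
    echo "signature does not match $runner" >&2
    return 3
}

# Constructed sample data: a throwaway key pair and a signed stand-in script.
make_fixture() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    printf 'echo "scanner stand-in"\n' > "$dir/compiled.sh"
    openssl dgst -sha256 -sign "$dir/priv.pem" -out "$dir/compiled.sign" \
        "$dir/compiled.sh"
    echo "$dir"
}

# Runs the three cases and prints their return codes: valid, empty, tampered.
demo() {
    d=$(make_fixture) || return 1
    ok=0; verify_runner "$d/pub.pem" "$d/compiled.sign" "$d/compiled.sh" || ok=$?
    : > "$d/empty.sign"                    # what a failed download leaves behind
    empty=0; verify_runner "$d/pub.pem" "$d/empty.sign" "$d/compiled.sh" 2>/dev/null || empty=$?
    echo '# tampered' >> "$d/compiled.sh"  # modify the script after signing
    bad=0; verify_runner "$d/pub.pem" "$d/compiled.sign" "$d/compiled.sh" 2>/dev/null || bad=$?
    rm -rf "$d"
    echo "$ok $empty $bad"
}

demo
```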

Thanks for the fast reply!

$ uname -a
Linux dev-hq-db01 2.6.32-16-pve #1 SMP Mon Oct 22 08:38:13 CEST 2012 x86_64 GNU/Linux

Output of that script:

Error reading signature file /tmp/tmp.yTTSdnOkLd

I'm running the script in /tmp, if that makes any difference?

We are trying to do our best ;)
Normally you can run it anywhere, so I think your system doesn't support some wget params.
Can you try the following?

# Get the runner
RUNNER=`mktemp`
wget -O $RUNNER "https://raw.githubusercontent.com/PatrolServer/bashScanner/master/compiled.sh" 
chmod +x $RUNNER

# Get the signature
SIGNATURE=`mktemp`
wget -O $SIGNATURE "https://raw.githubusercontent.com/PatrolServer/bashScanner/master/compiled.sign" 

cat $SIGNATURE
--2015-11-10 16:25:25--  https://raw.githubusercontent.com/PatrolServer/bashScanner/master/compiled.sh
Resolving raw.githubusercontent.com... 185.31.19.133
Connecting to raw.githubusercontent.com|185.31.19.133|:443... connected.
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA':
  Unable to locally verify the issuer's authority.
ERROR: certificate common name `www.github.com' doesn't match requested host name `raw.githubusercontent.com'.
To connect to raw.githubusercontent.com insecurely, use `--no-check-certificate'.
--2015-11-10 16:25:25--  https://raw.githubusercontent.com/PatrolServer/bashScanner/master/compiled.sign
Resolving raw.githubusercontent.com... 185.31.19.133
Connecting to raw.githubusercontent.com|185.31.19.133|:443... connected.
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA':
  Unable to locally verify the issuer's authority.
ERROR: certificate common name `www.github.com' doesn't match requested host name `raw.githubusercontent.com'.
To connect to raw.githubusercontent.com insecurely, use `--no-check-certificate'.

Tried from another server of mine (Linux 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:51:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux) and it returned this:

$ bash patrolserver
> Hi root,
> PatrolServer.com at your service.
> I'm starting...

> patrolserver.com is not reachable, contact us (3)

And my server can talk out to the domain:

$ ping patrolserver.com
PING patrolserver.com (104.28.4.163) 56(84) bytes of data.
64 bytes from 104.28.4.163: icmp_req=1 ttl=61 time=0.783 ms
64 bytes from 104.28.4.163: icmp_req=2 ttl=61 time=0.711 ms
64 bytes from 104.28.4.163: icmp_req=3 ttl=61 time=0.694 ms

The first issue should be resolved. So remove your patrolserver client and redownload it.
For the second issue, can you give the output of

wget -t2 -T6 -qO- "https://app.patrolserver.com/api/server/exists?host=testdomain.com"

OK cool, the first issue is resolved! Thanks

Second one: the command runs but exits with status 127

And the following?

wget "https://app.patrolserver.com/api/server/exists?host=testdomain.com"

Status code 127 is normally for executing commands that aren't found, strange.

I'm getting the same error as above, and also can ping the server. Output of the wget command on my end is:

root@r2:~# cat exists?host=testdomain.com
{"exists":null,"error":"2","errors":["The hostname doesn't resolve to the requesting IP"]}

So wget still doesn't do anything except returning status code 127? And wget is installed on your system? Is it Ubuntu that you use?

Yes this is an Ubuntu box.


Can you give the output of the following?

/usr/bin/wget "https://app.patrolserver.com/api/server/exists?host=testdomain.com"

And

whereis wget

root@r2:~# /usr/bin/wget "https://app.patrolserver.com/api/server/exists?host=testdomain.com"
--2015-11-10 09:18:00--  https://app.patrolserver.com/api/server/exists?host=testdomain.com
Resolving app.patrolserver.com... 128.199.58.216
Connecting to app.patrolserver.com|128.199.58.216|:443... connected.
ERROR: certificate common name `api.patrolserver.com' doesn't match requested host name `app.patrolserver.com'.
To connect to app.patrolserver.com insecurely, use `--no-check-certificate'.

root@r2:~# /usr/bin/wget "https://app.patrolserver.com/api/server/exists?host=testdomain.com" --no-check-certificate
--2015-11-10 09:18:10--  https://app.patrolserver.com/api/server/exists?host=testdomain.com
Resolving app.patrolserver.com... 128.199.58.216
Connecting to app.patrolserver.com|128.199.58.216|:443... connected.
WARNING: certificate common name `api.patrolserver.com' doesn't match requested host name `app.patrolserver.com'.
HTTP request sent, awaiting response... 200 OK
Length: 90 [application/json]
Saving to: `exists?host=testdomain.com.1'

100%[==========================================================================>] 90 --.-K/s in 0s

2015-11-10 09:18:11 (3.56 MB/s) - `exists?host=testdomain.com.1' saved [90/90]

root@r2:~# cat exists?host=testdomain.com
{"exists":null,"error":"2","errors":["The hostname doesn't resolve to the requesting IP"]}
root@r2:~#

root@r2:~# which wget
/usr/bin/wget


$ /usr/bin/wget "https://app.patrolserver.com/api/server/exists?host=testdomain.com"
--2015-11-10 17:30:39--  https://app.patrolserver.com/api/server/exists?host=testdomain.com
Resolving app.patrolserver.com (app.patrolserver.com)... 128.199.58.216
Connecting to app.patrolserver.com (app.patrolserver.com)|128.199.58.216|:443... connected.
ERROR: no certificate subject alternative name matches
    requested host name `app.patrolserver.com'.
To connect to app.patrolserver.com insecurely, use `--no-check-certificate'.

I will have to look into this. We want to support you, but when wget can't securely connect to our server, that is a problem. And I will not blindly add --no-check-certificate because that opens a security hole.

Maybe there's an alternate method to import your cert, or pull the files down and verify sigs, etc.


I will definitely try to find a solution ;)
Can you check if ca-certificates is installed?

dpkg --list | grep ca-certificates

Okay, we have implemented a fix for your version of wget. It is because that version doesn't support SNI. We implemented a fallback configuration. Now it should work ;)

It's working, thanks a lot!

Hello dolfje,

I'm getting the same error:

> Hi root,
> PatrolServer.com at your service.
> I'm starting...

> patrolserver.com is not reachable, contact us (3)

I'm running Debian 2.6.32-5-amd64.

I ran the above code; it returned "Verified OK".

Any idea?