Repository not working for me

server-linux

#1

Im using debian TESTING (buster or what its called) and my plexmediaserver.list is
deb https://downloads.plex.tv/repo/deb ./public main
everytime i do apt update i get
Err:9 https://downloads.plex.tv/repo/deb ./public InRelease
403 Forbidden [IP: 2400:cb00:2048:1::6814:609 443]
Reading package lists... Done
E: Failed to fetch https://downloads.plex.tv/repo/deb/dists/./public/InRelease 403 Forbidden [IP: 2400:cb00:2048:1::6814:609 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.

I think it stopped working after debian upgraded testing to buster but im not sure. Could'nt find any threads to this, anyone have a clue whats wrong here?


#2

Try disabling IPv6 on that machine and attempt to get the package via IPv4. Or download it manually.

Also, I have read reports elsewhere that that repo is running very slow today and timing out for some users.


#3

To force APT to use ipv4 only should be able to do the following:

echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4

#4

When i run it with apt update -o Acquire::ForceIPv4=true i get the same with an ipv4 address


#5

I haven’t seen an answer for this. I’m getting 403/Forbidden with ipv4 as well.

Err:7 https://downloads.plex.tv/repo/deb ./public InRelease
403 Forbidden [IP: 104.20.7.9 443]

Any help is appreciated. Plex UI is yelling at me to upgrade my version and this is a blocker. I realize I can do it manually but would like to get apt-get working again.


#6

Non-secure http also fails:

Err:8 http://downloads.plex.tv/repo/deb ./public InRelease
403 Forbidden [IP: 104.20.7.9 80]


#7

I’ve double checked with Engineering. HTTPS is the norm.

There is something about either the server your at or your package manager. If it were more widespread, there would be a lot of folks with the same issue


#8

Like the OP, I’m running Debian testing and the past week or so that became “buster” with a slew of updates. I’m going to assume it’s related to that.

I tried openssl in client mode and it accepts my cert:
openssl s_client -connect downloads.plex.tv:443
…so the HTTP server is rejecting me afterwards for some reason. Admittedly, I’m not an expert on HTTPS. I’ll have to look into this more and get back to everyone.

Here is the apt-get version if that’s helpful, although all of my other repo’s are working fine with the exception of Plex. I have a mixture of Debian mirrors and third party repo’s (Pale Moon, Plex):
$ apt-get --version
apt 1.5~beta2 (amd64)
Supported modules:
*Ver: Standard .deb
*Pkg: Debian dpkg interface (Priority 30)
Pkg: Debian APT solver interface (Priority -1000)
Pkg: Debian APT planner interface (Priority -1000)
S.L: ‘deb’ Debian binary tree
S.L: ‘deb-src’ Debian source tree
Idx: Debian Source Index
Idx: Debian Package Index
Idx: Debian Translation Index
Idx: Debian dpkg status file
Idx: Debian deb file
Idx: Debian dsc file
Idx: Debian control file
Idx: EDSP scenario file
Idx: EIPP scenario file


#9

Sorry, but as far as I can tell, this is a server issue. Here’s what I found.

It’s not an apt-get issue.
curl --verbose --silent https://downloads.plex.tv/repo/deb
also returns a 403. So apt-get is off the hook.

Likewise if I paste https://downloads.plex.tv/ into multiple browser platforms (Pale Moon, Firefox, Edge), all get a 403.

I don’t know what it could be but I think someone needs to dig a little bit in the HTTP server logs. I can see they’re running nginx based on the headers, and I’m not terribly familiar with that to point in the direction of log locations or snippets. However I’d bet my IP address is logged as I post this message, and they could search for multiple hits from the same IP over the previous hour. Perhaps there’s a block of IP’s blacklisted or something else glaringly wrong.


#10

BTW - The buster upgrade should not be a factor either, because the browser clients are ignorant to that. I tried the browsers from Windows 10, and curl was run on the buster box.


#11

Did you install the plex key?

That should take care of the denied.

I am seeing another issue now with it. Chcking with engineering… again :frowning:


#12

I had the parameters incorrect.


#13

Yeah I did install the Plex key. The repo was working for me until recently.

Here’s the curl output to confirm the Plex key is working:
$ curl --verbose --silent https://downloads.plex.tv/repo/deb

  • Trying 104.20.7.9…
  • TCP_NODELAY set
  • Connected to downloads.plex.tv (104.20.7.9) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS change cipher, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=Los Gatos; O=Plex, Inc; CN=*.plex.tv
  • start date: Feb 10 00:00:00 2017 GMT
  • expire date: May 10 12:00:00 2020 GMT
  • subjectAltName: host “downloads.plex.tv” matched cert’s “*.plex.tv”
  • issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x563b99655db0)

GET /repo/deb HTTP/2
Host: downloads.plex.tv
User-Agent: curl/7.55.0
Accept: /

  • Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    < HTTP/2 403
    < date: Wed, 30 Aug 2017 14:49:53 GMT
    < content-type: application/xml
    < set-cookie: __cfduid=d6ac5c80e807dfae65bedd36eb668bf601504104592; expires=Thu, 30-Aug-18 14:49:52 GMT; path=/; domain=.plex.tv; HttpOnly
    < x-amz-request-id: 8554A23EEA27C9F3
    < x-amz-id-2: EYBYzutfuXZUXsS/uxCSOMaWJOg540bKKDN7f7+IXA+P7Qgn3tBbjyEpl2WCbC/7yRvy/lQ4E2w=
    < cf-cache-status: EXPIRED
    < server: cloudflare-nginx
    < cf-ray: 39688f294a23801c-SAN
    <
<?xml version="1.0" encoding="UTF-8"?>
  • Connection #0 to host downloads.plex.tv left intact
    AccessDeniedAccess Denied8554A23EEA27C9F3EYBYzutfuXZUXsS/uxCSOMaWJOg540bKKDN7f7+IXA+P7Qgn3tBbjyEpl2WCbC/7yRvy/lQ4E2w=

Note the “SSL certificate verify ok.” which indicates we’ve humored the SSL layer and the key is OK. It looks like the server immediately rejects us after the SSL handshake succeeds.

Thanks for looking into this, and I can help as needed.


#14

Sorry for the oddly formatted curl output. I’ve attached the raw text output in a file here (UNIX line endings). I couldn’t figure out how to format it any better with the message board editor.


#15

would you try accessing the repo as I have shown as the first step?

I’m trying to determine if the cloudflare server is at issue or not.


#16

If I understand your question, I think I was already doing that:

$ cat /etc/apt/sources.list.d/plexmediaserver.list
deb https://downloads.plex.tv/repo/deb ./public main

…and here’s the “apt-get update” output:

$ apt-get update
Hit:1 http://mirrors.namecheap.com/debian testing InRelease
Get:2 http://debian.gtisc.gatech.edu/debian testing InRelease [135 kB]
Hit:3 http://mirrors.cat.pdx.edu/debian testing InRelease
Hit:4 http://mirrors.kernel.org/debian testing InRelease
Hit:5 http://mirror.cc.columbia.edu/debian testing InRelease
Ign:6 http://download.opensuse.org/repositories/home:/stevenpusser/Debian_8.0 InRelease
Get:7 http://security.debian.org testing/updates InRelease [25.5 kB]
Get:8 http://debian.gtisc.gatech.edu/debian testing/main amd64 Packages.diff/Index [27.9 kB]
Get:9 http://debian.gtisc.gatech.edu/debian testing/main Translation-en.diff/Index [27.9 kB]
Get:10 http://debian.gtisc.gatech.edu/debian testing/main amd64 Contents (deb).diff/Index [28.0 kB]
Get:11 http://debian.gtisc.gatech.edu/debian testing/main amd64 Packages 2017-08-30-1423.36.pdiff [95 B]
Get:12 http://debian.gtisc.gatech.edu/debian testing/main Translation-en 2017-08-30-1423.36.pdiff [92 B]
Hit:13 http://download.opensuse.org/repositories/home:/stevenpusser/Debian_8.0 Release
Get:11 http://debian.gtisc.gatech.edu/debian testing/main amd64 Packages 2017-08-30-1423.36.pdiff [95 B]
Get:12 http://debian.gtisc.gatech.edu/debian testing/main Translation-en 2017-08-30-1423.36.pdiff [92 B]
Err:14 https://downloads.plex.tv/repo/deb ./public InRelease
403 Forbidden [IP: 104.20.6.9 443]
Get:15 http://debian.gtisc.gatech.edu/debian testing/main amd64 Contents (deb) 2017-08-30-1423.36.pdiff [447 B]
Get:15 http://debian.gtisc.gatech.edu/debian testing/main amd64 Contents (deb) 2017-08-30-1423.36.pdiff [447 B]
Fetched 245 kB in 7s (31.4 kB/s)
Reading package lists… Done
E: Failed to fetch https://downloads.plex.tv/repo/deb/dists/./public/InRelease 403 Forbidden [IP: 104.20.6.9 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.

Hopefully I understood the question. Let me know if I need to provide more details.


#17

This shouldn’t be the URL to use.

E: Failed to fetch https://downloads.plex.tv/repo/deb/dists/./public/InRelease 403 Forbidden [IP: 104.20.6.9 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.

Change InRelease to main in the sources file :slight_smile:


#18

InRelease is a Debian/Ubuntu protocol thing. It will change to “main” once we successfully connect to the remote server. I don’t think this is an issue.

So for example, here is another repo declaration in my sources.list:
deb http://debian.gtisc.gatech.edu/debian/ testing main contrib non-free

Observe “InRelease” in the “Get” step yet I didn’t call that out in the repo configuration:
Get:2 http://debian.gtisc.gatech.edu/debian testing InRelease [135 kB]

I successfully connected to the repo, so now we continue.

apt-get is told that there is a change and it’s going to fetch the branches now - note “InRelease” is not present now:
Get:8 http://debian.gtisc.gatech.edu/debian testing/main amd64 Packages.diff/Index [27.9 kB]
Get:9 http://debian.gtisc.gatech.edu/debian testing/main Translation-en.diff/Index [27.9 kB]
Get:10 http://debian.gtisc.gatech.edu/debian testing/main amd64 Contents (deb).diff/Index [28.0 kB]
Get:11 http://debian.gtisc.gatech.edu/debian testing/main amd64 Packages 2017-08-30-1423.36.pdiff [95 B]
Get:12 http://debian.gtisc.gatech.edu/debian testing/main Translation-en 2017-08-30-1423.36.pdiff [92 B]
Get:11 http://debian.gtisc.gatech.edu/debian testing/main amd64 Packages 2017-08-30-1423.36.pdiff [95 B]
Get:12 http://debian.gtisc.gatech.edu/debian testing/main Translation-en 2017-08-30-1423.36.pdiff [92 B]

So the InRelease is a step it takes for all repositories, but there is nothing to change on my end.


#19

Also re-pasting above, but here’s my Plex repo config:

$ cat /etc/apt/sources.list.d/plexmediaserver.list
deb https://downloads.plex.tv/repo/deb ./public main


#20

We both see the definitions are right.
I’ve shown the repo is working.

I don’t know what’s happening with Debian.

Perhaps one of the other Debian folks can help?

Plex doesn’t officially support it so I won’t be able to get any further traction from Engineering.