Apt-cacher-ng and fedora: "Cannot prepare internal mirrorlist: Status code: 403"

parulin · December 15, 2023, 10:30pm

I’ve read a lot of topics about apt-cacher-ng and fedora and I still don’t understand why I can’t get it to work. So, this is my setup:

I followed the notes of unman, setting up a template for a test-cacher VM, editing qrexec policy, I’ve got a fedora-38-test-cached-3 and a debian-11-test-cached-3 VM (yes, I made several attempts). I’ve changed https:// into http://HTTPS/// in the debian template and I can update it and see it in the test-cacher logs.

With fedora, I used this command:

sudo sed -i "s^metalink=https://\(\S\+\)$basearch^metalink=http://HTTPS///\1$basearch\&protocol=http^" /etc/yum.repos.d/*.repo
sudo sed -i "s^https://^http://HTTPS///^" /etc/yum.repos.d/qubes-r4.repo

I copied the fedora_mirrors in test_cacher

Then, upgrading, I got this:

Error: Failed to download metadata for repo ‘fedora’: Cannot prepare internal mirrorlist: Status code: 403 for http://HTTPS///mirrors.fedoraproject.org/metalink?repo=fedora-38&arch=x86_64&protocol=http (IP: 127.0.0.1)

This is what I tried:

In fedora-38-cached-test-3:

sudo dnf upgrade --refresh

In test-cacher:

sudo rm -r /var/cache/apt-cacher-ng/fedora

Same error after adding some lines to acng.conf in test-cacher:

VfilePatternEx: .*fedora.*updateinfo.*xml.zck$
DontCache: .*fedora.*updates.*updateinfo.xml.zck

Copying the acng.conf from shaker don’t change the problem…

So, I think there is something I don’t understand but what?

unman · December 16, 2023, 5:01am

Status code 403 is a Forbidden error.
You will often see this with fedora mirrors accessed via Tor.
I also see it when using apt-cacher-ng via clearnet.

Since it is an error at the server side, there’s little you can do.
Sometimes a little patience is all you need.

Working with Fedora can be frustrating at times, but generally it will
work. Sometimes it’s necessary to clear the cacher before trying another
update.

parulin · December 16, 2023, 8:04am

Ok, thank you for clarifying the message. The thing is: I got this error while trying apt-cacher-ng during my other attempts so I wasn’t sure if there was a problem from my side or no.

I will consider changing some of my templates to debian because I really need to use apt-cache-ng.

unman · December 18, 2023, 3:30am

As an example, last night I could not update Fedora-38 based templates.
This morning, they updated using apt-cacher-ng.
In one case I had to intervene and manually run sudo dnf clean all
before updating. Then all was well.

I believe that a significant cause of these issues is the Fedora mirror
system, particularly for updates repositories.
With some patience (and cleaning), apt-cacher-ng works fine with Fedora
templates.

parulin · December 18, 2023, 7:44pm

Yeah but I couldn’t get it to work even once. I suspect that my most of the time poor connection is resulting in this 403 error.

By cleaning, you mean something more than this?

removing everything related to fedora in /var/cache/apt-cacher-ng in the cacher VM
running dnf clean all and removing everything in in /var/cache/dnf in the fedora template to update

whoami · December 6, 2025, 3:46pm

I tried to install SchildiChat Desktop with my apt-cacher configuration. Following the installation instruction, you have to download the repo key:

https://apt.supercable.onl/super-apt-repo.key

Download the key in the Debian template terminal

curl -vfsSL --proxy 127.0.0.1:8082 http://HTTPS///apt.supercable.onl/super-apt-repo.key --output test.asc

returns this error message:

*   Trying 127.0.0.1:8082...
* Connected to 127.0.0.1 (127.0.0.1) port 8082
* using HTTP/1.x
> GET http://HTTPS///apt.supercable.onl/super-apt-repo.key HTTP/1.1
> Host: HTTPS
> User-Agent: curl/8.14.1
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
* Request completely sent off
< HTTP/1.1 403 Forbidden file type or location
< Content-Length: 512
< Content-Type: text/html
< Date: Xxx, xx Dec XXXX xx:xx:xx GMT
< Server: Debian Apt-Cacher NG/3.7.4
* The requested URL returned error: 403
< 
* closing connection #0
curl: (22) The requested URL returned error: 403

Is this the same error?
Any workaround to get the key?

unman · December 7, 2025, 3:05am

It is not the same.
apt-cacher-ng has restrictions on what files it will deal with, and
allow to be downloaded.
This is why you see the “403 Forbidden file type or location” message.

The simplest way to deal with this is to add key to the list of
permitted files. There is a mechanism to do this under the
PFilePatternEx and VFilePatternExdirectives. I would use the latter
as it is possible that the key may be changed on the server, and the data
is therefore to be treated as volatile.
In the configuration file at /etc/apt-cacher-ng/acng.conf look for the
line that starts with VFilePatternEx, you will see entries separated by |.
Add this RE that will match the key - |.*super-apt-repo.key to that
line.
Restart the service with systemctl restart apt-cacher-ng.
Now you will be able to get the key.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

whoami · December 7, 2025, 7:41am

Works!
Thanks a lot for the explanation.

Just a minor remark:

In my acng.conf file this line was commented out and had no entries.
Therefore, I changed # VfilePatternEx: to VfilePatternEx: .*super-apt-repo.key