Fedora 39-xfce update fails on R4.2 [CONNECT tunnel failed, response 403]

After installing fedora-39-xfce following the instructions in the documentation, I feel like I remember updating it once through the Qubes updater, but now the update fails with the error:

Updating fedora-39-xfce

Error: Failed to download metadata for repo ‘fedora’: Cannot prepare internal mirrorlist: Curl error (56): Failure when receiving data from the peer for https://mirrors.fedoraproject.org/metalink?repo=fedora-39&arch=x86_64 [CONNECT tunnel failed, response 403]

Error: Failed to download metadata for repo ‘fedora’: Cannot prepare internal mirrorlist: Curl error (56): Failure when receiving data from the peer for https://mirrors.fedoraproject.org/metalink?repo=fedora-39&arch=x86_64 [CONNECT tunnel failed, response 403]

Entering the template and trying to update it using sudo dnf upgrade results in the same error. I can visit the URL in a browser just fine, so I assume something is wrong with the updating proxy, but I don’t know how or what to do.

1 Like

It’s probably this bug:

It’s being fixed now; in that issue thread you can also find workarounds to fix it temporarily. I think rebasing your sys-net and sys-firewall to debian templates may also work.

6 Likes

Looks like that was posted after I tried to find it yesterday. I should’ve checked today. That looks exactly like my issue. Thank you very much :blush:

1 Like

@Dares Can you try if your Debian templates and HVM-qubes get updated? Because it seems i have the same problem, but it affects all of my templates, but not dom0 and HVM-qubes.

I do not have any debian templates, so I cannot help you with that.

The problem is fixed, but it requires a quirk to be solved faster, see this comment

One unfortunate thing is the fix will require updating twice:

1. run template update once - this will apply the fix, but the update itself will fail, since the fix isn't in sys-net at this point yet
2. restart sys-net
3. update again - now it will work

Worked for me :ok_hand:

Does this still require manually adding Allow ::1 tinyproxy-updates.conf on 4.2?

This seems to be the only way I can get updates to work again.

I added the above

  • updated, dom0 and fedora/debian templates.
  • rebooted
  • run update again, still broken til I readd Allow ::1
1 Like

It works too, but that’s not how the final fix was implemented.
qubes.UpdatesProxy now forces IPv4 because the new socat version prefers IPv6 when using TCP.

The fix should automatically implement this in the templates. Make sure you update dom0 first, since it is the updater itself that will change the service file the first time.

1 Like

[irrelevant comment retracted]

Qubes 4.1 was also affected. This issue was caused by a socat upgrade that broke qubes.UpdatesProxy on fedora-based templates.

2 Likes

Has the fix been released to all or is this just in testing branch?

Based on:

Apparently, it’s only available in the testing repo.

2 Likes

I’m likely being slow, but I can’t see how to fix Qubes 4.1? I’ve tried updating tinyproxy-upates.conf as suggested above but that’s made no difference :frowning:

1 Like

Yeah, fedora updates fail on 4.1 for me too: no Dom0 updates available, no communications on how to install a hotfix of some sort.

Well I know nothing about anything anymore. Tried an update this morning out of desperation more than anything, and the update went through fine and I can now install packages again. :person_shrugging:

this is what was supposed to happen :+1:

Didn’t work for me… any other ideas what to try?

try to update dom0 and your templates, reboot and try again?

If it doesn’t work, you could try to enable testing updates and try again the sequence above.

I was having the same problem in 4.2. I eventually made update work on my Fedora templates by:

  1. Opening Qubes Global Config in Qubes Tools - Updates tab
  2. ticking the bubble Enable all testing updates click APPLY
  3. open Qubes Tools , Qube Updates uncheck all then check only dom0 hit UPDATE
    4)after dom0 completes update (took longer than usual) shutdown and restart all services based on Fedora templates
  4. Update templates as usual
  5. Optional - Open Qubes Global Config in Qubes Tools Updates tab. tick the bubble Enable stable updates only click APPLY

I used the new tools that are provided in 4.2 but I believe the same could be done from terminal in 4.1 or 4.2

Hope it works for you

The other fix that worked for me, is I dropped back to the Fedora 38 template for sys-net. I always like to keep one older copy of the templates around in case I mess things up.

1 Like