Unable to update fedora

No, I did not at all. I was using everything fine daily with the Tor Browser until I was prompted by the Qubes update tool to update Fedora and now Debian, which I am having the same problems with.

I don't even know what IPv6 is to even mess with it.

What’s the output of this command in sys-whonix?

sudo journalctl -b -u qubes-updates-proxy.service

This should be run in the whonix-gateway 17 template, correct?

No, in sys-whonix qube.

[gateway user ~]% sudo journalctl -b -u qubes-updates-proxy.service
Sep 30 12:08:11 host systemd[1]: Starting qubes-updates-proxy.service - Qubes u>
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + set -e
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + true '/usr/lib/qubes-whoni>
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + append-once /etc/tinyproxy>
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + append-once /etc/tinyproxy>
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + append-once /etc/tinyproxy>
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + true '/usr/lib/qubes-whoni>
Sep 30 12:08:11 host systemd[1]: Started qubes-updates-proxy.service - Qubes up>
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: Found tinyproxy at /usr/bin/tinyp>
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on >
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on >
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on >
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on >
Sep 30 12:08:11 host tinyproxy[1192]: Initializing tinyproxy ...
Sep 30 12:08:11 host tinyproxy[1192]: Reloading config file
Sep 30 12:08:11 host tinyproxy[1192]: Reloading config file finished
Sep 30 12:08:00 host tinyproxy[1192]: Proxying refused on filtered domain "127.>
Sep 30 16:16:14 host tinyproxy[1192]: Proxying refused on filtered domain "127.>
lines 1-18/18 (END)

The output was truncated, use this command instead:

sudo journalctl -b -u qubes-updates-proxy.service | cat

[gateway user ~]% sudo journalctl -b -u qubes-updates-proxy.service | cat
Sep 30 12:08:11 host systemd[1]: Starting qubes-updates-proxy.service - Qubes updates proxy (tinyproxy)...
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + set -e
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + true '/usr/lib/qubes-whonix/tinyproxy-config-patch: START'
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + append-once /etc/tinyproxy/tinyproxy-updates.conf '## BEGIN: auto-generated configuration by /usr/lib/qubes-whonix/tinyproxy-config-patch'
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + append-once /etc/tinyproxy/tinyproxy-updates.conf 'Upstream socks5 127.0.0.1:9104'
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + append-once /etc/tinyproxy/tinyproxy-updates.conf '## END: auto-generated configuration by /usr/lib/qubes-whonix/tinyproxy-config-patch'
Sep 30 12:08:11 host tinyproxy-config-patch[1168]: + true '/usr/lib/qubes-whonix/tinyproxy-config-patch: END'
Sep 30 12:08:11 host systemd[1]: Started qubes-updates-proxy.service - Qubes updates proxy (tinyproxy).
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: Found tinyproxy at /usr/bin/tinyproxy
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on line 14
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on line 15
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on line 16
Sep 30 12:08:11 host tinyproxy-wrapper[1192]: WARNING: obsolete config item on line 17
Sep 30 12:08:11 host tinyproxy[1192]: Initializing tinyproxy ...
Sep 30 12:08:11 host tinyproxy[1192]: Reloading config file
Sep 30 12:08:11 host tinyproxy[1192]: Reloading config file finished
Sep 30 12:08:00 host tinyproxy[1192]: Proxying refused on filtered domain "127.0.0.1"
Sep 30 16:16:14 host tinyproxy[1192]: Proxying refused on filtered domain "127.0.0.1"
[gateway user ~]%

What’s the output of these commands in debian template?

curl -v --proxy http://127.1:8082/ https://debian.org
curl -v --proxy http://127.1:8082/ https://9.9.9.9

user@debian-12-xfce:~$ curl -v --proxy http://127.1:8082/ https://debian.org
*   Trying 127.0.0.1:8082...
* Connected to 127.0.0.1 (127.0.0.1) port 8082 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to debian.org:443
> CONNECT debian.org:443 HTTP/1.1
> Host: debian.org:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>

curl -v --proxy http://127.1:8082/ https://9.9.9.9

user@debian-12-xfce:~$ curl -v --proxy http://127.1:8082/ https://9.9.9.9
*   Trying 127.0.0.1:8082...
* Connected to 127.0.0.1 (127.0.0.1) port 8082 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to 9.9.9.9:443
> CONNECT 9.9.9.9:443 HTTP/1.1
> Host: 9.9.9.9:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
< Proxy-agent: tinyproxy/1.11.1
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=CH; ST=Zurich; L=Zurich; O=Quad9; CN=dns.quad9.net
*  start date: Jul 17 00:00:00 2024 GMT
*  expire date: Jul 16 23:59:59 2025 GMT
*  subjectAltName: host "9.9.9.9" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: 9.9.9.9]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x562e92490460)
> GET / HTTP/2
> Host: 9.9.9.9
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 404
< server: h2o/dnsdist
< date: Mon, 30 Sep 2024 16:39:31 GMT
< content-type: text/plain; charset=utf-8
< content-length: 9
<
* Connection #0 to host 127.0.0.1 left intact
not founduser@debian-12-xfce:~$

There seems to be some problem with DNS resolution.
What’s the output of this command in sys-whonix?

curl -v https://debian.org

[gateway user ~]% curl -v https://debian.org
*   Trying 151.101.66.132:443...
* Connected to debian.org (151.101.66.132) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www-fastly.debian.org
*  start date: Sep 3 00:37:42 2024 GMT
*  expire date: Dec 2 00:37:41 2024 GMT
*  subjectAltName: host "debian.org" matched cert's "debian.org"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: debian.org]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5ffc6ad2a910)
> GET / HTTP/2
> Host: debian.org
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 302
< server: Varnish
< retry-after: 0
< location: https://www.debian.org/
< accept-ranges: bytes
< date: Mon, 30 Sep 2024 16:48:16 GMT
< via: 1.1 varnish
< x-served-by: cache-cph2320033-CPH
< x-cache: HIT
< x-cache-hits: 0
< x-timer: S1727714896.331617,VS0,VE0
< content-length: 0
<
* Connection #0 to host debian.org left intact
[gateway user ~]%

What’s the output of this command in sys-whonix?

curl -v --proxy http://127.1:8082/ https://debian.org

[gateway user ~]% curl -v --proxy http://127.1:8082/ https://debian.org
*   Trying 127.0.0.1:8082...
* Connected to 127.0.0.1 (127.0.0.1) port 8082 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to debian.org:443
> CONNECT debian.org:443 HTTP/1.1
> Host: debian.org:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
< Proxy-agent: tinyproxy/1.11.1
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www-fastly.debian.org
*  start date: Sep 3 00:37:42 2024 GMT
*  expire date: Dec 2 00:37:41 2024 GMT
*  subjectAltName: host "debian.org" matched cert's "debian.org"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: debian.org]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5a09456e9910)
> GET / HTTP/2
> Host: debian.org
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 302
< server: Varnish
< retry-after: 0
< location: https://www.debian.org/
< accept-ranges: bytes
< date: Mon, 30 Sep 2024 17:15:50 GMT
< via: 1.1 varnish
< x-served-by: cache-fra-etou8220050-FRA
< x-cache: HIT
< x-cache-hits: 0
< x-timer: S1727716550.417608,VS0,VE0
< content-length: 0
<
* Connection #0 to host 127.0.0.1 left intact
[gateway user ~]%

I don’t know at what point DNS resolution is breaking. I’ll try to look into it later, but you can ask about this issue on the Whonix forum as well; maybe you’ll get the answer there faster:
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/c/qubes-whonix/12

But I can’t reproduce the issue on my end so I guess it should be specific to your setup.

ok

Try this:
Create sys-whonix-upd qube based on the debian-12-xfce template with net qube set to sys-whonix and “Provides network” option set.
Set the default update proxy for your templates to sys-whonix-upd in Qubes Global Config → Updates.
Start sys-whonix-upd and try to run these commands in debian-12-xfce template:

curl --proxy http://127.1:8082/ https://9.9.9.9
curl --proxy http://127.1:8082/ https://debian.org

Which type should I create the qube based off?

App qube.

user@debian-12-xfce:~$ curl --proxy http://127.1:8082/ https://9.9.9.9
not founduser@debian-12-xfce:~$

user@debian-12-xfce:~$ curl --proxy http://127.1:8082/ https://debian.org
user@debian-12-xfce:~$
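
The comparison made earlier in the thread (the same proxy request by hostname and by IP address), as an added example that is not part of any post: it classifies saved `curl -v --proxy` output by how far each request got. The function names and the shortened sample transcripts are constructed for illustration, and the input is assumed to be raw curl output with its `*`, `>` and `<` prefixes intact.

```shell
#!/bin/sh
# Added example (not from the thread): classify saved `curl -v --proxy` output.

# Prints how far one transcript got: no-proxy, connect-hang,
# connect-refused, tls-failed or ok.
classify_curl_transcript() {
    grep -q 'Connected to ' "$1" || { echo no-proxy; return 0; }
    # The first "< HTTP/..." line is the proxy's answer to CONNECT.
    status=$(sed -n 's/^< HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' "$1" | head -n 1)
    [ -n "$status" ] || { echo connect-hang; return 0; }
    case $status in
        2??) ;;
        *) echo connect-refused; return 0 ;;
    esac
    if grep -q 'SSL certificate verify ok' "$1"; then echo ok; else echo tls-failed; fi
}

# Compares a by-hostname transcript ($1) with a by-IP transcript ($2).
diagnose() {
    by_name=$(classify_curl_transcript "$1")
    by_ip=$(classify_curl_transcript "$2")
    case "$by_name/$by_ip" in
        ok/ok) echo "proxy path healthy" ;;
        no-proxy/*|*/no-proxy) echo "update proxy not reachable" ;;
        connect-hang/ok|connect-refused/ok) echo "name resolution behind the proxy" ;;
        *) echo "inconclusive: $by_name/$by_ip" ;;
    esac
}

# Constructed sample transcripts, shortened from the shape seen in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/by_name.txt" <<'EOF'
*   Trying 127.0.0.1:8082...
* Connected to 127.0.0.1 (127.0.0.1) port 8082 (#0)
* Establish HTTP proxy tunnel to debian.org:443
> CONNECT debian.org:443 HTTP/1.1
EOF
cat > "$tmp/by_ip.txt" <<'EOF'
*   Trying 127.0.0.1:8082...
* Connected to 127.0.0.1 (127.0.0.1) port 8082 (#0)
> CONNECT 9.9.9.9:443 HTTP/1.1
< HTTP/1.0 200 Connection established
*  SSL certificate verify ok.
< HTTP/2 404
EOF
diagnose "$tmp/by_name.txt" "$tmp/by_ip.txt"
```

With an HTTP proxy the client sends the hostname inside CONNECT, so a request that stalls by name but succeeds by IP points at resolution on the proxy side rather than in the template.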