Package Repository 401 Problem

Hi,
I mirror your package repository on a daily basis and today I was confronted with a 401 HTTP error.
The file https://packages.icinga.com/debian/dists/icinga-bookworm/main/binary-amd64/Packages is referencing the package pool/main/i/icinga-dependencies-web/icinga-dependencies-web_1.0.0-1+debian12_all.deb which itself requires auth.

❯ curl -v https://packages.icinga.com/debian/pool/main/i/icinga-dependencies-web/icinga-dependencies-web_1.0.0-1+debian12_all.deb
* Host packages.icinga.com:443 was resolved.
* IPv6: 2a02:ed80:3:1700:f816:3eff:fec5:887b
* IPv4: 185.233.189.126
*   Trying [2a02:ed80:3:1700:f816:3eff:fec5:887b]:443...
* Connected to packages.icinga.com (2a02:ed80:3:1700:f816:3eff:fec5:887b) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.icinga.com
*  start date: Apr  8 00:00:00 2025 GMT
*  expire date: May  9 23:59:59 2026 GMT
*  subjectAltName: host "packages.icinga.com" matched cert's "*.icinga.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (3072/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/1.x
> GET /debian/pool/main/i/icinga-dependencies-web/icinga-dependencies-web_1.0.0-1+debian12_all.deb HTTP/1.1
> Host: packages.icinga.com
> User-Agent: curl/8.5.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Fri, 20 Jun 2025 06:27:31 GMT
< Server: Apache
< WWW-Authenticate: Basic realm="Password Required"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1

Is this auth in place on purpose?

Thanks for posting.

This should indeed be desired since Icinga Dependencies Web requires a subscription, as described in the announcement blog post or the docs.

First of all, thank you for bringing this up and sorry for the trouble this has caused. I admit that we hadn’t thought about the problems this would cause for mirrors of our repository.

We are discussing possible ways to improve and will come up with a solution soon hopefully. Please understand that if we have to restructure the repositories it may take a while.

Thanks for your responses.
The software I use to mirror your repository is capable of filtering out specific packages. But it probably wouldn’t be feasible for everyone to maintain such a blacklist. Perforce recently had kind of the same problem with their Puppet package repository, as they transitioned to a subscription model for their packages. They decided to create a whole new repository where everything requires auth.

I’m looking forward to seeing what you come up with. Thank you so far.
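
Added example, not part of the thread and not Icinga's or any mirror tool's own code: a pre-flight check a mirror operator could run before syncing, which parses a Packages index and reports entries whose pool file answers 401 or 403 to an unauthenticated request. The sample index is constructed (only the icinga-dependencies-web filename comes from the thread), and the function names and the injectable probe parameter are assumptions made for this sketch.

```python
import re
import urllib.error
import urllib.request

# Constructed two-stanza sample in Packages-index format (not the real index).
SAMPLE_INDEX = """\
Package: example-open
Version: 1.0-1
Description: constructed entry
 with a continuation line
Filename: pool/main/e/example-open/example-open_1.0-1_all.deb

Package: icinga-dependencies-web
Version: 1.0.0-1+debian12
Filename: pool/main/i/icinga-dependencies-web/icinga-dependencies-web_1.0.0-1+debian12_all.deb
"""

def parse_packages(text):
    """Parse index stanzas into dicts; continuation lines extend the previous field."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def http_status(url):
    """Send an unauthenticated HEAD request and return the HTTP status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 arrive here as exceptions

def find_gated(index_text, base_url, probe=http_status):
    """Return (package, filename, status) for entries that demand authentication."""
    gated = []
    for stanza in parse_packages(index_text):
        if "Filename" not in stanza:
            continue
        status = probe(base_url.rstrip("/") + "/" + stanza["Filename"])
        if status in (401, 403):
            gated.append((stanza["Package"], stanza["Filename"], status))
    return gated
```

The package names returned by find_gated can be fed into the mirror tool's exclusion filter so the sync does not abort on the first 401.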