We ran into a problem using mirror and pull pockets on our landscape (v23.03) installation.
After setting up our on-prem landscape server using the following commands
landscape-api create-distribution ubuntu
landscape-api create-series --pockets release,updates,security \``--components main,restricted,universe,multiverse --architectures amd64,i386 \``--gpg-key mirror-key --mirror-uri http://archive.ubuntu.com/ubuntu/ \``--mirror-series focal focal ubuntu
landscape-api sync-mirror-pocket release focal ubuntu
landscape-api sync-mirror-pocket updates focal ubuntu
landscape-api sync-mirror-pocket security focal ubuntu
Create staging and production pockets
landscape-api create-pocket --pull-pocket release release-staging focal ubuntu main,universe amd64,i386 pull mirror-key
landscape-api create-pocket --pull-pocket updates updates-staging focal ubuntu main,universe amd64,i386 pull mirror-key
landscape-api create-pocket --pull-pocket security security-staging focal ubuntu main,universe amd64,i386 pull mirror-key
landscape-api create-pocket --pull-pocket release-staging release-production focal ubuntu main,universe amd64,i386 pull mirror-key
landscape-api create-pocket --pull-pocket updates-staging updates-production focal ubuntu main,universe amd64,i386 pull mirror-key
landscape-api create-pocket --pull-pocket security-staging security-production focal ubuntu main,universe amd64,i386 pull mirror-key
Create repository profiles
landscape-api create-repository-profile --description "Staging profile used to evaluate" staging-profile
landscape-api associate-repository-profile --tags staging staging-profile
landscape-api create-repository-profile --description "Production profile used for production system" production-profile
landscape-api associate-repository-profile --tags production production-profile
Associate pockets with profiles
landscape-api add-pockets-to-repository-profile staging-profile release-staging,updates-staging,security-staging focal ubuntu
landscape-api add-pockets-to-repository-profile production-profile release-production,updates-production,security-production focal ubuntu
We then configured the SSL certifcates using certbot
However when we try to update our clients using “apt update” we get the following errors
The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification
While not ideal we got around this issue by removing the verification step via:
touch /etc/apt/apt.conf.d/99verify-peer.conf && echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }
With the certificate issue out of the way we are now seeing the following errors on the clients:
E: The repository ‘http://landscape.X.com/repository/standalone/ubuntu focal-release-production Release’ does not have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://landscape.X.com/repository/standalone/ubuntu focal-updates-production Release’ does not have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘http://landscape.X.com/repository/standalone/ubuntu focal-security-production Release’ does not have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
We are able to apply updates to the clients, just strange that we are seeing these errors.
On the landscape server we see the following message in the apache access log
[24/May/2023:04:57:16 +0000] “GET /repository/standalone/ubuntu/dists/focal-release-production/InRelease HTTP/1.1” 301 710 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:16 +0000] “GET /repository/standalone/ubuntu/dists/focal-updates-production/InRelease HTTP/1.1” 301 710 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:16 +0000] “GET /repository/standalone/ubuntu/dists/focal-security-production/InRelease HTTP/1.1” 301 712 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:16 +0000] “GET /repository/standalone/ubuntu/dists/focal-release-production/InRelease HTTP/1.1” 404 15691 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:17 +0000] “GET /repository/standalone/ubuntu/dists/focal-release-production/Release HTTP/1.1” 301 706 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:17 +0000] “GET /repository/standalone/ubuntu/dists/focal-updates-production/InRelease HTTP/1.1” 404 11280 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:17 +0000] “GET /repository/standalone/ubuntu/dists/focal-updates-production/Release HTTP/1.1” 301 706 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:17 +0000] “GET /repository/standalone/ubuntu/dists/focal-security-production/InRelease HTTP/1.1” 404 11280 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:17 +0000] “GET /repository/standalone/ubuntu/dists/focal-security-production/Release HTTP/1.1” 301 708 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:17 +0000] “GET /repository/standalone/ubuntu/dists/focal-release-production/Release HTTP/1.1” 404 11280 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:17 +0000] “GET /repository/standalone/ubuntu/dists/focal-updates-production/Release HTTP/1.1” 404 11280 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
[24/May/2023:04:57:18 +0000] “GET /repository/standalone/ubuntu/dists/focal-security-production/Release HTTP/1.1” 404 11280 “-” “Debian APT-HTTP/1.3 (2.0.2ubuntu0.2) non-interactive”
When removing the tag from the affected hosts and dissociating it from the staging / production pull-pockets the error is not present. It appears that pull-pocket are the cause of this issue.