
proxychains4 throws error where proxychains3 works without issue (related to dehydrated)

Open dmilojevic opened this issue 5 years ago • 3 comments

Hello everybody.

I tried to find some more issues about this online but failed. Sorry if it has been addressed already.

I found out about proxychains4 a few days ago. So far I've been using the default proxychains deployment from Raspbian (Debian for Raspberry Pi) Buster, which is 3.1-8.1. I started working on some scripts in which I wanted to parse the responses from the proxified and direct connections in the same way, so I realized that only proxychains4 actually has a -q switch to help me achieve that easily. I am currently running proxychains4 version 4.13-4.

Anyway, everything else works fine except one (important) thing. Since this is running on Raspberry Pi constantly connected to the internet via VPN, I am using proxychains to renew my letsencrypt certificate via public IP assigned to me by my ISP (I am running SSH server on another device in my home network through which proxychains tunnels the request outside). I use dehydrated (https://github.com/lukas2511/dehydrated) for letsencrypt renewal and it worked fine for more than a year via proxychains3 but when I try to use it via proxychains4 there is an error message.

root@raspberrypi:/opt/dehydrated # proxychains /opt/dehydrated/dehydrated -c
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/arm-linux-gnueabihf/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
INFO: Using main config file /opt/dehydrated/config
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] Strict chain ... 127.0.0.1:7072 ... acme-staging-v02.api.letsencrypt.org:443 ... OK
[proxychains] DLL init: proxychains-ng 4.13
bash: src/allocator_thread.c:235: getmessage: Assertion `hdr->datalen <= MSG_LEN_MAX' failed.
Aborted
[proxychains] DLL init: proxychains-ng 4.13

When I rerun dehydrated with proxychains3 or without proxychains, it works fully without any issues.

root@raspberrypi:/opt/dehydrated # /opt/dehydrated/dehydrated -c
INFO: Using main config file /opt/dehydrated/config
Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
Processing mydomain.com with alternative names: myotherdomain.com
Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Feb 16 04:41:41 2020 GMT Certificate will not expire (Longer than 30 days). Skipping renew!

I would greatly appreciate it if someone could help with this.

Thanks in advance!

dmilojevic, Nov 21 '19 08:11

you could run the dehydrated script with proxychains4 bash -x /path/to/dehydrated so we can see which exact command is failing.

also please use latest git of proxychains, some issues have been fixed. that means you gotta compile it yourself.

rofl0r, Nov 21 '19 22:11

Hi. Thanks for the reply. I can't build proxychains on this installation from source at this moment, but will do soon on another one.

In the meantime, the following is the output of the command you suggested.

root@raspberrypi:/opt/dehydrated # proxychains4 bash -x /opt/dehydrated/dehydrated -c
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/arm-linux-gnueabihf/libproxychains.so.4
+ set -e
+ set -u
+ set -o pipefail
+ [[ -n '' ]]
+ [[ -z '' ]]
+ shopt -s nullglob
+ set -f
+ umask 077
+ exec
+ exec
+ VERSION=0.6.5
+ SOURCE=/opt/dehydrated/dehydrated
+ '[' -h /opt/dehydrated/dehydrated ']'
+++ dirname /opt/dehydrated/dehydrated
++ cd -P /opt/dehydrated
++ pwd
+ SCRIPTDIR=/opt/dehydrated
+ BASEDIR=/opt/dehydrated
+ ORIGARGS=-c
++ uname
+ OSTYPE=Linux
+ [[ ! '' = \N\O\O\P ]]
+ main -c
+ COMMAND=
+ [[ -z -c ]]
+ ((  1  ))
+ case "${1}" in
+ set_command sign_domains
+ [[ -z '' ]]
+ COMMAND=sign_domains
+ shift 1
+ ((  0  ))
+ case "${COMMAND}" in
+ command_sign_domains
+ init_system
+ load_config
+ [[ -z '' ]]
+ for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"
+ [[ -f /etc/dehydrated/config ]]
+ for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"
+ [[ -f /usr/local/etc/dehydrated/config ]]
+ for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"
+ [[ -f /opt/dehydrated/config ]]
+ BASEDIR=/opt/dehydrated
+ CONFIG=/opt/dehydrated/config
+ break
+ CA=https://acme-v02.api.letsencrypt.org/directory
+ OLDCA=
+ CERTDIR=
+ ALPNCERTDIR=
+ ACCOUNTDIR=
+ CHALLENGETYPE=http-01
+ CONFIG_D=
+ CURL_OPTS=
+ DOMAINS_D=
+ DOMAINS_TXT=
+ HOOK=
+ HOOK_CHAIN=no
+ RENEW_DAYS=30
+ KEYSIZE=4096
+ WELLKNOWN=
+ PRIVATE_KEY_RENEW=yes
+ PRIVATE_KEY_ROLLOVER=no
+ KEY_ALGO=rsa
+ OPENSSL=openssl
+ OPENSSL_CNF=
+ CONTACT_EMAIL=
+ LOCKFILE=
+ OCSP_MUST_STAPLE=no
+ OCSP_FETCH=no
+ OCSP_DAYS=5
+ IP_VERSION=
+ CHAINCACHE=
+ AUTO_CLEANUP=no
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
+ API=auto
+ [[ -z /opt/dehydrated/config ]]
+ [[ -f /opt/dehydrated/config ]]
+ echo '# INFO: Using main config file /opt/dehydrated/config'
# INFO: Using main config file /opt/dehydrated/config
++ dirname /opt/dehydrated/config
+ BASEDIR=/opt/dehydrated
+ . /opt/dehydrated/config
++ CHALLENGETYPE=dns-01
++ HOOK=/opt/dehydrated/hook.sh
++ CA=https://acme-staging-v02.api.letsencrypt.org/directory
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ check_dependencies
+ openssl version
+ _sed ''
+ command -v grep
+ command -v mktemp
+ command -v diff
+ set +e
++ curl -V
++ head -n1
++ awk '{print $2}'
+ CURL_VERSION=7.64.0
+ retcode=0
+ set -e
+ [[ ! 0 = \0 ]]
+ [[ /opt/dehydrated != \/ ]]
+ BASEDIR=/opt/dehydrated
+ [[ -d /opt/dehydrated ]]
+ [[ -z '' ]]
+ [[ https://acme-staging-v02.api.letsencrypt.org/directory = \h\t\t\p\s\:\/\/\a\c\m\e\-\v\0\2\.\a\p\i\.\l\e\t\s\e\n\c\r\y\p\t\.\o\r\g\/\d\i\r\e\c\t\o\r\y ]]
++ echo https://acme-staging-v02.api.letsencrypt.org/directory
++ urlbase64
++ openssl base64 -e
++ tr -d '\n\r'
++ _sed -e 's:=*$::g' -e y:+/:-_:
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's:=*$::g' -e y:+/:-_:
+ CAHASH=Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg
+ [[ -z '' ]]
+ ACCOUNTDIR=/opt/dehydrated/accounts
+ [[ ! -e /opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg ]]
+ [[ -f /opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/config ]]
+ ACCOUNT_KEY=/opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/account_key.pem
+ ACCOUNT_KEY_JSON=/opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/registration_info.json
+ ACCOUNT_ID_JSON=/opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/account_id.json
+ [[ -f /opt/dehydrated/private_key.pem ]]
+ [[ -f /opt/dehydrated/private_key.json ]]
+ [[ -z '' ]]
+ CERTDIR=/opt/dehydrated/certs
+ [[ -z '' ]]
+ ALPNCERTDIR=/opt/dehydrated/alpn-certs
+ [[ -z '' ]]
+ CHAINCACHE=/opt/dehydrated/chains
+ [[ -z '' ]]
+ DOMAINS_TXT=/opt/dehydrated/domains.txt
+ [[ -z '' ]]
+ WELLKNOWN=/var/www/dehydrated
+ [[ -z '' ]]
+ LOCKFILE=/opt/dehydrated/lock
+ [[ -z '' ]]
++ openssl version -d
++ cut '-d"' -f2
+ OPENSSL_CNF=/usr/lib/ssl/openssl.cnf
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ '[' '!' '' = noverify ']'
+ verify_config
+ [[ dns-01 == \h\t\t\p\-\0\1 ]]
+ [[ dns-01 == \d\n\s\-\0\1 ]]
+ [[ dns-01 = \d\n\s\-\0\1 ]]
+ [[ -z /opt/dehydrated/hook.sh ]]
+ [[ dns-01 = \h\t\t\p\-\0\1 ]]
+ [[ rsa == \r\s\a ]]
+ [[ -n '' ]]
+ [[ auto == \a\u\t\o ]]
+ [[ 5 =~ ^[0-9]+$ ]]
+ store_configvars
+ __KEY_ALGO=rsa
+ __OCSP_MUST_STAPLE=no
+ __PRIVATE_KEY_RENEW=yes
+ __KEYSIZE=4096
+ __CHALLENGETYPE=dns-01
+ __HOOK=/opt/dehydrated/hook.sh
+ __WELLKNOWN=/var/www/dehydrated
+ __HOOK_CHAIN=no
+ __OPENSSL_CNF=/usr/lib/ssl/openssl.cnf
+ __RENEW_DAYS=30
+ __IP_VERSION=
+ [[ -n /opt/dehydrated/lock ]]
++ dirname /opt/dehydrated/lock
+ LOCKDIR=/opt/dehydrated
+ [[ -w /opt/dehydrated ]]
+ trap remove_lock EXIT
++ http_request get https://acme-staging-v02.api.letsencrypt.org/directory
+++ _mktemp
+++ mktemp /tmp/dehydrated-XXXXXX
++ tempcont=/tmp/dehydrated-VgGoAi
+++ _mktemp
+++ mktemp /tmp/dehydrated-XXXXXX
++ tempheaders=/tmp/dehydrated-5qE9da
++ [[ -n '' ]]
++ set +e
++ [[ get = \h\e\a\d ]]
++ [[ get = \g\e\t ]]
+++ curl -A 'dehydrated/0.6.5 curl/7.64.0' -L -s -w '%{http_code}' -o /tmp/dehydrated-VgGoAi -D /tmp/dehydrated-5qE9da https://acme-staging-v02.api.letsencrypt.org/directory
++ statuscode=200
++ curlret=0
++ set -e
++ [[ ! 0 = \0 ]]
++ [[ ! 2 = \2 ]]
++ cat /tmp/dehydrated-5qE9da
bash: src/allocator_thread.c:235: getmessage: Assertion `hdr->datalen 

Please note that the cat of the second tmp file remains on the command line when the app crashes.

The contents of the 2 temporary files mentioned are as follows.

/tmp/dehydrated-VgGoAi

{
  "BSaGI17Bhr6": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/17162",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}

/tmp/dehydrated-5qE9da

HTTP/2 200
server: nginx
date: Fri, 22 Nov 2019 07:16:23 GMT
content-type: application/json
content-length: 724
cache-control: public, max-age=0, no-cache
x-frame-options: DENY
strict-transport-security: max-age=604800

dmilojevic, Nov 22 '19 08:11

thanks, the isolated curl command seems to work fine here on both debian and sabotage linux hosts, with latest git and both socks5/http proxies.

the issue you're facing could be either due to a bug fixed since, or some platform-specific issue (for example, on arm, abi for "char" is "unsigned char" unlike on other archs, which breaks some things - if that's the reason you could compile proxychains like CFLAGS=-fsigned-char ./configure ... etc...), or maybe it's due to all the other stuff the script does. in the latter case, if you try the curl command manually, it would work.

rofl0r, Nov 22 '19 16:11
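
The char-signedness point raised in the last comment, as an added example that is not part of the thread and is not proxychains-ng code: the frame layout, the scanner functions and the MSG_LEN_MAX value of 8 are constructed for illustration. It shows how one byte comparison yields a different length, and so a different outcome for a length check, depending on whether plain char is signed; it does not diagnose this particular crash.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MSG_LEN_MAX 8 /* constructed limit for this example, not the project's value */

/* Constructed frame: 4 payload bytes, an end marker written as (char)-1, then stale bytes. */
static const unsigned char FRAME[16] = {
    'd', 'a', 't', 'a', 0xFF, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
};

/* Hypothetical scanners: return the payload length, or buflen if no marker is found. */
static size_t len_signed(const unsigned char *buf, size_t buflen) {
    for (size_t i = 0; i < buflen; i++) {
        int v = (signed char)buf[i];   /* signed char: 0xFF promotes to -1 */
        if (v == -1) return i;
    }
    return buflen;
}

static size_t len_unsigned(const unsigned char *buf, size_t buflen) {
    for (size_t i = 0; i < buflen; i++) {
        int v = (unsigned char)buf[i]; /* unsigned char: 0xFF promotes to 255 */
        if (v == -1) return i;         /* never true, so the scan runs past the payload */
    }
    return buflen;
}

/* The same loop with plain char: the result depends on the target ABI, or on
   -fsigned-char / -funsigned-char at compile time. */
static size_t len_plain(const unsigned char *buf, size_t buflen) {
    for (size_t i = 0; i < buflen; i++) {
        char c = (char)buf[i];
        if ((int)c == -1) return i;
    }
    return buflen;
}

static int within_limit(size_t len) { return len <= MSG_LEN_MAX; }

int main(void) {
    size_t s = len_signed(FRAME, sizeof FRAME), u = len_unsigned(FRAME, sizeof FRAME);
    size_t p = len_plain(FRAME, sizeof FRAME);
    printf("plain char is %s on this build\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("signed char:   len=%zu within limit=%d\n", s, within_limit(s));
    printf("unsigned char: len=%zu within limit=%d\n", u, within_limit(u));
    printf("plain char:    len=%zu within limit=%d\n", p, within_limit(p));
    return 0;
}
```

Building this once with -fsigned-char and once with -funsigned-char changes only the plain char line, which is the effect the CFLAGS suggestion above relies on.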