curl: (7) couldn't connect to host

[splurglepoof]

Yeah, so I have the newest super greatest "rpi-update" that uses curl instead of the ancient broken wget 1.13.4 and it still doesn't work. wget 1.15 on my debian 3.16-2-amd64 desktop works fine, curl 7.38.0 on the desktop works fine but curl 7.26.0 on the rpi doesn't. Time is fine, using the same time server for both machines.

pi@raspcam /tmp $ sudo apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

sudo apt-get update && sudo apt-get install rpi-update gets me:
rpi-update is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

But

pi@raspcam /tmp $ sudo rpi-update
*** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
*** Performing self-update
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) couldn't connect to host
!!! Failed to download update for rpi-update!
!!! Make sure you have ca-certificates installed and that the time is set correctly

I've looked at bug #65, and I see that the consensus is that everything is fixed. This does not appear to be the case.

pi@raspcam /tmp $ uname -a
Linux raspcam 3.12.28+ #709 PREEMPT Mon Sep 8 15:28:00 BST 2014 armv6l GNU/Linux

[popcornmix]

What does:

curl https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update

report on Pi? What do you get entering that url in a web browser (e.g. on Windows PC)

[splurglepoof]

pi@raspcam /tmp $ curl https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update
curl: (7) couldn't connect to host

pi@raspcam /tmp $ ping raw.githubusercontent.com
PING github.map.fastly.net (199.27.79.133) 56(84) bytes of data.
64 bytes from 199.27.79.133: icmp_req=1 ttl=53 time=60.1 ms
64 bytes from 199.27.79.133: icmp_req=2 ttl=53 time=58.7 ms
64 bytes from 199.27.79.133: icmp_req=3 ttl=52 time=60.6 ms
^ C
--- github.map.fastly.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 58.746/59.862/60.665/0.861 ms

[popcornmix]

And the url in a web browser on PC?

[splurglepoof]

On the debian desktop:

[g:tmp]-> curl https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update
# ! /bin/bash

set -o nounset
set -o errexit

...

do_update
[g:tmp]->

Same thing in Firefox (Iceweasel) on the desktop machine.

[popcornmix]

On Pi I get:

$ curl --version
curl 7.26.0 (arm-unknown-linux-gnueabihf) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp 
Features: Debug GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 

and

$ curl https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update | head
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
#!/bin/bash

set -o nounset
set -o errexit

REPO_URI=${REPO_URI:-"https://github.com/Hexxeh/rpi-firmware"}

UPDATE_SELF=${UPDATE_SELF:-1}
UPDATE_URI="https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update"

100  7811  100  7811    0     0  19247      0 --:--:-- --:--:-- --:--:-- 31244

[splurglepoof]

pi@raspcam /tmp $ curl -V
curl 7.26.0 (arm-unknown-linux-gnueabihf) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: Debug GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

Same curl same remote host: works for you, not for me. Different version of curl on debian desktop works.

Here is curl -v

pi@raspcam /tmp $ curl -v https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update
* About to connect() to raw.githubusercontent.com port 443 (#0)
* Trying 23.235.47.133...
* Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

[popcornmix]

So I get a different PI address:

$ curl -v https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update |head
* About to connect() to raw.githubusercontent.com port 443 (#0)
*   Trying 185.31.19.133...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* connected
* Connected to raw.githubusercontent.com (185.31.19.133) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):

What about:

curl -v --resolve raw.githubusercontent.com:443:185.31.19.133 https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update

Yours works for me:

curl -v --resolve raw.githubusercontent.com:443:23.235.47.133 https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update
* Added raw.githubusercontent.com:443:23.235.47.133 to DNS cache
* Hostname was found in DNS cache
*   Trying 23.235.47.133...
* Connected to raw.githubusercontent.com (23.235.47.133) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/cacert.pem
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=www.github.com
*    start date: 2014-02-25 00:00:00 GMT
*    expire date: 2015-03-02 12:00:00 GMT
*    subjectAltName: raw.githubusercontent.com matched
*    issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance CA-3
*    SSL certificate verify ok.
> GET /Hexxeh/rpi-update/master/rpi-update HTTP/1.1
> User-Agent: curl/7.39.0
> Host: raw.githubusercontent.com
> Accept: */*

[splurglepoof]

Trying HTP instead of HTTPS:

pi@raspcam /tmp $ curl -v http://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update
* About to connect() to raw.githubusercontent.com port 80 (#0)
* Trying 199.27.79.133...
* connected
* Connected to raw.githubusercontent.com (199.27.79.133) port 80 (#0)
> GET /Hexxeh/rpi-update/master/rpi-update HTTP/1.1
> User-Agent: curl/7.26.0
> Host: raw.githubusercontent.com
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 404 Not Found
< Server: GitHub.com
< Content-Type: text/html; charset=utf-8
< Content-Length: 9152
< Accept-Ranges: bytes
< Date: Sun, 07 Dec 2014 17:44:34 GMT
< Via: 1.1 varnish
< Age: 0
< Connection: keep-alive
< X-Served-By: cache-lax1422-LAX
< X-Cache: MISS
< X-Cache-Hits: 0
< X-Timer: S1417974274.561996,VS0,VE68
< Vary: Accept-Encoding
<
<!DOCTYPE html>
< html >
< head >
< meta http-equiv="Content-type" content="text/html; charset=utf-8" >
< title>Page not found &middot; GitHub Pages</title >
< style type="text/css" media="screen" >
...

[splurglepoof]

pi@raspcam /tmp $ curl -v --resolve raw.githubusercontent.com:443:185.31.19.133 https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update
* Added raw.githubusercontent.com:443:185.31.19.133 to DNS cache
* About to connect() to raw.githubusercontent.com port 443 (#0)
* Trying 185.31.19.133...
* Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

I'm getting the idea that it is a certificate/HTTPS protocol problem.

[popcornmix]

curl --insecure
curl --L
(or any other options from curl --help)?

[splurglepoof]

Neither -k nor -L had any effect.

When trying curl -v --resolve raw.githubusercontent.com:443:185.31.19.133 https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update

pi@raspcam /tmp $ sudo tcpdump -i eth0 -s 1024 -vvv -X host 185.31.19.133
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1024 bytes
08:08:04.422043 IP (tos 0x0, ttl 64, id 19067, offset 0, flags [DF], proto TCP (6), length 60) raspcam.16paws.com.53357 > 185.31.19.133.https: Flags [S], cksum 0xd7de (incorrect -> 0xe2d0), seq 3668545551, win 29200, options [mss 1460,sackOK,TS val 68803188 ecr 0,nop,wscale 6], length 0
0x0000: 4500 003c 4a7b 4000 4006 1891 0a00 010c E..<J{@.@.......
0x0010: b91f 1385 d06d 01bb daa9 900f 0000 0000 .....m..........
0x0020: a002 7210 d7de 0000 0204 05b4 0402 080a ..r.............
0x0030: 0419 da74 0000 0000 0103 0306 ...t........
08:08:04.422648 IP (tos 0x10, ttl 64, id 29122, offset 0, flags [DF], proto TCP (6), length 40) 185.31.19.133.https > raspcam.16paws.com.53357: Flags [R.], cksum 0x9b3d (correct), seq 0, ack 3668545552, win 0, length 0
0x0000: 4510 0028 71c2 4000 4006 f14d b91f 1385 E..(q.@[email protected]....
0x0010: 0a00 010c 01bb d06d 0000 0000 daa9 9010 .......m........
0x0020: 5014 0000 9b3d 0000 0000 0000 0000 P....=........

[splurglepoof]

Yeah, so "nothing" hasn't worked either. So thanks for that.

Niether does midori nor iceweasel: "Cannot connect to destination (www.google.com)"

However, connecting to '''http://74.125.224.148''' works just fine. IPv6 is disabled. Other websites, internal and external, that use plain HTTP seem to work fine. But google, like most everyone else, is moving to HTTPS, and that is where the wheels come off the rpi wagon.

nslookup works, pings work, and yet, at the application level, raspberrian/rasperry pi is nearly nonfunctional and useless on the web. The common denominator appears to be SSL, but I don't have time to dig into that bottomless rabbit hole. It seems that I must be the only person on the planet with this problem, so there is no point addressing it. This was my first, and likely my last, attempt to use the raspberry pi hardware for anything interesting. It works OK as a webcam on my internal network, and I guess that's about all it good for. It is a toy.

[Ruffio]

@splurglepoof so this can be closed?

[popcornmix]

rpi-update just uses curl for network access. It sounds like a general networking/DNS issue, and would be better discussed in the forum.