[CentOS] Permission denied when updating CentOS 8 Streams

Fri Feb 19 15:21:40 UTC 2021
Stephen John Smoogen <smooge at gmail.com>

On Fri, 19 Feb 2021 at 09:47, Simon Matter <simon.matter at invoca.ch> wrote:

> > On Fri, 19 Feb 2021, Mathieu Baudier wrote:
> >
> >> Hello,
> >>
> >> On a remote server (in an IPv6-only infrastructure) I am getting the
> >> following error when trying to update CentOS 8 Streams x86_64:
> >>
> >> $ sudo dnf upgrade --refresh
> >> Failed to set locale, defaulting to C.UTF-8
> >> CentOS Stream 8 - AppStream                     0.0  B/s |   0  B     00:16
> >> Errors during downloading metadata for repository 'appstream':
> >>  - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> >> Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> >
> > Try using an https:// URL.
>
> Are you sure? At least from here over IPv4, http works well but https
> doesn't work at all. Sounds strange if http would work only over IPv4 and
> https would work only over IPv6.
>
>
It wouldn't work anyway because CentOS mirrors do not have https. I tried
this from my home system:
```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" \
    "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" \
    "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do \
    curl -v6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock"; \
    done
*   Trying 2001:4178:5:200::10:443...
* connect to 2001:4178:5:200::10 port 443 failed: Permission denied
* Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
*   Trying 2600:1f16:c1:5e01:4180:6610:5482:c1c0:443...
* connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443 failed: Permission denied
* Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
*   Trying 2604:1380:2001:d00::3:443...
* connect to 2604:1380:2001:d00::3 port 443 failed: Permission denied
* Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
*   Trying 2604:1580:fe02:2::10:443...
* connect to 2604:1580:fe02:2::10 port 443 failed: Permission denied
* Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
*   Trying 2604:1380:1001:6c00::1:443...
* connect to 2604:1380:1001:6c00::1 port 443 failed: Permission denied
* Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```

Removing the -v gives the following error:
```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" \
    "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" \
    "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do \
    curl -6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock"; \
    done
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```

Notice that the permission denied is different from what was reported in
the original email. I am not sure why that is.

If I change that from https: to http all of the IP addresses work. So my
guess is that something is blocking the originator IP to those mirror
servers but it isn't clear what.


-- 
Stephen J Smoogen.
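
The per-address test in this message, as an added sketch that is not part of the original e-mail: it probes each IPv6 address on both http and https and labels the curl failure by the layer that most likely produced it. It assumes Linux and curl; the function names and category labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies curl connect failures.
# Function names and category labels are hypothetical.

# Map curl's error text to the most likely source of the failure.
classify_connect_error() {
  case "$1" in
    "") echo "connected" ;;
    # EACCES from connect(2): a filter actively rejected the attempt.
    # On Linux this is a local firewall rule or SELinux denial, or an
    # ICMPv6 "administratively prohibited" reply from a firewall on the
    # path or at the target.
    *"Permission denied"*) echo "policy-reject" ;;
    # TCP RST or ICMPv6 port-unreachable: host reached, port not open.
    *"Connection refused"*) echo "remote-refused" ;;
    # No reply at all: packets silently dropped somewhere.
    *"timed out"*|*"Timeout was reached"*) echo "dropped" ;;
    # No route, or an ICMPv6 address/network unreachable reply.
    *"Network is unreachable"*|*"No route to host"*) echo "unreachable" ;;
    # TCP connected but a later step failed (TLS, HTTP), or unrecognised.
    *) echo "other" ;;
  esac
}

# probe <ipv6-address> <http|https>: prints one result line per attempt.
probe() {
  err=$(curl -6 -sS -o /dev/null --connect-timeout 5 "$2://[$1]/" 2>&1) || true
  printf '%-42s %-5s %s\n' "$1" "$2" "$(classify_connect_error "$err")"
}

# Usage: sh probe.sh <ipv6-address>...  (with no arguments nothing is probed)
for addr in "$@"; do
  probe "$addr" http
  probe "$addr" https
done
```

A `policy-reject` on https next to `connected` on http for the same address means the port is being filtered rather than the host being unreachable; running the same probe from the affected server and from a second network shows whether the filter is local to the server.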