Package: onionprobe
Version: 1.2.0+ds-1
Severity: normal
Tags: upstream patch

Hello,

I've just tried setting up onionprobe 1.2.0 on a trixie host to make it monitor a .onion service with https (on port 443). After some delay, onionprobe checked the site and showed the following errors:

May 12 20:13:48 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:48,480 INFO: Trying to do a TLS connection to v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443 (attempt 1)...
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:50,194 INFO: TLS connection succeeded at v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:50,194 INFO: Retrieving certificate information for v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion on port 443
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:212: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: not_valid_before = cert.not_valid_before.timestamp()
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:213: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: not_valid_after = cert.not_valid_after.timestamp()
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:142: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 'notAfter' : cert.not_valid_after.replace(
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:144: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 'notBefore' : cert.not_valid_before.replace(
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: /usr/lib/python3/dist-packages/onionprobe/certificate.py:177: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: not_valid_after = cert.not_valid_after.replace(tzinfo=timezone.utc).timestamp()
May 12 20:13:50 hetzner-nbg1-01 onionprobe[584091]: 2025-05-12 20:13:50,198 ERROR: module 'ssl' has no attribute 'match_hostname'


The result is a metric onion_service_valid_certificate exported to prometheus with a value of 2, indicating that the certificate is invalid, but curl is able to reach the website without errors. Really, the issue seems to be that the code failed to run its verification.

Upstream has already addressed the errors above, so we could backport the patches:

https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/commit/26b18404cdd3bb64d73eba0df6b09b014232d3ae

https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/merge_requests/110/commits


cheers!

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.22-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages onionprobe depends on:
ii  adduser                    3.150
ii  init-system-helpers        1.68
ii  python3                    3.13.3-1
ii  python3-cryptography       43.0.0-2
ii  python3-prometheus-client  0.21.1+ds1-1
ii  python3-requests           2.32.3+dfsg-5
ii  python3-socks              1.7.1+dfsg-1
pn  python3-stem               <none>
ii  python3-yaml               6.0.2-1+b2
ii  tor                        0.4.8.16-1

onionprobe recommends no packages.

Versions of packages onionprobe suggests:
pn  prometheus  <none>
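
The failure mode in the report above (a probe that cannot run its hostname check and ends up reporting the certificate as invalid) can be reproduced offline with the standard library alone. The following is an added example, not part of the original report and not the upstream onionprobe patch; the function names, the three state names and the sample certificate are assumptions made for illustration.

```python
import ssl

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.onion"), ("DNS", "*.example.onion")),
}
SAMPLE_NOW = 1747080830  # constructed: 2025-05-12 20:13:50 UTC as epoch seconds


def _name_matches(pattern, hostname):
    """Compare one dNSName entry; '*' is honoured only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_first, _, p_rest = p.partition(".")
    h_first, _, h_rest = h.partition(".")
    return p_first == "*" and "*" not in p_rest and bool(h_first) and p_rest == h_rest


def hostname_matches(cert, hostname):
    """Stand-in for ssl.match_hostname(), which Python 3.12 removed."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(name, hostname) for name in names)


def removed_api(cert, hostname):
    """Simulates the failure in the log above, whatever Python version runs this."""
    raise AttributeError("module 'ssl' has no attribute 'match_hostname'")


def check_certificate(cert, hostname, now, matcher=hostname_matches):
    """Return 'valid', 'invalid' or 'check_error' (hypothetical state names)."""
    try:
        # ssl.cert_time_to_seconds() reads the GMT strings as UTC epoch seconds,
        # so no naive datetime objects are involved.
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        in_window = not_before <= now <= not_after
        return "valid" if in_window and matcher(cert, hostname) else "invalid"
    except Exception:
        # The probe could not run: report that separately from a bad certificate.
        return "check_error"
```

Passing `matcher=removed_api` yields `check_error` rather than `invalid`, which keeps a broken probe distinguishable from a bad certificate in the exported metric.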
