misterperl has asked for the wisdom of the Perl Monks concerning the following question:

CPAN said I had an update this morning, so I performed it, to v2.36 . I THINK the previous version was around 1.96. I'm not sure because on the older systems, the command
linux> cpan -v
linux>
does just that (nothing, no error, but no version either). On the updated system it reports v.2.36

Since the update, when I try to do almost anything, I get this message:

CPAN: Net::SSLeay loaded ok (v1.55)
CPAN: IO::Socket::SSL loaded ok (v2.056)
Fetching with HTTP::Tiny:
https://cpan.org/authors/01mailrc.txt.gz
HTTP::Tiny failed with an internal error: SSL connection failed for cpan.org: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
I talked to CHATBOT AI, who suggested I edit ~/.cpan/CPAN/MyConfig.pm and change 'urllist' => [qhttps://cpan.org/] </code>to'urllist' => [q[http://cpan.org/]] (remove the "s") which I did; no effect.

I also tried to change it to both of these:

'urllist' => [q[http://metacpan.org/]] and 'urllist' => [q[http://cpantesters.org/]]
But the error remained. It STILL looked in https://cpan.org, no matter WHAT I set that line to.

I also deleted /.cpan/BUILD , which chatbotAI said would kill the cache. No change, still the same error. It's ignoring the config changes. Yet when I rm -f .cpan, it rebuilds it THERE. So it does expect the config to be there. I'm doing all of this as root. I also did an updatedb and then locate on .cpan and the only one on the box is under ~/. Surprisingly, even

cpan -M https://cpan.cpantesters.org/ Crypt::RSA
results in the same error and STILL looks in cpan.org!
Fetching with HTTP::Tiny: https://cpan.org/modules/02packages.details.txt.gz

Friday, I have a ton of code to write, and down this rabbit-hole was the LAST thing I needed! Help is most appreciated- even help on going BACK to v1.9x ?

Re: CPAN broken after update
by hippo (Archbishop) on May 19, 2023 at 16:05 UTC
    I THINK the previous version was around 1.96

    1.96 is 12 years old. That's quite an upgrade jump.

    HTTP::Tiny failed with an internal error: SSL connection failed for cpan.org: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

    Have you also upgraded Mozilla::CA? You can do that by hand, it's pretty simple. Might be a bigger task if you also have to upgrade IO::Socket::SSL and/or Net::SSLeay and/or your O/S openssl libs.

    Try a simple openssl s_client -servername cpan.org -connect cpan.org:443 </dev/null and see if your O/S can even connect first.


    🦛

      I get this:
      openssl s_client -servername cpan.org -connect cpan.org:443 </dev/null
      . . .
      Start Time: 1684513153
      Timeout : 300 (sec)
      Verify return code: 10 (certificate has expired)
      ---
      DONE
      Is that the cert on my side or on the cpan side? Do I need to gen a new self-signed cert? I hate to get into that on a Friday who knows what sort of chaos might ensue!?

        Well, I don't know how you achieved that because the cert is absolutely in date.

        Here's my output in full:

        CONNECTED(00000003)
        depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
        verify return:1
        depth=1 C = US, O = Let's Encrypt, CN = R3
        verify return:1
        depth=0 CN = cpan.org
        verify return:1
        ---
        Certificate chain
         0 s:CN = cpan.org
           i:C = US, O = Let's Encrypt, CN = R3
         1 s:C = US, O = Let's Encrypt, CN = R3
           i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
         2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
           i:O = Digital Signature Trust Co., CN = DST Root CA X3
        ---
        Server certificate
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        subject=CN = cpan.org
        issuer=C = US, O = Let's Encrypt, CN = R3
        ---
        No client certificate CA names sent
        Peer signing digest: SHA256
        Peer signature type: RSA-PSS
        Server Temp Key: X25519, 253 bits
        ---
        SSL handshake has read 4562 bytes and written 392 bytes
        Verification: OK
        ---
        New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
        Server public key is 2048 bit
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        Early data was not sent
        Verify return code: 0 (ok)
        ---
        DONE

        Are you behind a proxy or something?


        🦛

Re: CPAN broken after update
by Corion (Patriarch) on May 19, 2023 at 16:06 UTC

    Your machine / resp. HTTP::Tiny cannot verify the SSL certificates, and the new CPAN really wants to do that.

    My suggestion is to install appropriately recent SSL certificates, or to restore CPAN.pm from backup, or if that's not possible, to install an older version of CPAN.pm which does not verify SSL certificates.

      Thanks guys I know the real fix is to get the SSL certs working as they should. But for today, can you suggest how to connect with http? I tried two methods (in thread) changing the config, and -M, neither works?

        Given the urgency can't you just use cpanm to install what you need, and address the cpan issue later (if still required at all after using cpanm)?

      I copied CPAN.pm from an old system (1.98) but have the exact same error. Strangely.. And CPAN works on that system.. But it is not behind a proxy....
Re: CPAN broken after update
by kcott (Archbishop) on May 19, 2023 at 16:48 UTC

    G'day misterperl,

    "CPAN said I had an update this morning, so I performed it, to v2.36 ."

    Thanks for the heads-up. 😉 CPAN is indeed showing version 2.36 (updated 4 days ago). In response, I did the following:

    ken@titan ~/tmp
    $ cpan
    ...
    cpan[1]> install CPAN
    ...
      ANDK/CPAN-2.36.tar.gz
      /usr/bin/make install -- OK
    cpan[2]> q
    $ perl -MCPAN -E 'say $CPAN::VERSION'
    2.36
    $ cpan -v
    /home/ken/perl5/perlbrew/perls/perl-5.36.0/bin/cpan script version 1.678, CPAN.pm version 2.36

    ken@titan ~/tmp
    $ cpan
    ...
    cpan[1]> o conf urllist
        urllist
            0 [https://www.cpan.org/]
            1 [https://cpan.metacpan.org/]
    ...
    cpan[2]> q
    $ ls -l ~/.cpan/CPAN/MyConfig.pm
    -rw-r--r-- 1 ken None 2286 May 31 2022 /home/ken/.cpan/CPAN/MyConfig.pm
    $ grep urllist ~/.cpan/CPAN/MyConfig.pm
      'urllist' => [q[https://www.cpan.org/], q[https://cpan.metacpan.org/]],
    $ perl -v | head -2 | tail -1
    This is perl 5, version 36, subversion 0 (v5.36.0) built for cygwin-thread-multi
    $ which perl
    /home/ken/perl5/perlbrew/perls/perl-5.36.0/bin/perl
    $ which cpan
    /home/ken/perl5/perlbrew/perls/perl-5.36.0/bin/cpan

    So, everything worked for me. Unfortunately, "I performed it", "when I try to do almost anything", and similarly vague statements, do not help us to help you. Please provide something along the same lines as I've shown above; then we'll have concrete information to work with.

    Please also use the "preview" button as many times as necessary to fix your markup; only then use the "create" button.

    If you're making changes, but they don't seem to be taking effect, it's possible that some misalignment is occurring between perl and cpan. See my "which" commands above which show perl and cpan in the same directory.

    See also the vulnerability "CVE-2020-16156: CPAN 2.28 allows Signature Verification Bypass" and, linked from there, "Addressing CPAN vulnerabilities related to checksums" which explains the problem and how to fix it.

    You could also look at "CPAN Testers Matrix: CPAN 2.36" to see if others, with the same O/S and Perl version as you have, are experiencing any problems.

    Another place to check is "Active bugs for CPAN". There are a lot there; I'll leave you to wade through them to see if anything matches your problem.

    — Ken

      I think its my proxy / SSL issues. Might be firewall. I did edit/PREVIEW like 21 times so its as pretty as I could get it! TY
        "I did edit/PREVIEW like 21 times so its as pretty as I could get it!"

        I see these outstanding problems in your OP:

        "'urllist' => [qhttps://cpan.org/]"

        Square brackets ([...]) automatically generate a link within any markup except <code>...</code>, or equivalent <c>...</c>, tags. See "What shortcuts can I use for linking to other information?" for details.

        Better markup would've been

        <c>'urllist' => [q[https://cpan.org/]]</c>

        which renders as 'urllist' => [q[https://cpan.org/]]

        "</code>"

        You're missing an opening <code> tag. It actually looks like adding that, before "'urllist' => ...", would've fixed the issue above.

        "I also deleted /.cpan/BUILD , ...<multiple paragraphs and code blocks>... BACK to v1.9x ?"

        All of that is a later addition to your post. It wasn't there when I responded to what you originally posted. You need to provide advice of such changes. See "How do I change/delete my post?" for details.

        — Ken

Re: CPAN broken after update
by Anonymous Monk on May 20, 2023 at 19:06 UTC

    Note that modern versions of the CPAN client ignore urllist unless pushy_https is explicitly set false.

      ++ That's a very good point. I probably should've included in my original response:

      ken@titan ~/tmp
      $ cpan
      ...
      cpan[1]> o conf pushy_https
          pushy_https        [0]
      ...

      — Ken
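
The behaviour noted in the reply above explains why editing urllist alone changed nothing in the original question. As an added example (not part of any post in this thread), the shell functions below read a MyConfig.pm and report whether its urllist will be used; the sample configs are constructed, and the helper names and the one-key-per-line layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Rule applied, as stated in the reply
# above: CPAN.pm ignores urllist unless pushy_https is explicitly false.
# Assumes MyConfig.pm keeps each key on one line, as in the posts here.

# Print the value of a scalar key written as:  'key' => q[value],
cpan_conf_scalar() {   # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*q\[\([^]]*\)].*/\1/p" "$1" | tail -n 1
}

# Print each mirror in 'urllist' => [q[...], q[...]], one URL per line.
cpan_conf_urllist() {  # $1 = config file
    grep "^[[:space:]]*'urllist'" "$1" | grep -o 'q\[[^]]*]' | sed 's/^q\[//; s/]$//'
}

# Say which mirrors the client will really use, and flag plaintext ones.
cpan_mirror_mode() {   # $1 = config file
    if ! grep -q "^[[:space:]]*'pushy_https'" "$1"; then
        echo "pushy: pushy_https not set, urllist ignored"
        return 0
    fi
    case "$(cpan_conf_scalar "$1" pushy_https)" in
        0|'') ;;   # Perl-false value: urllist is honoured
        *) echo "pushy: pushy_https is true, urllist ignored"; return 0 ;;
    esac
    plain=$(cpan_conf_urllist "$1" | grep -c '^http://' || true)
    total=$(cpan_conf_urllist "$1" | grep -c . || true)
    echo "urllist: $total mirror(s) honoured, $plain over plaintext http"
}

# Constructed sample configs: the urllist edit alone, then with pushy_https off.
demo=$(mktemp -d)
cat > "$demo/edited.pm" <<'EOF'
$CPAN::Config = {
  'urllist' => [q[http://cpan.org/]],
};
EOF
cat > "$demo/pushy_off.pm" <<'EOF'
$CPAN::Config = {
  'pushy_https' => q[0],
  'urllist' => [q[http://cpan.org/], q[https://cpan.metacpan.org/]],
};
EOF
cpan_mirror_mode "$demo/edited.pm"
cpan_mirror_mode "$demo/pushy_off.pm"
rm -rf "$demo"
```

When the report counts plaintext http mirrors, downloads from those mirrors are no longer protected by TLS certificate verification.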

Re: CPAN broken after update
by Anonymous Monk on May 25, 2023 at 05:23 UTC

    You can set the proxy server like this:

    > cpan
    > o conf http_proxy http://silly.corp.proxy:80/