
#1 2021-10-02 20:23:54

dmitrymyadzelets
Member
Registered: 2017-12-30
Posts: 8

[SOLVED] apt update - server certificate verification failed

Couldn't find what to do. Seems like a serious malfunction.

Linux  4.9.0-15-686-pae #1 SMP Debian 4.9.258-1 (2021-03-08) i686 GNU/Linux

Hit:1 http://deb.debian.org/debian stretch-backports InRelease
Ign:3 https://deb.debian.org/debian stretch InRelease
Hit:2 http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease
Ign:4 https://pkg.bunsenlabs.org/debian helium InRelease
Ign:5 https://deb.debian.org/debian-security stretch/updates InRelease
Ign:6 https://deb.debian.org/debian stretch-updates InRelease
Err:7 https://pkg.bunsenlabs.org/debian helium Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Err:8 https://deb.debian.org/debian stretch Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Err:9 https://deb.debian.org/debian-security stretch/updates Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Err:10 https://deb.debian.org/debian stretch-updates Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
E: The repository 'https://pkg.bunsenlabs.org/debian helium Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://deb.debian.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://deb.debian.org/debian-security stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://deb.debian.org/debian stretch-updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled

Last edited by twoion (2021-10-03 12:41:40)

Offline

#2 2021-10-02 20:58:00

twoion
一期一会
Registered: 2015-08-10
Posts: 3,355

Re: [SOLVED] apt update - server certificate verification failed

This seems to be a helium/stretch system, and you're using the HTTPS transport (https://).

All the sites that give you certificate verification errors use the Let's Encrypt SSL certificate authority, including BunsenLabs and the deb.debian.org CDN domain.

The old root certificate Let's Encrypt was using expired on September 30th, 2021. This is an epochal change. This means that all systems which do not include the updated CA root in the system's certificate store have started failing to validate sites that have Let's Encrypt certificates based on their updated CA on September 30th. You can read about it on the internet if you search for these terms.

Step 1: Change the https:// transport for all existing sources.list entries to http://.

Step 2: Try again.

However, you'll likely see more warnings/errors regarding missing distros because at least deb.debian.org/debian-security stretch/updates has also been retired by the Debian project. Try referencing the oldoldstable distro alias from here instead: http://security.debian.org/debian-security/dists/.

If you wanted to continue using this system with SSL properly working in apt and tools like curl, you'd need to look into adding the new Let's Encrypt CA into the system CA store. IDK if Debian have continued to update ca-certificates in oldoldstable aka stretch. You could try updating all packages and see if they have supplied an update.

Note that if you use Firefox builds by Mozilla directly, it won't have any problem, as Firefox/Chrome include their own certificate stores they validate against.

Perhaps I can look into this tomorrow and make an announcement post, as likely everybody on oldoldstable/helium will have seen this problem if they were using https:// apt sources.list for BL and/or Debian.

Online

#3 2021-10-03 00:22:35

DeepDayze
Like sands through an hourglass...
From: In Linux Land
Registered: 2017-05-28
Posts: 1,357

Re: [SOLVED] apt update - server certificate verification failed

Would there be a manual way to get the updated Let's Encrypt certificate imported and installed on older systems?


Real Men Use Linux

Offline

#4 2021-10-03 07:53:40

dmitrymyadzelets
Member
Registered: 2017-12-30
Posts: 8

Re: [SOLVED] apt update - server certificate verification failed

Step 1: Change the https:// transport for all existing sources.list entries to http://.
Step 2: Try again.

gives a little different output:

Ign:1 http://deb.debian.org/debian stretch InRelease
Hit:2 http://deb.debian.org/debian-security stretch/updates InRelease
Hit:3 http://deb.debian.org/debian stretch-updates InRelease
Hit:4 http://deb.debian.org/debian stretch-backports InRelease
Hit:5 http://deb.debian.org/debian stretch Release 
Hit:6 http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease
Ign:7 https://pkg.bunsenlabs.org/debian helium InRelease
Err:8 https://pkg.bunsenlabs.org/debian helium Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
E: The repository 'https://pkg.bunsenlabs.org/debian helium Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

The /var/apt/sources.list (original, with https) provided by the distribution:

deb https://deb.debian.org/debian stretch main non-free contrib
# Debian security updates
deb https://deb.debian.org/debian-security stretch/updates main contrib non-free
# stretch-updates, previously known as 'volatile'
deb https://deb.debian.org/debian stretch-updates main contrib non-free

An attempt to update the certificates:

> sudo apt install ca-certificates
ca-certificates is already the newest version (20200601~deb9u2).

Offline

#5 2021-10-03 09:44:36

twoion
一期一会
Registered: 2015-08-10
Posts: 3,355

Re: [SOLVED] apt update - server certificate verification failed

You need to change all https:// in sources.list from https to http, regardless of what they are. However:

I just tested a Debian stretch container, and it looks like their latest ca-certificates package works correctly with the latest Let's Encrypt CA root.

So, I recommend:

Download this package: https://security.debian.org/debian-secu … u2_all.deb, for example with a browser, and install the package, for example by double-clicking or running sudo dpkg -i /path/to/the/package.

Then, change the sources.list entries that reference "debian-security" to this:

deb https://security.debian.org/ stretch/updates main contrib non-free

Then pull all pending updates:

sudo apt-get update && sudo apt-get upgrade

The location of debian-security seems to have changed. This new domain is what they seem to be using now, see docs at https://www.debian.org/security/.

Online

#6 2021-10-03 11:42:30

dmitrymyadzelets
Member
Registered: 2017-12-30
Posts: 8

Re: [SOLVED] apt update - server certificate verification failed

I've done all that you've suggested, twoion.

Trying to pull the file directly

wget https://security.debian.org/debian-security/pool/main/c/ca-certificates/ca-certificates_20200601~deb9u2_all.deb

fails with the error:

ERROR: The certificate of ‘security.debian.org’ is not trusted.
ERROR: The certificate of ‘security.debian.org’ has expired.

I used another host to download the certificates, and installed it on the target host, though it doesn't look like there was any update:

Preparing to unpack ca-certificates_20200601~deb9u2_all.deb ...
Unpacking ca-certificates (20200601~deb9u2) over (20200601~deb9u2) ...
Setting up ca-certificates (20200601~deb9u2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.

Though the apt update fails, the apt upgrade does upgrade some packages.

I've done two or three runs of apt update && apt upgrade before it stopped failing.

Now I've changed back the protocols http to https in the sources.list file, and it works with no errors:

Hit:1 http://deb.debian.org/debian stretch-backports InRelease
Hit:2 http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease
Ign:3 https://deb.debian.org/debian stretch InRelease
Hit:4 https://deb.debian.org/debian stretch-updates InRelease
Hit:5 https://deb.debian.org/debian stretch Release
Hit:6 https://security.debian.org stretch/updates InRelease
Hit:7 https://eu.pkg.bunsenlabs.org/debian helium InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

The problem is solved. Thank you, twoion!

Offline

#7 2021-10-03 12:41:18

twoion
一期一会
Registered: 2015-08-10
Posts: 3,355

Re: [SOLVED] apt update - server certificate verification failed

Seems then it was a bad APT cache, or your system time was out of sync. Should've thought of time issues first.

Online

#8 2021-10-03 12:44:04

dmitrymyadzelets
Member
Registered: 2017-12-30
Posts: 8

Re: [SOLVED] apt update - server certificate verification failed

Concluding, if someone has the same problem, I'd suggest running "sudo apt update" and "sudo apt upgrade" 2-3 times. Every time some packages are installed, and this chained update seems to resolve the problem.

I was unaware of such behavior, and didn't run "apt upgrade" when "apt update" failed.

Offline

#9 2021-10-03 23:23:42

DeepDayze
Like sands through an hourglass...
From: In Linux Land
Registered: 2017-05-28
Posts: 1,357

Re: [SOLVED] apt update - server certificate verification failed

This sounds like a good fix, Twoion... this works on an old Stretch VM, after also making the changes to the sources.list. Looks like the Debian team has updated the "new" Stretch repos with the new certificates, so once the changes were made and apt is synced with it then future updates should work on these old systems.

Also the sources.list changes may need to be done if doing a clean stretch install.

Last edited by DeepDayze (2021-10-03 23:25:14)


Real Men Use Linux

Offline

#10 2021-10-08 06:48:23

cosysco
New Member
Registered: 2019-06-23
Posts: 1

Re: [SOLVED] apt update - server certificate verification failed

Hi dudes! These command lines can help; they work like a charm for this problem.

First: Disable HTTPS in sources.list AND bunsen.list config files.

sudo sed -i 's/https/http/g' /etc/apt/sources.list /etc/apt/sources.list.d/bunsen.list

Second: Update with bl-welcome

bl-welcome

or if you prefer with apt-get

sudo apt-get update && sudo apt-get upgrade

After that, enable HTTPS again in the config files just changed.

sudo sed -i 's/http/https/g' /etc/apt/sources.list /etc/apt/sources.list.d/bunsen.list

To finish and check, update again.

Cheers!

Last edited by cosysco (2021-10-08 06:52:59)

Offline
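
An added example, not part of any post in this thread or of BunsenLabs tooling: a reversible version of the temporary https-to-http switch that touches only the URI of active deb/deb-src lines and restores https only where it was originally set, so mirrors that were plain http to begin with are not flipped to https. APT keeps verifying the signed Release files over http (see apt-secure(8)), which is why the downgrade is tolerable as a short bootstrap step. The `# was-https` marker and the `.https-bak` suffix are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): reversible https -> http switch for
# one-line APT source entries. The "# was-https" marker and the ".https-bak"
# suffix are conventions invented for this sketch.

# downgrade FILE...: switch the URI of active deb/deb-src lines to http:// and
# tag each changed line, so comments and entries already on http stay as-is.
downgrade() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.https-bak"            # keep an untouched copy
        sed -E '/^[[:space:]]*deb(-src)?[[:space:]]/ s|^([^#]*[[:space:]])https://([^[:space:]]+)(.*)$|\1http://\2\3 # was-https|' \
            "$f.https-bak" > "$f"
    done
}

# restore FILE...: put https:// back on tagged lines only and drop the tag.
restore() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -E '/ # was-https$/ { s|^([^#]*[[:space:]])http://|\1https://|; s| # was-https$||; }' \
            "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
}

# Usage (script name is hypothetical):
#   sudo sh apt-transport.sh downgrade /etc/apt/sources.list /etc/apt/sources.list.d/bunsen.list
#   sudo apt-get update && sudo apt-get upgrade
#   sudo sh apt-transport.sh restore /etc/apt/sources.list /etc/apt/sources.list.d/bunsen.list
case "${1:-}" in
    downgrade|restore) cmd=$1; shift; "$cmd" "$@" ;;
esac
```
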

#11 2021-10-08 12:33:01

unklar
Back to the roots 1.9
From: #! BL
Registered: 2015-10-31
Posts: 1,581

Re: [SOLVED] apt update - server certificate verification failed

@cosysco

No.
The error remains even after that. :(

Offline
