[Bug 1973654] Re: Using debian-installer on a server with a Let's Encrypt cert dies

Alex Murray 1973654 at bugs.launchpad.net
Tue May 17 05:39:55 UTC 2022 

I believe this is caused by debootstrap - it only uses packages from the
release pocket (and this is frozen from the time Ubuntu 20.04 LTS was
originally released). This is a known issue
https://askubuntu.com/questions/744684/latest-security-updates-with-
debootstrap but I am not sure if there is much you can do to get debian-
installer to say use multistrap instead of debootstrap.

** Package changed: ca-certificates (Ubuntu) => debian-installer
(Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-installer in Ubuntu.
https://bugs.launchpad.net/bugs/1973654

Title:
  Using debian-installer on a server with a Let's Encrypt cert dies

Status in debian-installer package in Ubuntu:
  New

Bug description:
  While using debian-installer to install Ubuntu Focal, I get the
  following error:

      May 16 22:02:41 base-installer:   Certificate verification failed:
  The certificate is NOT trusted. The certificate chain uses expired
  certificate.  Could not handshake: Error in the certificate
  verification. [IP: 129.59.59.10 443]

  There was an issue in 2021, where the "DST_Root_CA_X3.crt" certificate
  used by Let's Encrypt expired.

      https://letsencrypt.org/docs/dst-root-ca-x3-expiration-
  september-2021/

  The problem is that the certificate is still included in the "ca-
  certificates_20190110ubuntu1_all.deb" that debian-installer fetches
  during install.

      May 16 22:02:17 debootstrap: Preparing to unpack .../ca-certificates_20190110ubuntu1_all.deb ...
      May 16 22:02:17 debootstrap: Unpacking ca-certificates (20190110ubuntu1) ...
      May 16 22:02:31 debootstrap: Setting up ca-certificates (20190110ubuntu1) ...
      May 16 22:02:40 debootstrap: Processing triggers for ca-certificates (20190110ubuntu1) ...
      May 16 22:02:40 debootstrap: Running hooks in /etc/ca-certificates/update.d...

  Because the certificate is expired, debian-installer dies with:

      May 16 22:02:41 base-installer:   Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]
  te is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]

  Can Ubuntu update the ca-certificate .deb pulled during install to one
  that does not have DST_Root_CA_X3.crt?   Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/1973654/+subscriptions

More information about the foundations-bugs mailing list