[Bug 2046818] Re: APT: certificate validation failed (LE certificate)

Faustin 2046818 at bugs.launchpad.net
Mon Dec 18 15:33:43 UTC 2023 

** Description changed:

  Hi!
  I am not sure if this is the correct place or package to report the issue to (maybe apt-transport-https or libgnutls?).
  
  Anyway, the https://mariadb.gb.ssimn.org/ mirror can not be used by APT
  and gives the following error:
  
  W: Failed to fetch https://mariadb.gb.ssimn.org/repo/11.3/ubuntu/dists/jammy/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 81.0.219.146 443]
  W: Some index files failed to download. They have been ignored, or old ones used instead.
  
  But the Let's Encrypt certificate looks OK and wget or curl can
  establish TLS connection without pb, see below and
  https://mariadb.gb.ssimn.org/.
  
  This has been tested on Ubuntu 18.04 and Ubuntu 22.04 with the following
  commands (see https://mariadb.org/download/?t=repo-
  config&d=22.04+%22jammy%22&v=11.3+%5BRC%5D&r_m=starburst):
  
  $ podman run -it ubuntu:22.04 bash
  root at 288e75580b84:/# apt update
  root at 288e75580b84:/# apt-get install apt-transport-https curl
  root at 288e75580b84:/# mkdir -p /etc/apt/keyrings
- root at 288e75580b84:/# curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org mariadb_release_signing_key.pgp'
- 
+ root at 288e75580b84:/# curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'
  
  Add the following in the `/etc/apt/sources.list.d/mariadb.sources`:
  
  # MariaDB 11.3 [RC] repository list - created 2023-12-18 15:09 UTC
  # https://mariadb.org/download/
  X-Repolib-Name: MariaDB
  Types: deb
  URIs: https://mariadb.gb.ssimn.org/repo/11.3/ubuntu
  Suites: jammy
  Components: main main/debug
  Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp
  
  Apt update fails but curl works:
  
  root at 288e75580b84:/# curl -o /tmp/PublicKey https://mariadb.gb.ssimn.org/PublicKey
-   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-                                  Dload  Upload   Total   Spent    Left  Speed
+   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                  Dload  Upload   Total   Spent    Left  Speed
  100 14928  100 14928    0     0  97876      0 --:--:-- --:--:-- --:--:-- 98210
  
  I am not able to reproduce this either on Debian (10/11/12) or Ubuntu
  23.04.
  
  Regards,
  Faustin

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2046818

Title:
  APT: certificate validation failed (LE certificate)

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Hi!
  I am not sure if this is the correct place or package to report the issue to (maybe apt-transport-https or libgnutls?).

  Anyway, the https://mariadb.gb.ssimn.org/ mirror can not be used by
  APT and gives the following error:

  W: Failed to fetch https://mariadb.gb.ssimn.org/repo/11.3/ubuntu/dists/jammy/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 81.0.219.146 443]
  W: Some index files failed to download. They have been ignored, or old ones used instead.

  But the Let's Encrypt certificate looks OK and wget or curl can
  establish TLS connection without pb, see below and
  https://mariadb.gb.ssimn.org/.

  This has been tested on Ubuntu 18.04 and Ubuntu 22.04 with the
  following commands (see https://mariadb.org/download/?t=repo-
  config&d=22.04+%22jammy%22&v=11.3+%5BRC%5D&r_m=starburst):

  $ podman run -it ubuntu:22.04 bash
  root at 288e75580b84:/# apt update
  root at 288e75580b84:/# apt-get install apt-transport-https curl
  root at 288e75580b84:/# mkdir -p /etc/apt/keyrings
  root at 288e75580b84:/# curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'

  Add the following in the `/etc/apt/sources.list.d/mariadb.sources`:

  # MariaDB 11.3 [RC] repository list - created 2023-12-18 15:09 UTC
  # https://mariadb.org/download/
  X-Repolib-Name: MariaDB
  Types: deb
  URIs: https://mariadb.gb.ssimn.org/repo/11.3/ubuntu
  Suites: jammy
  Components: main main/debug
  Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp

  Apt update fails but curl works:

  root at 288e75580b84:/# curl -o /tmp/PublicKey https://mariadb.gb.ssimn.org/PublicKey
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 14928  100 14928    0     0  97876      0 --:--:-- --:--:-- --:--:-- 98210

  I am not able to reproduce this either on Debian (10/11/12) or Ubuntu
  23.04.

  Regards,
  Faustin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2046818/+subscriptions

More information about the foundations-bugs mailing list