[Bug 2046818] Re: APT: certificate validation failed (LE certificate)

Tuukka Pasanen 2046818 at bugs.launchpad.net
Tue Dec 19 09:58:07 UTC 2023


The issue can be tested on 22.04 (Jammy) with the gnutls-cli tool: gnutls-cli
mariadb.gb.ssimn.org, which gives the same error.

On Debian 23.04 (Lunar) the issue has been patched from the upstream issue:
https://gitlab.com/gnutls/gnutls/-/issues/1335 and Debian Salsa patches.

I've tested and these patches work just fine on 22.04 also.

** Bug watch added: gitlab.com/gnutls/gnutls/-/issues #1335
   https://gitlab.com/gnutls/gnutls/-/issues/1335

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2046818

Title:
  APT: certificate validation failed (LE certificate)

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Hi!
  I am not sure if this is the correct place or package to report the issue to (maybe apt-transport-https or libgnutls?).

  Anyway, the https://mariadb.gb.ssimn.org/ mirror cannot be used by
  APT and gives the following error:

  W: Failed to fetch https://mariadb.gb.ssimn.org/repo/11.3/ubuntu/dists/jammy/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 81.0.219.146 443]
  W: Some index files failed to download. They have been ignored, or old ones used instead.

  But the Let's Encrypt certificate looks OK and wget or curl can
  establish a TLS connection without problems, see below and
  https://mariadb.gb.ssimn.org/.

  This has been tested on Ubuntu 18.04 and Ubuntu 22.04 with the
  following commands (see
  https://mariadb.org/download/?t=repo-config&d=22.04+%22jammy%22&v=11.3+%5BRC%5D&r_m=starburst):

  $ podman run -it ubuntu:22.04 bash
  root@288e75580b84:/# apt update
  root@288e75580b84:/# apt-get install apt-transport-https curl
  root@288e75580b84:/# mkdir -p /etc/apt/keyrings
  root@288e75580b84:/# curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'

  Add the following in the `/etc/apt/sources.list.d/mariadb.sources`:

  # MariaDB 11.3 [RC] repository list - created 2023-12-18 15:09 UTC
  # https://mariadb.org/download/
  X-Repolib-Name: MariaDB
  Types: deb
  URIs: https://mariadb.gb.ssimn.org/repo/11.3/ubuntu
  Suites: jammy
  Components: main main/debug
  Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp

  Apt update fails but curl works:

  root@288e75580b84:/# curl -o /tmp/PublicKey https://mariadb.gb.ssimn.org/PublicKey
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 14928  100 14928    0     0  97876      0 --:--:-- --:--:-- --:--:-- 98210

  I am not able to reproduce this either on Debian (10/11/12) or Ubuntu
  23.04.

  Regards,
  Faustin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2046818/+subscriptions



