[Bug 2046818] Re: APT: certificate validation failed (LE certificate)
Julian Andres Klode
2046818 at bugs.launchpad.net
Wed Jan 22 14:18:52 UTC 2025
** Also affects: gnutls28 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apt (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: gnutls28 (Ubuntu)
Status: New => Fix Released
** Also affects: apt (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: gnutls28 (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: apt (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: gnutls28 (Ubuntu Jammy)
Importance: Undecided
Status: New
** No longer affects: apt (Ubuntu Focal)
** No longer affects: apt (Ubuntu Jammy)
** Tags added: rls-jj-incoming
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2046818
Title:
APT: certificate validation failed (LE certificate)
Status in apt package in Ubuntu:
Fix Released
Status in gnutls28 package in Ubuntu:
Fix Released
Status in gnutls28 source package in Focal:
New
Status in gnutls28 source package in Jammy:
New
Bug description:
Hi!
I am not sure if this is the correct place or package to report the issue to (maybe apt-transport-https or libgnutls?).
Anyway, the https://mariadb.gb.ssimn.org/ mirror can not be used by
APT and gives the following error:
W: Failed to fetch https://mariadb.gb.ssimn.org/repo/11.3/ubuntu/dists/jammy/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 81.0.219.146 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
But the Let's Encrypt certificate looks OK and wget or curl can
establish a TLS connection without problems, see below and
https://mariadb.gb.ssimn.org/.
This has been tested on Ubuntu 18.04 and Ubuntu 22.04 with the
following commands (see https://mariadb.org/download/?t=repo-config&d=22.04+%22jammy%22&v=11.3+%5BRC%5D&r_m=starburst):
$ podman run -it ubuntu:22.04 bash
root@288e75580b84:/# apt update
root@288e75580b84:/# apt-get install apt-transport-https curl
root@288e75580b84:/# mkdir -p /etc/apt/keyrings
root@288e75580b84:/# curl -o /etc/apt/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'
Add the following in the `/etc/apt/sources.list.d/mariadb.sources`:
# MariaDB 11.3 [RC] repository list - created 2023-12-18 15:09 UTC
# https://mariadb.org/download/
X-Repolib-Name: MariaDB
Types: deb
URIs: https://mariadb.gb.ssimn.org/repo/11.3/ubuntu
Suites: jammy
Components: main main/debug
Signed-By: /etc/apt/keyrings/mariadb-keyring.pgp
Apt update fails but curl works:
root@288e75580b84:/# curl -o /tmp/PublicKey https://mariadb.gb.ssimn.org/PublicKey
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 14928 100 14928 0 0 97876 0 --:--:-- --:--:-- --:--:-- 98210
I am not able to reproduce this either on Debian (10/11/12) or Ubuntu
23.04.
Regards,
Faustin
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2046818/+subscriptions