114

Running sudo apt-get update on my AWS EC2 Ubuntu 18.04.01 LTS instance fails:

Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown

when trying to access the deb.nodesource.com/node_10.x bionic Release

Here is the result after running sudo apt-get update:

Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Ign:3 https://deb.nodesource.com/node_10.x bionic InRelease
Get:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Err:5 https://deb.nodesource.com/node_10.x bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]
Get:6 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Reading package lists... Done
W: https://deb.nodesource.com/node_10.x/dists/bionic/InRelease: No system certificates available. Try installing ca-certificates.
W: https://deb.nodesource.com/node_10.x/dists/bionic/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://deb.nodesource.com/node_10.x bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

It seems like my current installation of Node.js is causing the problem.

I have tried installing and updating ca-certificates in etc/ssl/certs, however, this did not help. I'm not exactly sure how to proceed from here to resolve this issue.

I'm not looking for a quick workaround that would compromise the security of the server.

vvvvv
  • 878
Joe
  • 1,279

19 Answers

124

I experienced this error trying to add the keys for mongodb-org 4.0 to a docker container running Ubuntu 18.04. There was a problem with the certificates installed in this base image. I managed to fix it by installing ca-certificates:

sudo apt install ca-certificates
caffeinated.tech
  • 1,515
  • 1
  • 12
  • 10
42

For those still having this issue, here is a solution which I gleaned from the Ubuntu manpages.

The OP's post indicates a certificate verification error:

Err:5 https://deb.nodesource.com/node_10.x bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]

I was having similar issues on a VM which sits behind a corporate proxy. The proxy acts as a man-in-the-middle, decrypting and re-encrypting traffic as it flows through the proxy. Even though I had the trusted certificate installed on my VM for the proxy, this error was still happening, caused by an invalid OCSP response. To fix it, I ran this command:

touch /etc/apt/apt.conf.d/99verify-peer.conf \
&& echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

This disables apt's OCSP verification, and is not recommended.

I chose a different solution, which may not be available to others. Our company maintains a non-decrypting proxy for use cases like this, so I switched to using it.

WPWoodJr
  • 529
36

You can add [trusted=yes] in the sources.list. For example:

deb [trusted=yes] http://ppa.launchpad.net/repo_name/pkg/ubuntu vivid main
deb-src [trusted=yes] http://ppa.launchpad.net/repo_name/pkg/ubuntu vivid main
24

Make sure your date and time are set correctly.

Savlon
  • 349
11

This happened today to me on an old, poorly maintained Ubuntu 16 release.

The first problem was that the sources in /etc/apt were HTTP and not HTTPS, and they had been blocked. The HTTPS links failed verification, which was expected since I believe they use LetsEncrypt and they changed their certification path last October.

But I could not update ca-certificates because they were believed current -- and I could not make apt understand they weren't current because, you know, the update was not working.

So:

  1. Temporarily disable certificate verification by adding

    Acquire { https::Verify-Peer false }
    

    in /etc/apt/apt.conf.d/99verify-peer.conf.

  2. Run apt update to get the new ca-certificates info

  3. Run apt install ca-certificates

  4. Re-enable certificate verification

    Edit the file above and remove the peer-verification bypass. If the file is now empty, you may delete it.

Now everything should mostly work.

I then proceeded to clean the apt cache and run a full dist-upgrade. This, in turn, unlocked the do-release-upgrade command. It did not work completely the first time around; I had to run apt-get update again, clean unneeded packages, remove two packages that were conflicted, and update.

After a couple of hours and another release upgrade from 18, I got the system running Ubuntu 20.04-LTS and could reinstall the two missing packages from the previous stage. Everything is okay now.

muru
  • 207,228
LSerni
  • 523
  • 6
  • 9
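A check for step 4 of the answer above, as an added example that is not part of the original answer: it scans an apt configuration tree for settings that still switch off verification (Verify-Peer or Verify-Host set to false, or [trusted=yes] on a source line). The function names and the constructed sample tree are hypothetical; only whole-line // and # comments are skipped.

```sh
#!/bin/sh
# Added example: report apt settings that disable TLS or repository
# verification. Pass the apt directory to inspect (default: /etc/apt).

# apt.conf: https::Verify-Peer / Verify-Host set to a common "false" spelling
CONF_RE='verify-(peer|host)[[:space:]]+"?(false|no|off|0)'
# one-line sources format: deb / deb-src lines carrying [trusted=yes]
SRC_RE='^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes'

# scan FILE ERE -> prints "FILE:LINE:TEXT" for each uncommented match
scan() {
    grep -nEi -- "$2" "$1" | grep -vE '^[0-9]+:[[:space:]]*(//|#)' |
        while IFS= read -r scan_line; do
            printf '%s:%s\n' "$1" "$scan_line"
        done
}

# Prints every finding; returns 0 if the tree is clean, 1 otherwise.
audit_apt_bypass() {
    aab_root="${1:-/etc/apt}"
    aab_findings=$(
        for aab_f in "$aab_root"/apt.conf "$aab_root"/apt.conf.d/*; do
            [ -f "$aab_f" ] || continue
            scan "$aab_f" "$CONF_RE"
        done
        for aab_f in "$aab_root"/sources.list "$aab_root"/sources.list.d/*.list; do
            [ -f "$aab_f" ] || continue
            scan "$aab_f" "$SRC_RE"
        done
    )
    [ -n "$aab_findings" ] || return 0
    printf '%s\n' "$aab_findings"
    return 1
}

# Constructed sample tree: one active bypass, one commented-out bypass,
# one normal source and one source marked trusted=yes.
make_constructed_tree() {
    mkdir -p "$1/apt.conf.d" "$1/sources.list.d"
    printf '%s\n' 'Acquire { https::Verify-Peer false }' \
        > "$1/apt.conf.d/99verify-peer.conf"
    printf '%s\n' '// Acquire::https::Verify-Host "false";' \
        > "$1/apt.conf.d/50commented"
    printf '%s\n' 'deb https://deb.nodesource.com/node_10.x bionic main' \
        > "$1/sources.list.d/nodesource.list"
    printf '%s\n' 'deb [trusted=yes] http://ppa.launchpad.net/repo_name/pkg/ubuntu vivid main' \
        > "$1/sources.list"
}

demo_dir=$(mktemp -d)
make_constructed_tree "$demo_dir"
audit_apt_bypass "$demo_dir" || echo "verification bypass still configured"
rm -rf "$demo_dir"
```

On a real host, run `audit_apt_bypass /etc/apt` after finishing the recovery; a non-zero exit status means a bypass is still in place.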
6

You can replace https:// with http:// in the setup script using sed.

curl -sL https://deb.nodesource.com/setup_10.x | sed 's|https://|http://|' | sudo -E bash -

This should be used as the last alternative of course.

Toilal
  • 209
3

What caused the problem

I was originally trying to install Node.js on Ubuntu 18.04.01 LTS via PPA and curl via:

curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh

However, running this command generated a nodesource.list file in etc/apt/sources.list.d/ with the following contents:

deb https://deb.nodesource.com/node_10.x xenial main
deb-src https://deb.nodesource.com/node_10.x xenial main

So when running sudo apt update, these sources could not be trusted via SSL handshake, which caused the update to fail.

How I fixed it

  1. Navigated to /etc/apt/nodesource.list.d
  2. Removed nodesource.list file from the system with

    sudo rm nodesource.list

  3. Purged the system of any current Node.js installation with

    sudo apt-get purge nodejs

    sudo apt-get autoremove

  4. Installed the Distro-Stable Version of Node.js for Ubuntu with:

    sudo apt update

    sudo apt install nodejs

    sudo apt install npm

Joe
  • 1,279
3

This error can be caused by not having the certs in /etc/ssl/certs world-readable. I ran into this after restoring my certs from a backup: for me, the /etc/ssl directory itself was set to 750 instead of 755, making its contents unreadable except to root.

Try these commands if you're having trouble and reinstalling ca-certificates doesn't help:

sudo chmod 755 /etc /etc/ssl /etc/ssl/certs
sudo chmod 644 /etc/ssl/certs/ca-certificates.crt
ki9
  • 546
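A way to confirm the condition described in the answer above before changing any modes, as an added example that is not part of the original answer: it reports which path in the chain down to the CA bundle is missing or lacks read/traverse permission for non-root users, and whether the bundle contains any certificates at all. The function name, the output labels and the constructed tree are hypothetical.

```sh
#!/bin/sh
# Added example: check that the CA trust store is present, non-empty and
# readable by non-root users. The optional argument is a path prefix so
# the check can run against a constructed tree; omit it to check "/".

# Prints one line per problem; returns 0 if everything is fine, 1 otherwise.
check_ca_store() {
    ccs_root="${1:-}"
    ccs_bad=0
    for ccs_rel in /etc /etc/ssl /etc/ssl/certs \
                   /etc/ssl/certs/ca-certificates.crt; do
        ccs_path="$ccs_root$ccs_rel"
        if [ ! -e "$ccs_path" ]; then
            printf 'MISSING %s\n' "$ccs_path"
            ccs_bad=1
            continue
        fi
        # Characters 8-10 of "ls -l" output are the permissions for "other".
        ccs_other=$(ls -ldL "$ccs_path" | cut -c8-10)
        if [ -d "$ccs_path" ]; then
            # Directories need read and search (x, or t with sticky bit).
            case "$ccs_other" in r?x|r?t) ccs_ok=1 ;; *) ccs_ok=0 ;; esac
        else
            # The bundle itself only needs to be readable.
            case "$ccs_other" in r??) ccs_ok=1 ;; *) ccs_ok=0 ;; esac
        fi
        if [ "$ccs_ok" -eq 0 ]; then
            printf 'BAD_MODE %s (other=%s)\n' "$ccs_path" "$ccs_other"
            ccs_bad=1
        fi
    done
    ccs_bundle="$ccs_root/etc/ssl/certs/ca-certificates.crt"
    if [ -f "$ccs_bundle" ]; then
        # A bundle with no PEM blocks gives "No system certificates available".
        ccs_n=$(grep -c 'BEGIN CERTIFICATE' "$ccs_bundle" 2>/dev/null || true)
        if [ "${ccs_n:-0}" -eq 0 ]; then
            printf 'EMPTY_BUNDLE %s\n' "$ccs_bundle"
            ccs_bad=1
        fi
    fi
    return "$ccs_bad"
}

# Constructed tree reproducing the restored-from-backup case: etc/ssl is 750.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/ssl/certs"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
    '-----END CERTIFICATE-----' > "$demo_root/etc/ssl/certs/ca-certificates.crt"
chmod 755 "$demo_root/etc" "$demo_root/etc/ssl/certs"
chmod 750 "$demo_root/etc/ssl"
chmod 644 "$demo_root/etc/ssl/certs/ca-certificates.crt"
check_ca_store "$demo_root" || echo "trust store needs fixing"
rm -rf "$demo_root"
```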
3

This fixed it for me:

sudo dpkg-reconfigure tzdata
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
sudo apt update
sudo apt upgrade ca-certificates --fix-missing

Credits to:

balupton
  • 284
2

I was facing the same error on WSL2 Ubuntu and tried to install ca-certificates with no luck, as it was already installed.

Then I updated /etc/apt/sources.list to use the global servers, updated Apt, and now it works. After upgrading, I saw some updates were made in the /etc/ssl/certs directory; new certificates.

Out of curiosity, I changed sources.list file to use the mirror servers again, and everything works.

matigo
  • 24,752
  • 7
  • 50
  • 79
2

To summarize all the responses above, there are 3 possibilities:

1/ ca-certificates are not installed. Solution:

apt install -y ca-certificates

But you say they are. So for you, that should not be an answer.

2/ Disable the https check (https::Verify-Peer). Solution: add this to /etc/apt/conf.d/

Acquire { https::Verify-Peer false }

but that reduces your security.

3/ find the certificate of your server and add it

jehon
  • 205
1

This issue can also occur due to corrupt cache. I resolved this by:

sudo apt clean

then

sudo apt update

then

sudo apt upgrade
kewlashu
  • 111
  • 2
1

I met the same problem;
here is the fix (attempt), step by step.

// based on caffeinated.tech's answer,
// I guess something broke my ca-certificates package.

1. mirror 1

sudo apt-get update
Ign:1 https://mirrors.ustc.edu.cn/ubuntu focal InRelease
Ign:2 https://mirrors.ustc.edu.cn/ubuntu focal-updates InRelease
Hit:3 http://dl.google.com/linux/chrome/deb stable InRelease                                     
Ign:4 https://mirrors.ustc.edu.cn/ubuntu focal-backports InRelease                                               
Ign:5 https://mirrors.ustc.edu.cn/ubuntu focal-security InRelease                                                 
Ign:6 https://mirrors.ustc.edu.cn/ubuntu focal-proposed InRelease           
Hit:7 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease
Err:8 https://mirrors.ustc.edu.cn/ubuntu focal Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:9 https://mirrors.ustc.edu.cn/ubuntu focal-updates Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:10 https://mirrors.ustc.edu.cn/ubuntu focal-backports Release                                       
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:11 https://mirrors.ustc.edu.cn/ubuntu focal-security Release                                        
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:12 https://mirrors.ustc.edu.cn/ubuntu focal-proposed Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Hit:13 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease
Reading package lists... Done
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-backports Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-proposed Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

2. mirror 2

 sudo apt-get update
Ign:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal InRelease
Ign:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates InRelease        
Ign:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-backports InRelease      
Ign:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security InRelease       
Err:5 http://dl.google.com/linux/chrome/deb stable InRelease
  Something wicked happened resolving 'dl.google.com:http' (-5 - No address associated with hostname)
Err:6 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal Release                    
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Hit:7 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease                
Err:8 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Err:9 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-backports Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Err:10 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security Release                                      
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Hit:11 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease                                         
Reading package lists... Done                                
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-backports Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

3. official

sudo apt update
Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease                                                                                           
Hit:3 http://cn.archive.ubuntu.com/ubuntu focal InRelease           
Hit:4 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease
Hit:5 http://cn.archive.ubuntu.com/ubuntu focal-updates InRelease        
Hit:6 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease    
Reading package lists... Done
Building dependency tree       
Reading state information... Done
39 packages can be upgraded. Run 'apt list --upgradable' to see them.

4. install ca-certificates

sudo apt install ca-certificates 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gir1.2-evince-3.0 libllvm11 libmusicbrainz5-2 linux-headers-5.8.0-43-generic linux-hwe-5.8-headers-5.8.0-43 linux-image-5.8.0-43-generic linux-modules-5.8.0-43-generic
  linux-modules-extra-5.8.0-43-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 39 not upgraded.
Need to get 145 kB of archives.
After this operation, 1,024 B disk space will be freed.
Get:1 http://cn.archive.ubuntu.com/ubuntu focal-updates/main amd64 ca-certificates all 20210119~20.04.2 [145 kB]
Fetched 145 kB in 2s (87.6 kB/s)          
Preconfiguring packages ...
(Reading database ... 363632 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~20.04.2_all.deb ...
Unpacking ca-certificates (20210119~20.04.2) over (20210119~20.04.1) ...
Setting up ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

// here I found ca-certificates was upgraded,
// which was not found before (maybe something broke the old package)

5. mirror 1, again

sudo apt update
Hit:1 https://mirrors.ustc.edu.cn/ubuntu focal InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:3 https://mirrors.ustc.edu.cn/ubuntu focal-updates InRelease
Hit:4 https://mirrors.ustc.edu.cn/ubuntu focal-backports InRelease
Hit:5 https://mirrors.ustc.edu.cn/ubuntu focal-security InRelease
Hit:6 https://mirrors.ustc.edu.cn/ubuntu focal-proposed InRelease
Hit:7 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease
Hit:8 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
55 packages can be upgraded. Run 'apt list --upgradable' to see them.

this time it worked.

yurenchen
  • 471
1

# Writes an apt config fragment that turns off TLS peer certificate verification
touch /etc/apt/apt.conf.d/99verify-peer.conf \
&& echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

Will disable Cert verification, and no error will be generated.

0

I have encountered a problem that is similar to yours, with the Ubuntu Server installed in a VM, but the underlying cause should be different. I put out the problem description and the solution in case someone who encounters the same problem reaches here.

Brief Summary: The similar problem is caused by the network condition of our office. When the problem occurs, I used a bridged network for Internet access. After changing the VM network setting to the normal NAT, the problem is mitigated.

Background: I have installed Ubuntu Server LTS 18.04.3 with VMWare Player. After the installation was completed, I used the VM for several days, including upgrading the system with sudo apt update|upgrade and installing new applications with sudo apt install <appname>.

Problem: After a weekend, I reopened the VM and wanted to install some new software. So I first tried to update the repository information with sudo apt update to see if there was anything upgradable. However, after executing this command, I got the following results:

gary@ubuntu-vm:~$ sudo apt update
Ign:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Ign:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Ign:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Ign:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease
Err:5 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:6 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:7 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:8 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Reading package lists... Done
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

which is similar to the asked problem (e.g., Ign:3 and Err:5), but not the same.

Solution: I have searched the related topics on Google, and many said that the problem is caused by incorrect configuration of certificates. However, I should never change any certificate configuration after installation of the system. Besides, avoiding certificates authentication should not be a regular routine.

To make sure that I did not change related configurations, I reinstall the system. I found that the installation cannot be completed, with the error log similar to the above one. After finding this, I guess that this problem should be caused by the network connection problem, as in this point there is no configuration made to the system.

Therefore, I checked the configuration of the VM instance, and found that this VM uses a bridged network rather than NAT. So I changed the network setting to NAT, which is usually the default network setting, then everything returns to normal!

After that, I recalled that when I first installed the VM, I connected my computer to another computer to share the network (using NAT at the second computer). Later, I had my own network connection and I wanted the VM to have direct access to the physical network, so I changed the VM network setting to a bridged network, which then caused the problem (it's simply a network connection problem, because the physical network requires authentication for network connection, while the VM does not have the credentials).

Gary Wang
  • 111
0

Try and update the GNU TLS-related packages.
I had the same problem with Ubuntu 16.04 LTS and the sublimetext APT repository, among others:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I had tried all the proposed solutions to no avail.
The funny thing is that if I ran echo "" | gnutls-cli download.sublimetext.com -p 443 from another computer, the certificate was accepted, so I know it had to be a client problem.
Then, almost by chance, I checked the pending updates in Software Updater and there were two GNU TLS packages.
I updated them and magically all the errors disappeared. I don't remember the package names exactly but here are all the TLS libraries installed on my machine:

ii  gnutls-bin                        3.4.10-4ubuntu1.9     amd64                 GNU TLS library - commandline utilities
ii  libcurl3-gnutls:amd64             7.47.0-1ubuntu2.19    amd64                 easy-to-use client-side URL transfer library (GnuTLS flavour)
ii  libgnutls-dev:amd64               3.4.10-4ubuntu1.9     amd64                 GNU TLS library - development files
ii  libgnutls-openssl27:amd64         3.4.10-4ubuntu1.9     amd64                 GNU TLS library - OpenSSL wrapper
ii  libgnutls28-dev:amd64             3.4.10-4ubuntu1.9     amd64                 dummy transitional package for GNU TLS library - development files
ii  libgnutls30:amd64                 3.4.10-4ubuntu1.9     amd64                 GNU TLS library - main runtime library
ii  libgnutlsxx28:amd64               3.4.10-4ubuntu1.9     amd64                 GNU TLS library - C++ runtime library
ii  libneon27-gnutls:amd64            0.30.1-3build1        amd64                 HTTP and WebDAV client library (GnuTLS enabled)
0

This answer points apt-get at a custom cert store by using a config file and setting the APT_CONFIG environment variable to point at this new file.

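# Write an apt config file that points https at the custom CA bundle
echo 'Acquire::https {
        CaInfo "/cacert.pem";
}' > /apt.conf
# Export the variable so apt-get, run as a child process, picks it up
export APT_CONFIG=/apt.conf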
r590
  • 101
-1

In my case, I moved to nvm installation steps... as the third party instance was not able to resolve this error, and I did not have sudo rights and other permissions in brief.

I referred to this URL for the nvm steps: https://linuxize.com/post/how-to-install-node-js-on-ubuntu-18.04/

-1

Err:14 https://apt.llvm.org/bionic llvm-toolchain-bionic-11 Release
Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification.

The time zone and date in Ubuntu were configured manually. The browser was set to sync with Ubuntu. This caused the error "The revocation or OCSP data are old and have been superseded". Set time and date to auto update. Works fine.