Error in the certificate verification WSL2

Question

From my personal computer (Win 11) where I have installed WSL2 with Ubuntu 20.04, I am having some difficulties installing programs.

I tried to install OpenFoam and Geogebra and with both I get an error related to certificates.

Could anyone help me understand why and how to solve?

When installing GEOGEBRA with:

sudo apt-add-repository -u 'deb http://www.geogebra.net/linux/ stable main'

I get the error:

...
Err:17 https://sourceforge.net/projects/openfoam/files/repos/deb focal Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 204.68.111.105 443]
Get:20 http://archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [207 kB]
Get:21 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [20.7 kB]
Reading package lists... Done
W: GPG error: http://www.geogebra.net/linux stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C072A32983A736CF
E: The repository 'http://www.geogebra.net/linux stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://dl.openfoam.com/repos/deb focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

With OpenFOAM:

Add the repository

curl https://dl.openfoam.com/add-debian-repo.sh | sudo bash
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3862  100  3862    0     0  11392      0 --:--:-- --:--:-- --:--:-- 11358
Detected distribution code-name: focal
Overwrote /etc/apt/sources.list.d/openfoam.list
Importing openfoam gpg key... done
Overwrote /etc/apt/trusted.gpg.d/openfoam.gpg
Running apt-get update... done
The repository is setup! You can now install packages.

Install preferred package:

sudo apt-get install openfoam2112-default
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package openfoam2112-default

At this link they proposed this solution:

sudo apt install ca-certificates

And for geogebra I found this proposed solution.

But before proceeding I would like to understand the problem better.

Can someone help me understand it better please?

Answer 1

So the two are related, but different. There are a few different topics to cover here:

PPA keys on Ubuntu 20.04

Both applications are being installed from a PPA, a "Personal Package Archive". This is a repository set up by the maintainers of those applications to simplify the installation under Ubuntu.

As a security measure, apt requires that packages in these private repositories be signed with the maintainers' private key. In order to verify the signatures, apt needs the corresponding public key. That's the purpose of the apt-key command that you see in the Geogebra answer you mentioned. Google/search "public-key cryptography" for more details if you are interested.

OpenFOAM is doing the same thing, but there the script that you ran via:

curl https://dl.openfoam.com/add-debian-repo.sh | sudo bash

... actually did the apt-key add for their key.

After adding the key, you also need to update your local repo cache with sudo apt update. Again, that's mentioned in the Geogebra answer and also done automatically by the OpenFOAM script.

PPA keys after 20.04

Note that Ubuntu 20.04 is the last major release where this particular process works exactly like that. In 20.04, adding a key would allow any software signed with that key to be trusted. This was somewhat of a security risk, since if the private key ever got out, it could be used to sign malicious software which your system would then trust. That said, it's been like that for many years. I'm happy they've changed it, personally.

Now, in 20.10 and later, you have to configure each repository to have a trusted key. Software signed by that keypair that lives in a different repository will no longer be trusted. See this excellent answer for the details. But also realize that the method of configuring the key for repositories will probably change and improve over time.

So with their respective apt keys installed on your system, Geogebra and OpenFOAM should install.

OpenFOAM error

However, you are seeing an interesting error with OpenFOAM:

E: Unable to locate package openfoam2112-default

That's not going to be resolved with the installation of ca-certificates, which actually are part of the default Ubuntu 20.04 installation on WSL anyway.

I can tell you that I just tried it on my WSL/Ubuntu 20.04 and it worked properly, so there are two possibilities that I can think of:

• The repo didn't get updated properly on your system.
• There was a temporary failure in the repo when you were trying to install.

Since I was able to do it successfully, I'd suggest you just try again:

sudo apt update
sudo apt-get install openfoam2112-default

If that doesn't work, run the script one more time, then try again:

curl https://dl.openfoam.com/add-debian-repo.sh | sudo bash
sudo apt-get install openfoam2112-default

Running a script downloaded from the web

Okay, that also brings us to the topic of a script like that. Since we're talking "security" topics here, and you've expressed an interest, keep in mind that running scripts from the web, especially passing them to sudo, is a pretty big security risk.

You have to:

• Trust that the maintainer isn't doing something nefarious.
• Trust that the site hasn't been taken over.
• Trust that the project hasn't been sold to or handed over to a new maintainer who is a "bad actor" doing something nefarious (it's happened).

Or:

• You need to examine the script being run and make sure it appears safe. You can do this by first issuing the curl https://dl.openfoam.com/add-debian-repo.sh without passing it to sudo bash.

For this reason, I'd typically be happier with a project on a PPA that simply provides instructions on installing their key, rather than one who provides a "easier to use" script that automates it.

ca-certificates

And finally, since you asked about the:

sudo apt install ca-certificates

That's really covered in this answer already (which happens to be the top Google search result as well).

But it's not going to help in this case. The OpenFOAM thread you linked to was due to:

expired certificates of sourceforge.net so I was not able to create repository so system could not be installed

That's not the problem (or error) you are having.