
I have an issue installing Jenkins from https://share.jenkins.io as described at https://phoenixnap.com/kb/install-jenkins-ubuntu.

I tried to follow the instructions I found, but apt does not accept the certificates. This is doubtlessly because of our company's proxy, which is playing man-in-the-middle and exchanges SSL keys.

I could not add the GPG key into the keyring directory with

curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc > /dev/null

because the curl request was not successful:

curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Here I could simply add the switch -k to ignore certificate issues:

curl -kfsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc > /dev/null

After that I added the repo to the source list with

echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null

which worked.

However, when I execute sudo apt update it is not successful:

It ignores the Jenkins repository because of a certificate issue:

Ign:1 https://pkg.jenkins.io/debian-stable binary/ InRelease
Ign:1 https://pkg.jenkins.io/debian-stable binary/ InRelease
Err:1 https://pkg.jenkins.io/debian-stable binary/ InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 151.101.2.133 443]
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
128 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch https://pkg.jenkins.io/debian-stable/binary/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 151.101.2.133 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.

-EDIT- A simple update of the CA certificates as found via

sudo apt install ca-certificates

does not solve the issue, and I want to disable neither the certificate check nor the GPG check, e.g. via sudo apt-get --allow-unauthenticated upgrade,

sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update

or apt-get -o APT::Get::AllowUnauthenticated=true.

1 Answer


As our enterprise proxy is playing man-in-the-middle, the SSL certificates do not match / are not valid.

I wrote (or actually partially modified) a little one-liner script inspired by other threads (see https://serverfault.com/questions/934532/how-to-install-company-proxy-certificate/1164315#1164315) to download the certificates of our enterprise proxy:

host=pkg.jenkins.io; \
echo "" | openssl s_client -showcerts -connect "${host}:443" | \
awk '/-----BEGIN CERTIFICATE-----/ { i++; } /-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/ { print > ("cert-" i ".crt") }'; \
for cert in *.crt; do \
    newname=$( \
        openssl x509 -noout -subject -in "${cert}" | \
        sed -nE 's/.*CN ?= ?(.*)/\1/; s/\s/_/g; s/[^[:alnum:]]/_/g; s/__+/_/g; s/^_//g; s/_$//g; p' | \
        tr '[:upper:]' '[:lower:]' \
    ).crt; \
    echo "${newname}"; \
    mv "${cert}" "${newname}"; \
done

The variable host is of course just "nice-to-have"; you can directly edit the host in the first openssl command.

The echo "" reduces waiting time for openssl.

The first openssl fetches all certificates, the second identifies the CN of the cert.

The awk extracts the certificates and puts each by incremented index in a separate file with file name suffix .crt.

The for iterates over all downloaded/found certificate (.crt) files.

The sed and tr remove all clutter from the name.

You need to put the downloaded/prepared CRT files into /etc/ssl/certs/:

sudo cp -f *.crt /etc/ssl/certs/

(or actually I guess you should rather create your own folder in /usr/share/ca-certificates/ and add symbolic links from /etc/ssl/certs/ to your new enterprise-proxy-certificates folder).

Then run sudo update-ca-certificates afterwards.

Now the execution of sudo apt update does not fail:

Hit:1 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 https://pkg.jenkins.io/debian-stable binary/ InRelease
Get:3 https://pkg.jenkins.io/debian-stable binary/ Release [2044 B]
Get:4 https://pkg.jenkins.io/debian-stable binary/ Release.gpg [833 B]
Hit:5 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:6 https://pkg.jenkins.io/debian-stable binary/ Packages [27.6 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Hit:8 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Fetched 158 kB in 1s (164 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
128 packages can be upgraded. Run 'apt list --upgradable' to see them.

Also sudo apt install jenkins works:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  net-tools
The following NEW packages will be installed:
  jenkins net-tools
0 upgraded, 2 newly installed, 0 to remove and 128 not upgraded.
Need to get 91.4 MB of archives.
After this operation, 94.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 net-tools amd64 1.60+git20181103.0eebece-1ubuntu5 [204 kB]
Get:1 https://pkg.jenkins.io/debian-stable binary/ jenkins 2.462.1 [91.2 MB]
Fetched 91.4 MB in 19s (4732 kB/s)
Selecting previously unselected package net-tools.
(Reading database ... 41551 files and directories currently installed.)
Preparing to unpack .../net-tools_1.60+git20181103.0eebece-1ubuntu5_amd64.deb ...
Unpacking net-tools (1.60+git20181103.0eebece-1ubuntu5) ...
Selecting previously unselected package jenkins.
Preparing to unpack .../jenkins_2.462.1_all.deb ...
Unpacking jenkins (2.462.1) ...
Setting up net-tools (1.60+git20181103.0eebece-1ubuntu5) ...
Setting up jenkins (2.462.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/jenkins.service → /lib/systemd/system/jenkins.service.
Processing triggers for man-db (2.10.2-1) ...
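Added example (the editor's own code, not the answer's one-liner and not anything shipped by Jenkins, Debian or Ubuntu): it performs the same chain extraction as the script above, but only installs the self-signed root of the chain the proxy presents, places it in /usr/local/share/ca-certificates/ (the directory update-ca-certificates scans on Debian/Ubuntu), and finally prints the fingerprint of the repository key that the question fetched with curl -k, so it can be compared with the value Jenkins publishes. The function names (fetch_chain, split_chain, cn_to_name, is_self_signed, install_proxy_root, show_key_fingerprint) are this example's own; it assumes openssl, awk, sed and gpg on PATH and a Debian/Ubuntu trust-store layout.

```shell
#!/bin/sh
# Added example, not the answer's script: fetch the chain a MITM proxy presents,
# keep only the self-signed root, and install it the Debian/Ubuntu way.
# Assumptions: openssl, awk, sed, gpg on PATH; /usr/local/share/ca-certificates
# and update-ca-certificates exist (Debian/Ubuntu); all function names are ours.
set -eu

# Fetch the PEM chain seen for host $1 on port 443. Behind a MITM proxy this is
# the proxy's chain, which is exactly what curl and apt are rejecting.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Split a PEM bundle ($1) into $2/cert-1.crt, cert-2.crt, ...; print the count.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++; f = dir "/cert-" i ".crt" }
        /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print > f }
        END { print i + 0 }
    ' "$1"
}

# Reduce an openssl "subject=..." line to a safe lowercase file name built from
# its CN only (stops at the next RDN instead of a greedy ".*" capture).
cn_to_name() {
    printf '%s\n' "$1" |
        sed -nE 's|.*CN ?= ?([^,/]*).*|\1|p' |
        sed -E 's/[^[:alnum:]]+/_/g; s/^_//; s/_$//' |
        tr '[:upper:]' '[:lower:]'
}

# A certificate is self-signed (a root) when its subject equals its issuer.
# Leaf and intermediate certificates are not trust anchors and do not belong
# in the CA store.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Install the proxy's root CA(s) seen for host $1 into the system trust store.
install_proxy_root() {
    work=$(mktemp -d)
    fetch_chain "$1" > "$work/chain.pem"
    n=$(split_chain "$work/chain.pem" "$work")
    [ "$n" -gt 0 ] || { echo "no certificates received from $1" >&2; return 1; }
    installed=0
    for cert in "$work"/cert-*.crt; do
        subject=$(openssl x509 -noout -subject -in "$cert")
        if is_self_signed "$cert"; then
            name=$(cn_to_name "$subject")
            # Debian/Ubuntu: .crt files here are linked into /etc/ssl/certs and
            # merged into ca-certificates.crt by update-ca-certificates.
            sudo install -m 0644 "$cert" "/usr/local/share/ca-certificates/$name.crt"
            echo "installed root CA: $name"
            installed=$((installed + 1))
        else
            echo "skipping non-root certificate: $subject"
        fi
    done
    rm -rf "$work"
    if [ "$installed" -eq 0 ]; then
        echo "the proxy sent no self-signed root; obtain the proxy CA (PEM) from whoever runs it" >&2
        return 1
    fi
    sudo update-ca-certificates
}

# The repository key was fetched with curl -k, i.e. over an unverified channel:
# print its fingerprint so it can be compared with the one Jenkins publishes.
show_key_fingerprint() {
    gpg --show-keys --with-fingerprint "${1:-/usr/share/keyrings/jenkins-keyring.asc}"
}

if [ "${1:-}" ]; then
    install_proxy_root "$1"    # e.g. sh install-proxy-ca.sh pkg.jenkins.io
    show_key_fingerprint
fi
```

Run it with the repository host as its argument, e.g. `sh install-proxy-ca.sh pkg.jenkins.io`. Only a self-signed root is a trust anchor: copying every file from the chain into /etc/ssl/certs/, as the answer's `cp -f *.crt` does, also drops the proxy's per-host leaf and intermediate certificates into the store, where they are of no use for verification and silently become stale when the proxy rotates them. Many proxies do not send their root at all; the script then stops, and the CA file has to come from the team operating the proxy. Once the root is trusted, curl no longer needs -k, and the signing key should be fetched again over the now-verified connection and its fingerprint checked against the published value before the repository is used.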