apt-get: server certificate verification failed #1082

Closed
mbourqui opened this issue Feb 7, 2019 · 10 comments

@mbourqui

mbourqui commented Feb 7, 2019

Describe the bug

Hi,

I am encountering an issue similar to #797, but simply re-installing ca-certificates is not sufficient:

Err https://packages.sury.org jessie/main amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign https://packages.sury.org jessie/main Translation-en_US
Ign https://packages.sury.org jessie/main Translation-en
Fetched 715 kB in 3s (182 kB/s)
W: Failed to fetch https://packages.sury.org/php/dists/jessie/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I already tried the following:

But the problem is still the same. curl and wget say that the certificate is expired.

Am I missing something?

To Reproduce
apt-get update

Expected behavior
Successfully update package repositories

Distribution

  • OS: Debian 8.11
  • Architecture: amd64
  • Repository: packages.sury.org

Package(s)

Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 https://deb.nodesource.com/node_10.x/ jessie/main amd64 Packages
     release o=Node Source,n=jessie,l=Node Source,c=main
     origin deb.nodesource.com
 500 http://dl.google.com/linux/chrome/deb/ stable/main amd64 Packages
     release v=1.0,o=Google LLC,a=stable,n=stable,l=Google,c=main
     origin dl.google.com
 500 http://packages.dotdeb.org/ jessie/all amd64 Packages
     release o=packages.dotdeb.org,a=jessie,n=jessie,l=packages.dotdeb.org,c=all
     origin packages.dotdeb.org
 500 http://ftp.debian.org/debian/ jessie-backports/main Translation-en
 100 http://ftp.debian.org/debian/ jessie-backports/main amd64 Packages
     release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
     origin ftp.debian.org
 500 http://ftp.ch.debian.org/debian/ jessie-updates/main Translation-en
 500 http://ftp.ch.debian.org/debian/ jessie-updates/main amd64 Packages
     release o=Debian,a=oldstable-updates,n=jessie-updates,l=Debian,c=main
     origin ftp.ch.debian.org
 500 http://security.debian.org/ jessie/updates/main Translation-en
 500 http://security.debian.org/ jessie/updates/main amd64 Packages
     release v=8,o=Debian,a=oldstable,n=jessie,l=Debian-Security,c=main
     origin security.debian.org
 500 http://ftp.ch.debian.org/debian/ jessie/main Translation-en
 500 http://ftp.ch.debian.org/debian/ jessie/main amd64 Packages
     release v=8.11,o=Debian,a=oldstable,n=jessie,l=Debian,c=main
     origin ftp.ch.debian.org
@oerdnj
Owner

oerdnj commented Feb 10, 2019

What's output of:

sudo apt-get install gnutls-bin ca-certificates
echo "" | gnutls-cli packages.sury.org -p 443

It should be something like this:

# echo "" | gnutls-cli packages.sury.org -p 443
Processed 152 CA certificate(s).
Resolving 'packages.sury.org'...
Connecting to '2001:19f0:5001:192f:ec4:7aff:fe8e:f981:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=packages.sury.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2019-02-07 17:48:27 UTC', expires `2019-05-08 17:48:27 UTC', SHA-1 fingerprint `3adb4059d65814e1f9995df94d1089ef72fd9356'
	Public Key ID:
		282798be55c80198b74121f979aafd358bfd00d0
	Public key's random art:
		+--[ RSA 2048]----+
		|.=+.             |
		|+.oo             |
		| o.+E            |
		|  +=.o .         |
		|  oo* + S        |
		| ..  *           |
		| o. . +          |
		|. .o + +         |
		|  ..o o..        |
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', SHA-1 fingerprint `e6a3b45b062d509b3382282d196efe97d5956ccb'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
- Session ID: 7A:7C:09:24:18:8E:16:B3:FF:10:86:C7:D3:76:22:CE:FD:97:38:B9:0C:43:B5:2A:24:46:A4:84:E4:7E:5D:98
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

@oerdnj
Owner

oerdnj commented Feb 10, 2019

It works in clean jessie chroot. If you can reproduce the issue in clean jessie chroot, feel free to reopen the bug. Otherwise, it's your local configuration problem.

@oerdnj oerdnj closed this as completed Feb 10, 2019
@mbourqui
Author

Somehow my machine is not able to get the right certificate (the one it gets is expired), not sure if there is some cache somewhere on the/my network:

# echo "" | gnutls-cli packages.sury.org -p 443
Processed 157 CA certificate(s).
Resolving 'packages.sury.org'...
Connecting to '217.31.192.150:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=packages.sury.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 4096 bits, signed using RSA-SHA256, activated `2018-06-06 09:19:20 UTC', expires `2018-09-04 09:19:20 UTC', SHA-1 fingerprint `6c48d572d5ad9406b0aa06b841f302eed45aea21'

@oerdnj
Owner

oerdnj commented Feb 11, 2019

It’s pretty obvious (to me), where the problem is. Do you waNt hintS?

@mbourqui
Author

Think I got it. My local DNS cache is serving me stale content.

For reference, I ran sudo /etc/init.d/nscd restart, and sudo apt-get update just ran fine again.

Thanks!
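The diagnosis in this thread has two halves: the owner's gnutls-cli check of which certificate the server actually presents, and the reporter's finding that a stale local DNS cache pointed him at a different address whose certificate had expired. The script below is an added example, not code from the thread. It reuses the gnutls-cli transcript posted above as a constructed sample and extracts the address gnutls-cli connected to and the leaf certificate's expiry; given a host name, it also compares what the local resolver path (libc, /etc/hosts, nscd) returns with the answer from an independent resolver and fetches the leaf certificate from each address with SNI set. The resolver 1.1.1.1, the use of dig and openssl, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: tell "my trust store is wrong" apart
# from "I am talking to the wrong server" when apt reports
# "server certificate verification failed".
# Assumptions: getent (glibc), dig (dnsutils) and openssl are installed, and
# 1.1.1.1 is reachable as an independent resolver. The offline helpers only
# need grep, sed, expr and date.

UPSTREAM_DNS=${UPSTREAM_DNS:-1.1.1.1}

# Constructed sample: the gnutls-cli output posted in the thread (trimmed).
sample_stale() {
  cat <<'EOF'
Processed 157 CA certificate(s).
Resolving 'packages.sury.org'...
Connecting to '217.31.192.150:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=packages.sury.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 4096 bits, signed using RSA-SHA256, activated `2018-06-06 09:19:20 UTC', expires `2018-09-04 09:19:20 UTC', SHA-1 fingerprint `6c48d572d5ad9406b0aa06b841f302eed45aea21'
EOF
}

# --- offline: read a gnutls-cli transcript ----------------------------------

# Expiry of Certificate[0], the leaf; it is the first "expires `...'" printed.
leaf_expiry() {
  grep -m1 -o "expires \`[^']*'" | sed "s/^expires \`//; s/'\$//"
}

# The address gnutls-cli actually connected to, with the port stripped.
connected_ip() {
  grep -m1 -o "Connecting to '[^']*'" | sed "s/^Connecting to '//; s/:[0-9]*'\$//"
}

# $1 is "YYYY-MM-DD HH:MM:SS UTC" as gnutls prints it. ISO timestamps sort
# lexically, so a string comparison against the current UTC time is enough.
is_expired() {
  now=$(date -u '+%Y-%m-%d %H:%M:%S')
  expr "${1% UTC}" \< "$now" >/dev/null
}

# One-line verdict for a gnutls-cli transcript read from stdin.
summarize_gnutls() {
  out=$(cat)
  ip=$(printf '%s\n' "$out" | connected_ip)
  exp=$(printf '%s\n' "$out" | leaf_expiry)
  if is_expired "$exp"; then v=EXPIRED; else v=valid; fi
  printf 'server=%s leaf_expires=%s verdict=%s\n' "$ip" "$exp" "$v"
}

# --- live: is the local resolver path lying? --------------------------------

# Addresses via the local path (libc, /etc/hosts, nscd) and via an upstream
# resolver queried directly, which bypasses any local cache.
resolve_local()    { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }
resolve_upstream() { dig +short "@$UPSTREAM_DNS" "$1" A | grep -v '\.$' | sort -u; }

# Fetch the leaf from one address while sending the real name as SNI;
# "openssl x509 -checkend 0" fails exactly when the certificate has expired.
probe_addr() {
  host=$1; addr=$2
  pem=$(printf '' | openssl s_client -servername "$host" -connect "$addr:443" 2>/dev/null \
        | openssl x509 2>/dev/null)
  if [ -z "$pem" ]; then printf '%s: no certificate presented\n' "$addr"; return 0; fi
  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
  fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//')
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then v=valid; else v=EXPIRED; fi
  printf '%s: leaf expires %s, SHA-1 %s (%s)\n' "$addr" "$end" "$fp" "$v"
}

main() {
  host=$1
  local_ips=$(resolve_local "$host"); up_ips=$(resolve_upstream "$host")
  printf 'local resolver : %s\n' "$(printf '%s ' $local_ips)"
  printf 'upstream %s : %s\n' "$UPSTREAM_DNS" "$(printf '%s ' $up_ips)"
  if [ "$local_ips" != "$up_ips" ]; then
    echo "!! answers differ: suspect a stale local cache (nscd, dnsmasq, systemd-resolved) or a tampered resolver"
  fi
  printf '%s\n' $local_ips $up_ips | sort -u | while read -r a; do
    [ -n "$a" ] && probe_addr "$host" "$a"
  done
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh diag.sh packages.sury.org`. If the two resolver answers differ, flush the local cache (the thread's `/etc/init.d/nscd restart`) and run it again; if they agree and the leaf is still reported EXPIRED, the problem is on the server, not on your host; if the leaf is valid but apt still fails, the trust store on your host is the next suspect.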

@IztokKlanecek

IztokKlanecek commented Apr 20, 2022

I just want to thank you for solution.

sudo apt-get install gnutls-bin ca-certificates
echo "" | gnutls-cli packages.sury.org -p 443

You really saved my day. I have spent a couple of days seeking why my Debian 9 server won't update.
Thank you very much.

Iztok

@jchook

jchook commented May 11, 2022

Thanks!

Changing /etc/resolv.conf to use nameserver 1.1.1.1 resolved the issue for me on Linode.

@nyroDev

nyroDev commented Jun 17, 2022

In my case, the problem was old cert files without the recent root certificates used by Let's Encrypt.

To fix it, I did the following:

echo 'Acquire::https::packages.sury.org::Verify-Peer "false";' > /etc/apt/apt.conf.d/99php-sury

Which tells apt to ignore invalid certs for packages.sury.org

@akaPipo

akaPipo commented Jun 17, 2022

I have fixed it this way #1729 (comment)

@sleemanj

I added this to the FAQ last night (@akaPipo's suggested way).

https://github.com/oerdnj/deb.sury.org/wiki/Frequently-Asked-Questions#i-get-an-ssl-certificate-expired--invalid-certificate-error

Seems a few people are getting caught out with the expired X3 cert still in their certificate store.
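The `Verify-Peer "false"` drop-in posted earlier in the thread and the expired X3 root mentioned in the FAQ comment are two ends of the same problem. The drop-in makes apt stop authenticating the mirror: apt still verifies the InRelease signature, but an on-path attacker can now impersonate packages.sury.org and feed apt's TLS layer and everything it parses before that signature check arbitrary data, and what you install is no longer private. The script below is an added example, not code from the thread or the deb.sury.org FAQ. It audits /etc/apt/apt.conf.d for such overrides, checks whether DST Root CA X3 is still enabled in /etc/ca-certificates.conf, lists expired certificates in the bundle apt names as CAfile, and applies the fix that keeps verification on (newest ca-certificates, the expired root disabled, bundle rebuilt). The paths, the sample drop-ins and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the deb.sury.org FAQ): audit the apt
# TLS configuration instead of switching verification off.
# Assumptions: Debian layout (/etc/apt/apt.conf.d, /etc/ca-certificates.conf,
# /etc/ssl/certs/ca-certificates.crt) and openssl for the bundle scan.

APT_CONF_D=${APT_CONF_D:-/etc/apt/apt.conf.d}
CA_CONF=${CA_CONF:-/etc/ca-certificates.conf}
CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# Constructed sample: a drop-in like the one in the thread, a global
# override, and a harmless setting, so the audit can be exercised offline.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Acquire::https::packages.sury.org::Verify-Peer "false";\n' > "$d/99php-sury"
  printf 'Acquire::https::Verify-Host "false";\n' > "$d/00insecure"
  printf 'Acquire::https::Verify-Peer "true";\n' > "$d/50fine"
  printf '%s\n' "$d"
}

# 1. Drop-ins that switch off peer or host-name verification. apt still checks
#    the InRelease signature, but with either directive an on-path attacker can
#    impersonate the mirror and feed apt's transport and parsers anything.
#    Prints the affected host, or "(all hosts)" for a global override. Only the
#    one-line "Acquire::https::...::Verify-Peer ..." form is recognised.
find_unverified_hosts() {
  grep -rhoE 'Acquire::https(::[^:]+)?::Verify-(Peer|Host)[[:space:]]+"?false"?' "$1" 2>/dev/null \
    | sed -E 's/^Acquire::https(::)?//; s/^Verify-(Peer|Host).*/(all hosts)/; s/::Verify-(Peer|Host).*//' \
    | LC_ALL=C sort -u
}

# 2. Is the expired DST Root CA X3 still enabled? Enabled roots are listed
#    bare in ca-certificates.conf; a leading '!' disables one.
x3_enabled() {
  grep -qx 'mozilla/DST_Root_CA_X3.crt' "$1"
}

# 3. Every expired certificate in the bundle (what apt's error calls CAfile).
expired_in_bundle() {
  tmp=$(mktemp -d) || return 1
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || continue
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
      || openssl x509 -in "$f" -noout -subject -enddate
  done
  rm -rf "$tmp"
}

# 4. The fix that keeps verification on (run as root): newest bundle for the
#    release, the expired root disabled, and the overrides pointed out so you
#    can delete them rather than leave them behind.
fix() {
  apt-get install --only-upgrade ca-certificates
  if x3_enabled "$CA_CONF"; then
    sed -i 's|^mozilla/DST_Root_CA_X3.crt$|!mozilla/DST_Root_CA_X3.crt|' "$CA_CONF"
    update-ca-certificates
  fi
  echo "remove these drop-ins, then run apt-get update:"
  grep -rlE 'Verify-(Peer|Host)[[:space:]]+"?false"?' "$APT_CONF_D" 2>/dev/null
}

case "${1:-}" in
  audit)
    echo "verification disabled in $APT_CONF_D for:"; find_unverified_hosts "$APT_CONF_D"
    if x3_enabled "$CA_CONF"; then echo "DST Root CA X3 still enabled in $CA_CONF"; fi
    echo "expired certificates in $CA_BUNDLE:"; expired_in_bundle "$CA_BUNDLE" ;;
  fix) fix ;;
  demo) d=$(make_sample_dir); find_unverified_hosts "$d"; rm -rf "$d" ;;
esac
```

`sh apt-tls-audit.sh audit` reports without changing anything; `sh apt-tls-audit.sh fix` applies the remediation. The expired-certificate scan is what tells you whether the X3 case applies before you touch the trust store, and the audit is worth re-running after any fix so the `Verify-Peer "false"` workaround does not outlive the problem it was meant to bypass.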
