
The certificate of 'packages.sury.org' has expired. #1729

Closed
GetoXs opened this issue Mar 2, 2022 · 19 comments

Comments

GetoXs commented Mar 2, 2022

Describe the bug
Adding the sury gpg key returns an error that the certificate has expired.

To Reproduce

  1. Build the Docker image according to https://packages.sury.org/php/README.txt:
FROM debian as base

RUN apt-get update
RUN apt-get -y install apt-transport-https lsb-release ca-certificates curl
RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
RUN sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
RUN apt-get update
  2. On adding the gpg key there is an error:
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
--2022-03-02 08:47:06--  https://packages.sury.org/php/apt.gpg
Resolving packages.sury.org (packages.sury.org)... 51.83.238.53
Connecting to packages.sury.org (packages.sury.org)|51.83.238.53|:443... connected.
ERROR: The certificate of 'packages.sury.org' is not trusted.
ERROR: The certificate of 'packages.sury.org' has expired.

Expected behavior
Cert should be added

Distribution (please complete the following information):

  • OS: Docker
  • Architecture: amd64

mrWodoo commented Mar 2, 2022

Got the same issue, found it yesterday, Docker with ubuntu 20.4 in WSL2

oerdnj (Owner) commented Mar 2, 2022

What's the output of: dig IN A packages.sury.org and the output of gnutls-cli packages.sury.org:443?

oerdnj (Owner) commented Mar 2, 2022

I see the following:

$ gnutls-cli --sni-hostname=packages.sury.org --verify-hostname=packages.sury.org 51.83.238.53:443
Processed 127 CA certificate(s).
Resolving '51.83.238.53:443'...
Connecting to '51.83.238.53:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=packages.sury.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04852782048aa8906fd31503ed7336ce7a16, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-03-01 07:58:20 UTC', expires `2022-05-30 07:58:19 UTC', pin-sha256="Y7HBUYdTOeofVLlUc3OcL7RDZRuU/ZLgJrn9wGAXBP0="
	Public Key ID:
		sha1:a464aeb8fa6392ff35c82a1462a9cc2ad103ae03
		sha256:63b1c151875339ea1f54b95473739c2fb443651b94fd92e026b9fdc0601704fd
	Public Key PIN:
		pin-sha256:Y7HBUYdTOeofVLlUc3OcL7RDZRuU/ZLgJrn9wGAXBP0=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 50:7A:AA:1C:0B:2A:C1:1F:88:30:ED:EE:4D:7B:39:6A:9A:1A:7B:F6:99:95:9B:3D:81:0C:47:60:DE:4F:FB:06
- Options:
- Handshake was completed

- Simple Client Mode:

- Peer has closed the GnuTLS connection

GetoXs (Author) commented Mar 2, 2022

dig IN A packages.sury.org

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> IN A packages.sury.org 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50718
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b235661e2647f2ae (echoed)
;; QUESTION SECTION:
;packages.sury.org.             IN      A

;; ANSWER SECTION:
packages.sury.org.      284     IN      CNAME   debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net.   35      IN      A       51.83.238.53
debsuryorg.b-cdn.net.   19      IN      A       51.83.238.53

;; Query time: 49 msec
;; SERVER: 192.168.65.5#53(192.168.65.5)
;; WHEN: Wed Mar 02 09:00:18 UTC 2022
;; MSG SIZE  rcvd: 181

gnutls-cli packages.sury.org:443

Processed 137 CA certificate(s).
Resolving 'packages.sury.org:443'...
Connecting to '51.83.238.53:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=packages.sury.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04852782048aa8906fd31503ed7336ce7a16, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-03-01 07:58:20 UTC', expires `2022-05-30 07:58:19 UTC', pin-sha256="Y7HBUYdTOeofVLlUc3OcL7RDZRuU/ZLgJrn9wGAXBP0="
        Public Key ID:
                sha1:a464aeb8fa6392ff35c82a1462a9cc2ad103ae03
                sha256:63b1c151875339ea1f54b95473739c2fb443651b94fd92e026b9fdc0601704fd
        Public Key PIN:
                pin-sha256:Y7HBUYdTOeofVLlUc3OcL7RDZRuU/ZLgJrn9wGAXBP0=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

GetoXs (Author) commented Mar 2, 2022

@oerdnj I don't know if you changed something, but it started to work:

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
--2022-03-02 09:05:56--  https://packages.sury.org/php/apt.gpg
Resolving packages.sury.org (packages.sury.org)... 51.83.238.53
Connecting to packages.sury.org (packages.sury.org)|51.83.238.53|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1769 (1.7K) [application/octet-stream]
Saving to: '/etc/apt/trusted.gpg.d/php.gpg'

/etc/apt/trusted.gpg.d/php.gpg                  100%[====================================================================================================>]   1.73K  --.-KB/s    in 0s       

2022-03-02 09:05:56 (29.7 MB/s) - '/etc/apt/trusted.gpg.d/php.gpg' saved [1769/1769]

oerdnj (Owner) commented Mar 2, 2022

Nope, haven't touched a thing.

GetoXs (Author) commented Mar 2, 2022

It's weird. The certificate only works with gnutls-bin installed (apt install gnutls-bin).

oerdnj (Owner) commented Mar 2, 2022

I guess you are missing an up-to-date ca-certificates package or something like that.

todeveni (Contributor) commented Mar 2, 2022

FWIW, that Dockerfile works just fine. Just replaced wget with curl, since Debian doesn't come with wget preinstalled.

Your Dockerfile should've stopped already there.
Perhaps you're using cached old packages and Debian version from Docker build cache.

 => ERROR [4/6] RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg                   0.4s
------
 > [4/6] RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg:
#7 0.335 /bin/sh: 1: wget: not found

oerdnj (Owner) commented Mar 2, 2022

I don't see a problem on the server, closing the issue.

oerdnj closed this as completed Mar 2, 2022

GetoXs (Author) commented Mar 2, 2022

I found the cause. I used Debian 10.4; with the newest 10.11 it works. You are right, old ca-certificates.


akaPipo commented Jun 15, 2022

I face the same problem.

lsb_release -a >

No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.13 (stretch)
Release: 9.13
Codename: stretch

gnutls-cli packages.sury.org:443 >

Processed 127 CA certificate(s).
Resolving 'packages.sury.org:443'...
Connecting to '138.199.37.226:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=packages.sury.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0391013a17469f7f084671ef20c765694d6e, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-05-22 10:10:15 UTC', expires `2022-08-20 10:10:14 UTC', key-ID `sha256:8e0c0f05154de6233249ccc15b89b556a3330a6c3f113611453da32fea416570'
	Public Key ID:
		sha1:ed56dceb8acbaa62da327a6400abcc40b66540e7
		sha256:8e0c0f05154de6233249ccc15b89b556a3330a6c3f113611453da32fea416570
	Public key's random art:
	+--[ RSA 2048]----+
	|.o.. |
	|.ooo |
	|+.+E |
	|+. . . . |
	|=. S . o . |
	|.oo . . . |
	| o o . |
	| +.o o . . |
	|.o.=......+.... |
	+-----------------+

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', key-ID `sha256:8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d'
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', key-ID `sha256:0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.


rfay commented Jun 15, 2022

@akaPipo Your system is out of date or misconfigured and that's the problem. A current system/browser shows a valid cert.



akaPipo commented Jun 15, 2022

Thanks for your reply. Still can't find a reason. This repo was added years ago and worked like a charm. I have already done apt-get upgrade && apt-get update. By the way, other non-Debian (not official) repos work well; there is no such error.


rfay commented Jun 15, 2022

I should note that Debian stretch goes out of support in 15 days :( So you have more work to do than just resolving this.

oerdnj (Owner) commented Jun 15, 2022

Yep, as documented here: #1785

I'll do one last update and send a newsletter to the Patreon and GitHub Sponsors, and then the Debian stretch repositories will be decommissioned.


akaPipo commented Jun 15, 2022

@oerdnj, @rfay Thanks.


akaPipo commented Jun 16, 2022

I have finally fixed it!

The issue was that the DST Root CA X3 cross-sign had expired.

To fix it on debian:

  1. run sudo dpkg-reconfigure ca-certificates
  2. uncheck mozilla/DST_Root_CA_X3.crt
  3. OK

Found on Stack Overflow.


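The two diagnostic outputs in this thread (the chain that verifies on an up-to-date system, and the "chain uses expired certificate" failure on Debian 9) plus the dpkg-reconfigure fix above come down to one mechanism: the served chain ends in ISRG Root X1 cross-signed by DST Root CA X3, and a trust store that still contains the expired DST Root CA X3 root makes older chain builders follow the cross-sign to an expired anchor. The following Python script is an added illustration, not code from this issue or from the sury repository. It parses gnutls-cli "Certificate[n] info" lines (sample text reconstructed and abridged from the Debian 9 output quoted above), models the legacy and modern chain-building strategies in simplified form (it is not the real OpenSSL or GnuTLS logic), and shows that pruning expired anchors from the store, which is what unchecking mozilla/DST_Root_CA_X3.crt does, makes the legacy walk succeed. The DST Root CA X3 (2021-09-30) and ISRG Root X1 (2035-06-04) expiry dates are the public values of those roots; the reference time is an assumption matching the date of the comment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry, UTC


def utc(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# One gnutls-cli certificate line: subject, issuer and expiry (other fields ignored).
_CERT_LINE = re.compile(r"subject `(.*?)', issuer `(.*?)', .*?expires `(.*?) UTC'")


def parse_gnutls_chain(output: str) -> List[Cert]:
    """Extract the served chain, leaf first, from gnutls-cli output."""
    chain = []
    for line in output.splitlines():
        m = _CERT_LINE.search(line)
        if m:
            chain.append(Cert(m.group(1), m.group(2), utc(m.group(3))))
    return chain


# Constructed sample: the three certificate lines from the failing Debian 9 run, abridged.
GNUTLS_OUTPUT = """\
- Certificate[0] info:
 - subject `CN=packages.sury.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0391013a17469f7f084671ef20c765694d6e, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-05-22 10:10:15 UTC', expires `2022-08-20 10:10:14 UTC'
- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC'
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC'
"""

# Self-signed roots as found in a local trust store; expiry dates are the public values.
_DST = "CN=DST Root CA X3,O=Digital Signature Trust Co."
_ISRG = "CN=ISRG Root X1,O=Internet Security Research Group,C=US"
DST_ROOT_CA_X3 = Cert(_DST, _DST, utc("2021-09-30 14:01:15"))
ISRG_ROOT_X1 = Cert(_ISRG, _ISRG, utc("2035-06-04 11:04:38"))


def verify_chain(chain: List[Cert], trust_store: List[Cert], now: datetime,
                 stop_at_anchor: bool) -> Tuple[bool, str]:
    """Simplified model of two chain-building strategies (not the real library code).

    stop_at_anchor=False: legacy walk, as in old OpenSSL 1.0.x / old GnuTLS builds: the
    chain is followed exactly as served and the final issuer must be a trusted, unexpired root.
    stop_at_anchor=True: modern walk stops as soon as a served certificate's subject is
    itself a trust anchor, so the expired cross-signing root is never consulted.
    """
    if not chain:
        return False, "empty chain"
    anchors = {c.subject: c for c in trust_store}
    for cert in chain:
        if cert.not_after < now:
            return False, f"expired certificate in served chain: {cert.subject}"
        if stop_at_anchor and cert.subject in anchors:
            if anchors[cert.subject].not_after < now:
                return False, f"trust anchor expired: {cert.subject}"
            return True, f"trusted: reached anchor {cert.subject}"
    last = chain[-1]
    root = anchors.get(last.issuer)
    if root is not None:
        if root.not_after < now:
            return False, f"trust anchor expired: {root.subject}"
        return True, f"trusted: chain ends at anchor {root.subject}"
    if last.subject in anchors:
        # No copy of the issuer in the store, but the last served cert is itself an anchor.
        return True, f"trusted: {last.subject} is a trust anchor"
    return False, f"no trust anchor for issuer {last.issuer}"


def prune_expired_anchors(trust_store: List[Cert], now: datetime) -> List[Cert]:
    """What 'dpkg-reconfigure ca-certificates' and unchecking the expired root achieves."""
    return [c for c in trust_store if c.not_after >= now]


if __name__ == "__main__":
    now = utc("2022-06-15 12:00:00")  # assumed reference time (date of the comment)
    chain = parse_gnutls_chain(GNUTLS_OUTPUT)
    old_store = [DST_ROOT_CA_X3, ISRG_ROOT_X1]
    print("legacy, old store :", verify_chain(chain, old_store, now, stop_at_anchor=False))
    print("modern, old store :", verify_chain(chain, old_store, now, stop_at_anchor=True))
    fixed_store = prune_expired_anchors(old_store, now)
    print("legacy, pruned    :", verify_chain(chain, fixed_store, now, stop_at_anchor=False))
```

The script reproduces the thread's observations: with DST Root CA X3 still in the store, the legacy walk fails on the expired anchor while a modern walk already trusts ISRG Root X1, and after pruning the expired root even the legacy walk ends at ISRG Root X1. On a live system the same check is done by comparing "expires" timestamps in gnutls-cli output against the roots listed in /etc/ca-certificates.conf.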

MarceloGoncalvesBraga commented

I solved it with this:
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf > /dev/null


7 participants