apt-get update failed because certificate verification failed because handshake failed on nodesource
Running sudo apt-get update on my AWS EC2 Ubuntu 18.04.01 LTS instance fails:
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown when trying to access the bionic Release
Here is the result after running sudo apt-get update:
Hit:1 bionic InRelease
Get:2 bionic-updates InRelease [88.7 kB]
Ign:3 bionic InRelease
Get:4 bionic-backports InRelease [74.6 kB]
Err:5 bionic Release Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]
Get:6 bionic-security InRelease [83.2 kB]
Reading package lists... Done
W: No system certificates available. Try installing ca-certificates.
W: No system certificates available. Try installing ca-certificates.
E: The repository ' bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
It seems like my current installation of Node.js is causing the problem.
I have tried installing and updating ca-certificates in etc/ssl/certs, however, this did not help. I'm not exactly sure how to proceed from here to resolve this issue.
I'm not looking for a quick workaround that would compromise the security of the server.
18 Answers
I experienced this error trying to add the keys for mongodb-org 4.0 to a docker container running Ubuntu 18.04. There was a problem with the certificates installed in this base image. I managed to fix it by installing ca-certificates:
sudo apt install ca-certificates

You can add [trusted=yes] in the sources.list. For example:
deb [trusted=yes] vivid main
deb-src [trusted=yes] vivid main

For those still having this issue, here is a solution which I gleaned from the Ubuntu manpages.
The OP's post indicates a certificate verification error:
Err:5 bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]
I was having similar issues on a VM which sits behind a corporate proxy. The proxy acts as a man-in-the-middle, decrypting and re-encrypting traffic as it flows through the proxy. Even though I had the trusted certificate installed on my VM for the proxy, this error was still happening, caused by an invalid OCSP response. To fix it, I ran this command:
touch /etc/apt/apt.conf.d/99verify-peer.conf \
&& echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"
This disables apt's OCSP verification, and is not recommended.
I chose a different solution, which may not be available to others. Our company maintains a non-decrypting proxy for use cases like this, so I switched to using it.

Make sure your date and time are set correctly.

You can replace https:// with http:// from setup script using sed.
curl -sL | sed 's| | sudo -E bash -
This should be used as the last alternative of course.

What caused the problem
I was originally trying to install Node.js on Ubuntu 18.04.01 LTS via PPA and curl via:
curl -sL -o nodesource_setup.sh
However, running this command generated a nodesource.list file in etc/apt/sources.list.d/ with the following contents:
deb xenial main
deb-src xenial main
So when running sudo apt update these sources could not be trusted via SSL handshake, which caused the update to fail.
How I fixed it
- Navigated to /etc/apt/nodesource.list.d
- Removed nodesource.list file from the system with sudo rm nodesource.list
- Purged the system of any current Node.js installation with
  sudo apt-get purge nodejs
  sudo apt-get autoremove
- Installed the Distro-Stable Version of Node.js for Ubuntu with:
  sudo apt update
  sudo apt install nodejs
  sudo apt install npm
I was facing the same error on WSL2 Ubuntu and tried to install ca-certificates with no luck, as it was already installed.
Then I updated /etc/apt/sources.list to use the global servers, updated Apt, and now it works. After upgrading, I saw some updates were made in the /etc/ssl/certs directory; new certificates.
Out of curiosity, I changed sources.list file to use the mirror servers again, and everything works.
This issue can also occur due to corrupt cache. I resolved this by:
sudo apt clean
then
sudo apt update
then
sudo apt upgrade

I met the same problem;
here is the fix (try), step by step.
// based on caffeinated.tech's answer,
// I guess something broke my ca-certificates package.
1. mirror 1
sudo apt-get update
Ign:1 focal InRelease
Ign:2 focal-updates InRelease
Hit:3 stable InRelease
Ign:4 focal-backports InRelease
Ign:5 focal-security InRelease
Ign:6 focal-proposed InRelease
Hit:7 focal InRelease
Err:8 focal Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:9 focal-updates Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:10 focal-backports Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:11 focal-security Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:12 focal-proposed Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Hit:13 focal InRelease
Reading package lists... Done
E: The repository ' focal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' focal-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' focal-backports Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' focal-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' focal-proposed Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
2. mirror 2
sudo apt-get update
Ign:1 focal InRelease
Ign:2 focal-updates InRelease
Ign:3 focal-backports InRelease
Ign:4 focal-security InRelease
Err:5 stable InRelease Something wicked happened resolving 'dl.google.com:http' (-5 - No address associated with hostname)
Err:6 focal Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Hit:7 focal InRelease
Err:8 focal-updates Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Err:9 focal-backports Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Err:10 focal-security Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Hit:11 focal InRelease
Reading package lists... Done
E: The repository ' focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' focal-updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' focal-backports Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' focal-security Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
3. official
sudo apt update
Hit:1 stable InRelease
Hit:2 focal-security InRelease
Hit:3 focal InRelease
Hit:4 focal InRelease
Hit:5 focal-updates InRelease
Hit:6 focal InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
39 packages can be upgraded. Run 'apt list --upgradable' to see them.
4. install ca-certificates
sudo apt install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required: gir1.2-evince-3.0 libllvm11 libmusicbrainz5-2 linux-headers-5.8.0-43-generic linux-hwe-5.8-headers-5.8.0-43 linux-image-5.8.0-43-generic linux-modules-5.8.0-43-generic linux-modules-extra-5.8.0-43-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded: ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 39 not upgraded.
Need to get 145 kB of archives.
After this operation, 1,024 B disk space will be freed.
Get:1 focal-updates/main amd64 ca-certificates all 20210119~20.04.2 [145 kB]
Fetched 145 kB in 2s (87.6 kB/s)
Preconfiguring packages ...
(Reading database ... 363632 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~20.04.2_all.deb ...
Unpacking ca-certificates (20210119~20.04.2) over (20210119~20.04.1) ...
Setting up ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
// here found ca-certificates upgraded,
// which was not found before (maybe something broke the old package)
5. mirror 1, again
sudo apt update
Hit:1 focal InRelease
Hit:2 stable InRelease
Hit:3 focal-updates InRelease
Hit:4 focal-backports InRelease
Hit:5 focal-security InRelease
Hit:6 focal-proposed InRelease
Hit:7 focal InRelease
Hit:8 focal InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
55 packages can be upgraded. Run 'apt list --upgradable' to see them.
This time it worked.
I have encountered a problem that is similar to yours, with the Ubuntu Server installed in a VM, but the underlying cause should be different. I put out the problem description and the solution in case someone who encountered the same problem reaches here.
Brief Summary: The similar problem is caused by the network condition of our office. When the problem occurred, I was using a bridged network for Internet access. After changing the VM network setting to the normal NAT, the problem was mitigated.
Background:
I installed Ubuntu Server LTS 18.04.3 with VMWare Player. After the installation was completed, I used the VM for several days, including upgrading the system with sudo apt update|upgrade and installing new applications with sudo apt install <appname>.
Problem:
After a weekend, I reopened the VM and wanted to install some new software. So I first tried to update the repository information with sudo apt update to see if there was anything upgradable. However, after executing this command, I got the following results:
gary@ubuntu-vm:~$ sudo apt update
Ign:1 bionic InRelease
Ign:2 bionic-updates InRelease
Ign:3 bionic-backports InRelease
Ign:4 bionic-security InRelease
Err:5 bionic Release Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:6 bionic-updates Release Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:7 bionic-backports Release Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:8 bionic-security Release Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Reading package lists... Done
E: The repository ' bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' bionic-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' bionic-backports Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ' bionic-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
which is similar to the asked problem (e.g., Ign:3 and Err:5), but not the same.
Solution: I have searched the related topics on Google, and many said that the problem is caused by incorrect configuration of certificates. However, I should never change any certificate configuration after installation of the system. Besides, avoiding certificate authentication should not be a regular routine.
To make sure that I did not change related configurations, I reinstalled the system. I found that the installation could not be completed, with an error log similar to the one above. After finding this, I guessed that this problem was caused by a network connection problem, as at this point no configuration had been made to the system.
Therefore, I checked the configuration of the VM instance, and found that this VM uses a bridged network rather than NAT. So I changed the network setting to NAT, which is usually the default network setting, then everything returned to normal!
After that, I recalled that when I first installed the VM, I had connected my computer to another computer to share the network (using NAT at the second computer). Later, I had my own network connection and I wanted the VM to have direct access to the physical network, so I changed the VM network setting to a bridged network, which then caused the problem (it's simply a network connection problem, because the physical network requires authentication for network connection, while the VM does not have the credentials).
This error can be caused by not having the certs in /etc/ssl/certs world-readable. I ran into this after restoring my certs from a backup: for me, the /etc/ssl directory itself was set to 750 instead of 755, making its contents unreadable except to root.
Try these commands if you're having trouble and reinstalling ca-certificates doesn't help:
sudo chmod 755 /etc /etc/ssl /etc/ssl/certs
sudo chmod 644 /etc/ssl/certs/ca-certificates.crt

touch /etc/apt/apt.conf.d/99verify-peer.conf \
&& echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"
Will disable Cert verification, and no error will be generated.

Try and update the GNU TLS-related packages.
I had the same problem with Ubuntu 16.04 LTS and the sublimetext APT repository, among others:
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
I had tried all the proposed solutions to no avail.
The funny thing is that if I ran echo "" | gnutls-cli download.sublimetext.com -p 443 from another computer, the certificate was accepted, so I know it had to be a client problem.
Then, almost by chance, I checked the pending updates in Software Updater and there were two GNU TLS packages.
I updated them and magically all the errors disappeared.
I don't remember the package names exactly but here are all the TLS libraries installed on my machine:
ii gnutls-bin 3.4.10-4ubuntu1.9 amd64 GNU TLS library - commandline utilities
ii libcurl3-gnutls:amd64 7.47.0-1ubuntu2.19 amd64 easy-to-use client-side URL transfer library (GnuTLS flavour)
ii libgnutls-dev:amd64 3.4.10-4ubuntu1.9 amd64 GNU TLS library - development files
ii libgnutls-openssl27:amd64 3.4.10-4ubuntu1.9 amd64 GNU TLS library - OpenSSL wrapper
ii libgnutls28-dev:amd64 3.4.10-4ubuntu1.9 amd64 dummy transitional package for GNU TLS library - development files
ii libgnutls30:amd64 3.4.10-4ubuntu1.9 amd64 GNU TLS library - main runtime library
ii libgnutlsxx28:amd64 3.4.10-4ubuntu1.9 amd64 GNU TLS library - C++ runtime library
ii libneon27-gnutls:amd64 0.30.1-3build1 amd64 HTTP and WebDAV client library (GnuTLS enabled)

This answer points apt-get at a custom cert store by using a config file and setting the APT_CONFIG environment variable to point at this new file.
# Write an apt config that names the CA bundle, then export its path for apt
echo 'Acquire::https {
  CaInfo "/cacert.pem";
}' > /apt.conf
export APT_CONFIG=/apt.conf

This happened today to me on an old, poorly maintained Ubuntu 16 release.
The first problem was that the sources in /etc/apt were HTTP and not HTTPS, and they had been blocked. The HTTPS links failed verification, which was expected since I believe they use LetsEncrypt and they changed their certification path last October.
But I could not update ca-certificates because they were believed current -- and I could not make apt understand they weren't current because, you know, the update was not working.
So:
- Temporarily disable certificate verification by adding
  Acquire { https::Verify-Peer false }
  in /etc/apt/apt.conf.d/99verify-peer.conf.
- Run apt update to get the new ca-certificates info
- Run apt install ca-certificates
- Re-enable certificate verification
  Edit the file above and remove the peer-verification bypass. If the file is now empty, you may delete it.
Now everything should mostly work.
I then proceeded to clean the apt cache, and run a full dist-upgrade. This, in turn, unlocked the do-release-upgrade command. It did not work completely on the first time around, I had to run apt-get update again, clean unneeded packages and remove two packages that were conflicted, and update.
After a couple of hours and another release upgrade from 18, I got the system running Ubuntu 20.04-LTS and could reinstall the two missing packages from the previous stage. Everything is okay now.
Err:14 llvm-toolchain-bionic-11 Release
Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification.
Time zone and date in ubuntu was configured manually. Browser was set to sync with ubuntu. This caused the error The revocation or OCSP data are old and have been superseded
Set time and date to auto update. Works fine
To summarize all the responses above, there are 3 possibilities:
1/ ca-certificates are not installed Solution:
apt install -y ca-certificates
But you say they are. So for you, that should not be an answer.
2/ disable https check (https::Verify-Peer) Solution: add this to /etc/apt/conf.d/
Acquire { https::Verify-Peer false }
but that reduces your security.
3/ find the certificate of your server and add it
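
An added example, not part of any answer on this page: a POSIX shell audit that reports the workarounds and misconfigurations discussed above when they are still present on a host, namely Verify-Peer switched off in apt configuration, sources marked [trusted=yes], and a CA store that non-root users cannot read. The function names and finding labels are made up for this example; the argument is the root directory to inspect (/ for the live system).

```shell
#!/bin/sh
# Added example (not from any answer): report leftover apt trust bypasses and
# CA-store permission problems under ROOT. One finding per line: "<kind> <path>".
# apt_trust_audit, other_perms and the finding labels are hypothetical names.

# "others" permission triplet of a path, e.g. "r-x" (symlinks are followed).
other_perms() { ls -ldL "$1" | cut -c8-10; }

apt_trust_audit() {
    root="${1:-/}"; root="${root%/}"

    # 1. TLS verification switched off in apt.conf or apt.conf.d/*.
    #    Heuristic: skips whole-line // comments, not /* ... */ blocks.
    for f in "$root/etc/apt/apt.conf" "$root"/etc/apt/apt.conf.d/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*//' "$f" |
           grep -Eiq 'verify-(peer|host)[[:space:]]+"?(false|no|off|0)(["; }]|$)'; then
            echo "tls-verification-disabled $f"
        fi
    done

    # 2. Sources marked [trusted=yes]: apt treats them as trusted even when
    #    repository authentication fails.
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        if grep -Eiq '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$f"; then
            echo "trusted-yes $f"
        fi
    done

    # 3. The CA store must be readable by non-root users (755 dirs, 644 bundle).
    for d in etc etc/ssl etc/ssl/certs; do
        [ -d "$root/$d" ] || continue
        case "$(other_perms "$root/$d")" in
            r?[xt]) ;;
            *) echo "not-world-readable $root/$d" ;;
        esac
    done
    bundle="$root/etc/ssl/certs/ca-certificates.crt"
    if [ ! -s "$bundle" ]; then
        echo "ca-bundle-missing-or-empty $bundle"
    else
        case "$(other_perms "$bundle")" in
            r??) ;;
            *) echo "not-world-readable $bundle" ;;
        esac
    fi
    return 0
}

# Run against a root directory given on the command line, e.g.: sh audit.sh /
if [ "$#" -gt 0 ]; then apt_trust_audit "$1"; fi
```

Running it after a temporary bypass confirms that the 99verify-peer.conf override was actually removed.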
In my case, I moved to nvm installation steps... as the third party instance was not able to resolve this error, and I did not have sudo rights and other permissions in brief.
referred this URL for nvm steps ...