can't update. Certificate errors

Hi

I suddenly get certificate errors when trying to check for updates.

apt update && apt full-upgrade
Err:1 https://deb.debian.org/debian bullseye InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
Err:2 https://deb.debian.org/debian bullseye-updates InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
Err:3 https://deb.debian.org/debian-security bullseye-security InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
Err:4 https://deb.debian.org/debian bullseye-backports InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
Err:5 https://download.webmin.com/download/repository sarge InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 108.60.199.109 443]
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: Failed to fetch https://deb.debian.org/debian/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
W: Failed to fetch https://deb.debian.org/debian/dists/bullseye-updates/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
W: Failed to fetch https://deb.debian.org/debian-security/dists/bullseye-security/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
W: Failed to fetch https://deb.debian.org/debian/dists/bullseye-backports/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.182.132 443]
W: Failed to fetch https://download.webmin.com/download/repository/dists/sarge/InRelease  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 108.60.199.109 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

How can I update the certs?

Thx in advance

You could have used the search function within this forum to get an answer already, because this is a known issue on the global Debian server side. Please try the following:

sed -i 's/https:/http:/' /etc/apt/sources.list
apt update
apt upgrade
sed -i 's/http:/https:/' /etc/apt/sources.list
apt update

Sorry, looked for something in the last posts only…

Thx! I also had to change the webmin one.

P.S.

After
sed -i 's/http:/https:/' /etc/apt/sources.list
apt update

it fails again. It has to stay with http for now I guess.

Did you complete the upgrade before? Does it fail on the Debian repository only, or on webmin as well after apt upgrade?

I did the last update check last week and it was fine.
Today is the first time I encountered this.
Also webmin was failing.
Err:5 https://download.webmin.com/download/repository sarge InRelease
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 108.60.199.109 443]

If I understood correctly, there is a broken certificate chain somewhere on the Debian repository server side. But that’s out of our control. We simply could switch to HTTPS to get apt update done. Usually after completing apt upgrade it should be fine to switch back to HTTPS. Not 100% sure, but maybe the cache needs to be cleaned as well before switching back:

/boot/dietpi/func/dietpi-set_software apt-cache clean

Tried /boot/dietpi/func/dietpi-set_software apt-cache clean
rebooted but still issue remains. Will stay with http for now…

I guess you did not answer the question. You completed apt update && apt upgrade? Correct? And is it still failing on the Debian repository only, or on the Webmin repository as well after the upgrade completed?

Yes, I did complete after changing all to http.
After changing back to https it’s failing on debian and webmin.

Confusing that this is even an issue on Bullseye :thinking:. Can you show the following:

dpkg -l | grep ssl
ii  libnet-ssleay-perl            1.88-3+b1                      amd64        Perl module for Secure Sockets Layer (SSL)
ii  libssl1.1:amd64               1.1.1k-1+deb11u1               amd64        Secure Sockets Layer toolkit - shared libraries
ii  libxmlsec1-openssl:amd64      1.2.31-1                       amd64        Openssl engine for the XML security library
ii  libzstd1:amd64                1.4.8+dfsg-2.1                 amd64        fast lossless compression algorithm
ii  openssl                       1.1.1k-1+deb11u1               amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  perl-openssl-defaults:amd64   5                              amd64        version compatibility baseline for Perl OpenSSL packages

Could you try switching back to HTTPS pls. We got feedback from Debian System Administrators and issue should have been fixed. At least for their repository.

Tried again.

Debian seems fixed now. Webmin still gives error.

I guess something Webmin guys would need to fix, same way as Debian guys did

btw issue has been reported to webmin https://github.com/webmin/webmin/issues/1533

I’ve read the whole thread.

The issue here was the ssl inspection of our Fortigate (at newest firmware and fully updated).
It cancelled the connections due to the certificate issues.
We had to disable ssl inspection for the time being.
It is not only old Ubuntu etc installations but up to date firewalls.

As I don’t have a login to post there you might inform them.

Thx!

I also got the certificate failure message. I am behind a Fortigate managed firewall.

Your installer produced the following message:

Can I copy the key from another of my servers that are running Webmin?
Where would I put it?

dietpi@DietPi:~$ sudo dietpi-software
[ OK ] DietPi-Software | Initialised database
[ OK ] DietPi-Software | Reading database
[ OK ] DietPi-Software | Free space check: path=/ | available=113728 MiB | required=500 MiB
[ OK ] DietPi-Software | DietPi-Userdata validation: /mnt/dietpi_userdata
[ OK ] DietPi-Software | Checking network connectivity
[ OK ] DietPi-Software | Checking DNS resolver
[ OK ] Network time sync | Completed
[ SUB1 ] DietPi-Services > unmask
[ OK ] DietPi-Services | unmask : mariadb
[ OK ] DietPi-Services | unmask : apache2
[ OK ] DietPi-Services | unmask : cron
[ SUB1 ] DietPi-Services > stop
[ OK ] DietPi-Services | stop : cron
[ OK ] DietPi-Services | stop : apache2
[ OK ] DietPi-Services | stop : mariadb
[ OK ] DietPi-Software | mkdir -p /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads /var/www /opt /usr/local/bin
[ OK ] DietPi-Software | chown dietpi:dietpi /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads
[ OK ] DietPi-Software | chmod 0775 /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads
[ INFO ] DietPi-Software | APT update, please wait…
Hit:1 https://deb.debian.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian bullseye-updates InRelease
Hit:3 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:4 https://archive.raspberrypi.org/debian bullseye InRelease
Hit:5 https://deb.debian.org/debian bullseye-backports InRelease
Reading package lists…
[ OK ] DietPi-Software | APT update

DietPi-Software
─────────────────────────────────────────────────────
Step: Checking for prerequisite software


DietPi-Software
─────────────────────────────────────────────────────
Step: Installing Webmin: web interface system management

[FAILED] DietPi-Software | Checking URL: https://webmin.com/jcameron-key.asc



Details:

  • Date | Mon Nov 8 17:38:10 EST 2021
  • Bug report | 9e085c75-1cd2-4dc0-8516-d8b60ca49d52
  • DietPi version | v7.7.3 (MichaIng/master)
  • Image creator | DietPi Core Team
  • Pre-image | From scratch
  • Hardware | RPi 4 Model B (aarch64) (ID=4)
  • Kernel version | Linux DietPi 5.10.63-v8+ #1459 SMP PREEMPT Wed Oct 6 16:42:49 BST 2021 aarch64 GNU/Linux
  • Distro | bullseye (ID=6,RASPBIAN=0)
  • Command | curl -ILfvm 10 https://webmin.com/jcameron-key.asc
  • Exit code | 60
  • Software title | DietPi-Software

Steps to reproduce:

  1. I am running behind a Fortigate firewall router.
  2. I selected only WebMin to install

Expected behaviour:

Actual behaviour:

  • … See the message below

Extra details:

Additional logs:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 216.105.38.11:443...
* Connected to webmin.com (216.105.38.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3061 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: self signed certificate in certificate chain
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[FAILED] DietPi-Software | Unable to continue, DietPi-Software will now terminate.

dietpi@DietPi:~$

Personally I don’t have any issues to open the key. Could you have a look at your Firewall if it is doing anything with that key? Maybe some package inspection?
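
One way to check what the last reply asks about (whether a firewall is re-signing the TLS chain), as an added example that is not part of the thread: the function summarises the chain printed by `openssl s_client -showcerts` and flags a self-signed entry, the condition curl reported with exit code 60. The sample output and the names in it (`repo.example.test`, `Example Inspection CA`) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Live use, with the host from the
# thread's curl command:
#   openssl s_client -connect webmin.com:443 -servername webmin.com \
#       -showcerts </dev/null 2>/dev/null | chain_summary

chain_summary() {
    awk '
        # Chain entries look like " 0 s:<subject>" followed by "   i:<issuer>".
        /^ *[0-9]+ s:/ {
            depth = $1
            sub(/^ *[0-9]+ s:/, "")
            subj = $0
            next
        }
        /^ *i:/ && depth != "" {
            sub(/^ *i:/, "")
            # subject == issuer means this entry is self-signed
            tag = (subj == $0) ? "SELF-SIGNED" : "issued-by"
            printf "depth=%s %s | subject=%s | issuer=%s\n", depth, tag, subj, $0
            depth = ""
            next
        }
        # s_client can print the verify result more than once; keep the first
        /Verify return code:/ && !seen++ { sub(/^ */, ""); print }
    '
}

# Constructed sample of s_client output as seen behind an inspecting proxy.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = repo.example.test
   i:O = Example Corp, CN = Example Inspection CA
 1 s:O = Example Corp, CN = Example Inspection CA
   i:O = Example Corp, CN = Example Inspection CA
---
    Verify return code: 19 (self signed certificate in certificate chain)'

printf '%s\n' "$SAMPLE" | chain_summary
```

A self-signed entry whose subject is your firewall's inspection CA, rather than a public root, means the chain is being re-signed on your own network and the repository's real certificate never reached the client.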