Apt repository expired certificate

jtbr · October 1, 2021, 2:59pm

I’m a longtime user and and fan of syncthing. I recently followed the instructions at https://apt.syncthing.net to add the syncthing ubuntu repository and install syncthing on a new computer. At the time, it succeeded. Now when updating repositories, I get this:

# apt-get update
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]
 ...
Err:9 https://apt.syncthing.net syncthing Release                                                               
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]
Get:10 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74,6 kB]                                    
Reading package lists... Done                                  
E: The repository 'https://apt.syncthing.net syncthing Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

The issue remains even if I re-download the release-key.gpg, or if I remove the [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] part of the apt source line. I am using the stable channel.

I also notice that on another computer, the same apt line (without the signed-by part) seems to work (?!) so I’m not sure what gives.

calmh · October 1, 2021, 3:07pm

The letsencrypt intermediary certificates expired and you need to update your local ca certificate store and/or OpenSSL.

jtbr · October 1, 2021, 3:36pm

That was it. Thanks!

PieterLamers · October 3, 2021, 5:14am

I am having a similar problem:

Err:1 https://apt.syncthing.net syncthing/stable amd64 syncthing amd64 1.18.2
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]
W: https://apt.syncthing.net/dists/syncthing/stable/binary-amd64/syncthing_1.18.2_amd64.deb: No system certificates available. Try installing ca-certificates.
E: Failed to fetch https://apt.syncthing.net/dists/syncthing/stable/binary-amd64/syncthing_1.18.2_amd64.deb  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]

but do not know the specific commands to follow up on this. Is it possible to share the exact solution for this? I’ve checked our OpenSSL version to be 1.1.1f, so that should be ok shouldn’t it?

calmh · October 3, 2021, 7:17am

apt install ca-certificates

PieterLamers · October 10, 2021, 8:48am

Thanks, that helped.

chadianscot · October 11, 2021, 9:43am

I’m running Debian 9.13 and have this same issue. ca-certificates is installed and fully up to date. I re-downloaded the gpg key, still got the same issue as jtbr. Any suggestions of what I should try?

Nummer378 · October 11, 2021, 12:28pm

From my tests it looks like Debian has shipped GnuTLS patches to stretch. Check that the system is really up to date, especially the libgnutls30 package?

chadianscot · October 12, 2021, 8:12pm

I didn’t have libgnutls30 installed. Now it’s working! Thanks for the help.

system · November 11, 2021, 8:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.