Apt repository expired certificate

I’m a longtime user and fan of syncthing. I recently followed the instructions at https://apt.syncthing.net to add the syncthing Ubuntu repository and install syncthing on a new computer. At the time, it succeeded. Now when updating repositories, I get this:

# apt-get update
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [88,7 kB]
 ...
Err:9 https://apt.syncthing.net syncthing Release                                                               
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]
Get:10 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74,6 kB]                                    
Reading package lists... Done                                  
E: The repository 'https://apt.syncthing.net syncthing Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

The issue remains even if I re-download the release-key.gpg, or if I remove the [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] part of the apt source line. I am using the stable channel.

I also notice that on another computer, the same apt line (without the signed-by part) seems to work (?!) so I’m not sure what gives.

The Let’s Encrypt intermediary certificates expired and you need to update your local CA certificate store and/or OpenSSL.

1 Like

That was it. Thanks!

2 Likes

I am having a similar problem:

Err:1 https://apt.syncthing.net syncthing/stable amd64 syncthing amd64 1.18.2
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]
W: https://apt.syncthing.net/dists/syncthing/stable/binary-amd64/syncthing_1.18.2_amd64.deb: No system certificates available. Try installing ca-certificates.
E: Failed to fetch https://apt.syncthing.net/dists/syncthing/stable/binary-amd64/syncthing_1.18.2_amd64.deb  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]

but do not know the specific commands to follow up on this. Is it possible to share the exact solution for this? I’ve checked our OpenSSL version to be 1.1.1f, so that should be ok shouldn’t it?

apt install ca-certificates

2 Likes

Thanks, that helped.

I’m running Debian 9.13 and have this same issue. ca-certificates is installed and fully up to date. I re-downloaded the gpg key, still got the same issue as jtbr. Any suggestions of what I should try?

From my tests it looks like Debian has shipped GnuTLS patches to stretch. Check that the system is really up to date, especially the libgnutls30 package?

I didn’t have libgnutls30 installed. Now it’s working! Thanks for the help.

1 Like
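
The three failure messages quoted in this thread, matched to the fixes given in the replies, as an added example that is not part of any post. The function name, the cause labels and the tab-separated output format are assumptions made for this example; the sample lines are copied from the posts above.

```sh
#!/bin/sh
# Added example, not from the thread: triage apt TLS errors in saved output.
# Prints "host<TAB>cause<TAB>command" per failing HTTPS source. Cause labels
# are invented here; the packages are the ones named in the replies.
triage_apt_tls() {
    awk '
    # Keep the highest-ranked (most specific) cause seen for each host.
    function note(h, rank, cause, fix) {
        if (h != "" && rank > best[h]) { best[h] = rank; why[h] = cause; cmd[h] = fix }
    }
    {   # Remember which HTTPS source the following lines refer to.
        if (match($0, "https://[^/ ]+")) {
            host = substr($0, RSTART + 8, RLENGTH - 8)
            if (!(host in best)) { best[host] = 0; order[++n] = host }
        }
    }
    /certificate issuer is unknown/ { note(host, 1, "unknown-issuer", "apt-get install ca-certificates") }
    /chain uses expired certificate/ { note(host, 2, "expired-chain", "apt-get install ca-certificates libgnutls30 openssl") }
    /No system certificates available/ { note(host, 3, "no-ca-store", "apt-get install ca-certificates") }
    END {
        for (i = 1; i <= n; i++)
            if (best[order[i]] > 0) printf "%s\t%s\t%s\n", order[i], why[order[i]], cmd[order[i]]
    }'
}

# Sample inputs: apt output lines quoted in the posts above.
sample_expired() { cat <<'EOF'
Err:9 https://apt.syncthing.net syncthing Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]
Get:10 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74,6 kB]
EOF
}
sample_no_ca() { cat <<'EOF'
Err:1 https://apt.syncthing.net syncthing/stable amd64 syncthing amd64 1.18.2
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 82.196.13.137 443]
W: https://apt.syncthing.net/dists/syncthing/stable/binary-amd64/syncthing_1.18.2_amd64.deb: No system certificates available. Try installing ca-certificates.
EOF
}

# With a readable file argument, triage that saved apt output;
# otherwise run on the two samples.
if [ -r "${1:-}" ]; then
    triage_apt_tls < "$1"
else
    sample_expired | triage_apt_tls
    sample_no_ca | triage_apt_tls
fi
```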