Running sudo apt-get update on my AWS EC2 Ubuntu 18.04.01 LTS instance fails:
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown
when trying to access the deb.nodesource.com/node_10.x bionic Release.
Here is the result after running sudo apt-get update:
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Ign:3 https://deb.nodesource.com/node_10.x bionic InRelease
Get:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Err:5 https://deb.nodesource.com/node_10.x bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]
Get:6 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Reading package lists... Done
W: https://deb.nodesource.com/node_10.x/dists/bionic/InRelease: No system certificates available. Try installing ca-certificates.
W: https://deb.nodesource.com/node_10.x/dists/bionic/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://deb.nodesource.com/node_10.x bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
It seems like my current installation of Node.js is causing the problem.
I have tried installing and updating ca-certificates in etc/ssl/certs, however, this did not help. I'm not exactly sure how to proceed from here to resolve this issue.
I'm not looking for a quick workaround that would compromise the security of the server.
I experienced this error trying to add the keys for mongodb-org 4.0 to a docker container running Ubuntu 18.04. There was a problem with the certificates installed in this base image. I managed to fix it by installing ca-certificates:

You can add [trusted=yes] in the sources.list. For example:

For those still having this issue, here is a solution which I gleaned from the Ubuntu manpages.
The OP's post indicates a certificate verification error:
I was having similar issues on a VM which sits behind a corporate proxy. The proxy acts as a man-in-the-middle, decrypting and re-encrypting traffic as it flows through the proxy. Even though I had the trusted certificate installed on my VM for the proxy, this error was still happening, caused by an invalid OCSP response. To fix it, I ran this command:
This disables apt's OCSP verification, and is not recommended.
I chose a different solution, which may not be available to others. Our company maintains a non-decrypting proxy for use cases like this, so I switched to using it.
Make sure your date and time are set correctly.
You can replace https:// with http:// from setup script using sed. This should be used as the last alternative of course.
What caused the problem
I was originally trying to install Node.js on Ubuntu 18.04.01 LTS via PPA and curl via:
However, running this command generated a nodesource.list file in etc/apt/sources.list.d/ with the following contents:
So when running sudo apt update these sources could not be trusted via SSL handshake, which caused the update to fail.
How I fixed it
/etc/apt/nodesource.list.d
Removed nodesource.list file from the system with sudo rm nodesource.list
Purged the system of any current Node.js installation with
sudo apt-get purge nodejs
sudo apt-get autoremove
Installed the Distro-Stable Version of Node.js for Ubuntu with:
sudo apt update
sudo apt install nodejs
sudo apt install npm
I was facing the same error on WSL2 Ubuntu and tried to install ca-certificates with no luck, as it was already installed.
Then I updated /etc/apt/sources.list to use the global servers, updated Apt, and now it works. After upgrading, I saw some updates were made in the /etc/ssl/certs directory; new certificates.
Out of curiosity, I changed sources.list file to use the mirror servers again, and everything works.

This issue can also occur due to corrupt cache. I resolved this by:
then
then
I met the same problem; here is the fix (try), step by step.
// based on caffeinated.tech's answer,
// I guess something broke my ca-certificates package.
1. mirror 1
2. mirror 2
3. official
4. install ca-certificates
// here I found ca-certificates upgraded,
// which was not found before (maybe something broke the old package)
5. mirror 1, again
this time it worked.
This happened today to me on an old, poorly maintained Ubuntu 16 release.
The first problem was that the sources in /etc/apt were HTTP and not HTTPS, and they had been blocked. The HTTPS links failed verification, which was expected since I believe they use LetsEncrypt and they changed their certification path last October.
But I could not update ca-certificates because they were believed current -- and I could not make apt understand they weren't current because, you know, the update was not working.
So:
Temporarily disable certificate verification by adding
in /etc/apt/apt.conf.d/99verify-peer.conf.
Run apt update to get the new ca-certificates info
Run apt install ca-certificates
Re-enable certificate verification
Edit the file above and remove the peer-verification bypass. If the file is now empty, you may delete it.
Now everything should mostly work.
I then proceeded to clean the apt cache, and run a full dist-upgrade. This, in turn, unlocked the do-release-upgrade command. It did not work completely on the first time around, I had to run apt-get update again, clean unneeded packages and remove two packages that were conflicted, and update.
After a couple of hours and another release upgrade from 18, I got the system running Ubuntu 20.04-LTS and could reinstall the two missing packages from the previous stage. Everything is okay now.
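
An added example (not from any of the answers above): a read-only check for the two workarounds in this thread that should not outlive the repair, the [trusted=yes] source option and a peer-verification bypass left in apt.conf.d. The function names and sample files are hypothetical; Verify-Peer and Verify-Host are the standard apt HTTPS options this example assumes, since the answer's own snippet is not on the page.

```shell
#!/bin/sh
# Added example: report leftover apt verification bypasses under an apt config root.
# Prints "KIND<TAB>FILE<TAB>LINE" per finding and returns 1 if anything was found.

_scan() {  # _scan KIND REGEX FILE...
    kind="$1"; re="$2"; shift 2
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Drop comment lines first so a commented-out bypass is not reported.
        hits=$(grep -Ev '^[[:space:]]*(#|//)' "$f" | grep -Ei "$re") || continue
        found=1
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf '%s\t%s\t%s\n' "$kind" "$f" "$line"
        done
    done
}

audit_apt_tls() {  # audit_apt_tls [ROOT], ROOT defaults to /etc/apt
    root="${1:-/etc/apt}"
    found=0
    # apt.conf / apt.conf.d: HTTPS certificate or host-name checks switched off.
    _scan TLS_VERIFY_OFF 'Verify-(Peer|Host)[[:space:]]+"?(false|no|off|0)' \
        "$root/apt.conf" "$root"/apt.conf.d/*
    # One-line .list entries marked [trusted=yes]: the source is treated as
    # trusted even when its authentication checks fail.
    _scan TRUSTED_YES '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' \
        "$root/sources.list" "$root"/sources.list.d/*.list
    return "$found"
}

make_sample_tree() {  # constructed sample files, not taken from any real host
    mkdir -p "$1/apt.conf.d" "$1/sources.list.d"
    printf '%s\n' 'Acquire::https::Verify-Peer "false";' \
        > "$1/apt.conf.d/99verify-peer.conf"
    printf '%s\n' '// Acquire::https::Verify-Host "false";' \
        > "$1/apt.conf.d/50commented.conf"
    printf '%s\n' 'deb [trusted=yes] https://repo.example.invalid/apt bionic main' \
        > "$1/sources.list.d/example.list"
    printf '%s\n' 'deb http://archive.ubuntu.com/ubuntu bionic main' \
        > "$1/sources.list"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
audit_apt_tls "$demo" || echo "bypasses found: remove them once ca-certificates is fixed"
rm -rf "$demo"
```

Calling audit_apt_tls with no argument scans /etc/apt; it only reads files and handles one-line .list entries, not deb822 .sources files.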