Ad Widget

Collapse

Server certificate verification failed when installing from Zabbix's repository

Collapse
This topic has been answered.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • lpossamai
    Senior Member
    • Jun 2018
    • 119
    #1

    Server certificate verification failed when installing from Zabbix's repository

    Hi,

    When installing downloading the Zabbix's Ubuntu repository with the below command, I get an error:
    Code:
    wget https://repo.zabbix.com/zabbix/5.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.4-1+ubuntu16.04_all.deb

--2021-10-04 07:27:15-- https://repo.zabbix.com/zabbix/5.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.4-1+ubuntu16.04_all.deb
Resolving repo.zabbix.com (repo.zabbix.com)... 178.128.6.101, 2604:a880:2:d0::2062:d001
Connecting to repo.zabbix.com (repo.zabbix.com)|178.128.6.101|:443... connected.
ERROR: cannot verify repo.zabbix.com's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
Issued certificate has expired.
To connect to repo.zabbix.com insecurely, use `--no-check-certificate'.
    Maybe it is related to this issue?

    Using the "--no-check-certificate" option allows me to download. After installing the new repository, when performing an "apt update", I get the error:

    Code:
    Hit:1 http://ap-southeast-2.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://ap-southeast-2.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://ap-southeast-2.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease
Ign:4 http://apt.newrelic.com/debian newrelic InRelease
Hit:5 http://apt.newrelic.com/debian newrelic Release
Hit:6 https://download.newrelic.com/infrastructure_agent/linux/apt xenial InRelease
Hit:8 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:9 http://apt.postgresql.org/pub/repos/apt xenial-pgdg InRelease
Ign:10 https://repo.zabbix.com/zabbix/5.4/ubuntu xenial InRelease
Err:11 https://repo.zabbix.com/zabbix/5.4/ubuntu xenial Release
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
E: The repository 'https://repo.zabbix.com/zabbix/5.4/ubuntu xenial Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
    Am I missing something? Thanks!
    Tags: install, installation, repository, zabbix
    • Answer selected by lpossamai at 14-12-2021, 06:34.
      lpossamai
      Senior Member
      • Jun 2018
      • 119
      Yeah, looks like indeed was something on my end.

      Steps I did for further reference:
      1. rm -rf /etc/apt/sources.d/zabbix
      2. apt clean
      3. apt update -y
      4. apt upgrade -y
      5. apt autoremove -y
      6. wget https://repo.zabbix.com/zabbix/5.4/u...u16.04_all.deb
      7. dpkg -i zabbix-release_5.4-1+ubuntu16.04_all.deb
      8. apt install zabbix_agent -y

      Cheers!
        • Selected Answer

        Comment

        • lpossamai
          Senior Member
          • Jun 2018
          • 119
          #2
          Yeah, looks like indeed was something on my end.

          Steps I did for further reference:
          1. rm -rf /etc/apt/sources.d/zabbix
          2. apt clean
          3. apt update -y
          4. apt upgrade -y
          5. apt autoremove -y
          6. wget https://repo.zabbix.com/zabbix/5.4/u...u16.04_all.deb
          7. dpkg -i zabbix-release_5.4-1+ubuntu16.04_all.deb
          8. apt install zabbix_agent -y

          Cheers!
            • Selected Answer

            Comment

            • tim.mooney
              Senior Member
              • Dec 2012
              • 1427
              #3
              Originally posted by cyber
              Something on your side... repo.zabbix.com cert is issued on 24.08.21 and will expire on 22.11.21
              That is not what I see:

              Code:
               $ wget https://repo.zabbix.com/zabbix/5.0.rhel/7/SRPMS/zabbix-5.0.16-1.el7.src.r>
--2021-10-06 18:58:49-- https://repo.zabbix.com/zabbix/5.0.rhel/7/SRPMS/zabbix-5.0.16-1.el7.src.rpm
Resolving repo.zabbix.com (repo.zabbix.com)... 2604:a880:2:d0::2062:d001, 178.128.6.101
Connecting to repo.zabbix.com (repo.zabbix.com)|2604:a880:2:d0::2062:d001|:443.. . connected.
ERROR: cannot verify repo.zabbix.com's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to repo.zabbix.com insecurely, use `--no-check-certificate'.

$openssl s_client -connect repo.zabbix.com:443 -showcerts
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
              Note the "notAfter".

              If they're doing load-balancing or have multiple CDNs involved, at least one of them has an expired cert. Note that because my environment has IPv6 enabled, my client is connecting to the IPv6 address they're advertising.

                Comment

                • tim.mooney
                  #3.1
                  tim.mooney commented
                  07-10-2021, 14:23
                  Editing a comment
                  You're correct, it's not the repo cert that was expired, it was part of the verification chain.
                • Atsushi
                  Senior Member
                  • Aug 2013
                  • 2028
                  #4
                  It seems that an error may occur if the version of OpenSSL is old. It may be improved by updating the OS you are using and updating the stored certificate.
                  404 Page not found | OpenSSL Library
                  https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

                    Comment

                    • tim.mooney
                      Senior Member
                      • Dec 2012
                      • 1427
                      #5
                      Thanks Atsushi. I found similar information from Let's Encrypt: Let's Encrypt new Root certificate


                      I was running 'wget' on a RHEL 7 system, and it's linked against OpenSSL 1.0.2k, so it is preferring the expired cert.


                        Comment

                        • Atsushi
                          Senior Member
                          • Aug 2013
                          • 2028
                          #6
                          If you are using RHEL 7 or CentOS 7, try updating the ca-certificates package.
                          Code:
                          # yum update ca-certificates

                            Comment

                            Previous template Next
                            Working...