Why am I getting "ERROR: The certificate of ‘repo.zabbix.com’ is not trusted."

  • Barra
    Junior Member
    • Jan 2023
    • 2

    #1

    Why am I getting "ERROR: The certificate of ‘repo.zabbix.com’ is not trusted."

    Hi,

    I am trying to install Zabbix on my Raspberry Pi 4 following this tutorial. Have installed NGINX and MySQL and am trying to download the repositories using
    Code:
    wget https://repo.zabbix.com/zabbix/6.2/raspbian/pool/main/z/zabbix-release/zabbix-release_6.2-2%2Bdebian11_all.deb
    .

    This is the output
    --2023-01-19 14:39:56-- https://repo.zabbix.com/zabbix/6.2/r...bian11_all.deb
    Resolving repo.zabbix.com (repo.zabbix.com)... 178.128.6.101, 2604:a880:2:d0::2062:d001
    Connecting to repo.zabbix.com (repo.zabbix.com)|178.128.6.101|:443... connected.
    ERROR: The certificate of ‘repo.zabbix.com’ is not trusted.
    ERROR: The certificate of ‘repo.zabbix.com’ doesn't have a known issuer.

    If I enter the URL into Chromium on the Pi I get an invalid certificate, yet using the same URL in Windows the certificate is valid. Why is this?

    I read that using
    Code:
    --no-check-certificate
    will bypass the check, so continuing
    Code:
    sudo dpkg -i zabbix-release_6.2-2+debian11_all.deb
    is fine,
    Code:
    sudo apt update
    , returns
    Hit:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
    Hit:2 http://archive.raspberrypi.org/debian bullseye InRelease
    Err:3 https://repo.zabbix.com/zabbix-agent...ins/1/raspbian bullseye InRelease
    Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 178.128.6.101 443]
    Err:4 https://repo.zabbix.com/zabbix/6.2/raspbian bullseye InRelease
    Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 178.128.6.101 443]
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    All packages are up to date.
    W: Failed to fetch https://repo.zabbix.com/zabbix-agent...seye/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 178.128.6.101 443]
    W: Failed to fetch https://repo.zabbix.com/zabbix/6.2/r...seye/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 178.128.6.101 443]
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    and
    Code:
    sudo apt install zabbix-server-mysql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent
    is
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    E: Unable to locate package zabbix-nginx-conf
    E: Unable to locate package zabbix-sql-scripts
    .

    What am I doing wrong?
    Thanks

  • Answer selected by Barra at 24-01-2023, 11:55.

    • Markku
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
      • Sep 2018
      • 1781

      #2
      Most probably you (Pi) are behind a proxy, or there is a firewall that does TLS decrypt for deep inspection and the custom certificate is not installed on the Pi.

      Check with your network/security admins, and if needed, install the corresponding root/intermediate certificate on the Pi.

      Can you show the output of this command:

      echo | openssl s_client -servername repo.zabbix.com -connect repo.zabbix.com:443

      Markku


      • misteric
        Junior Member
        • Feb 2023
        • 11

        #3
        I have the same problem.
        Debian 10

        How did you manage to solve it?


        Code:
        # openssl s_client -servername repo.zabbix.com -connect repo.zabbix.com:443
        CONNECTED(00000003)
        depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
        verify return:1
        depth=1 C = US, O = Let's Encrypt, CN = R3
        verify return:1
        depth=0 CN = repo.zabbix.com
        verify return:1
        ---
        Certificate chain
         0 s:CN = repo.zabbix.com
           i:C = US, O = Let's Encrypt, CN = R3
         1 s:C = US, O = Let's Encrypt, CN = R3
           i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
         2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
           i:O = Digital Signature Trust Co., CN = DST Root CA X3
        ---
        Server certificate
        subject=CN = repo.zabbix.com
        
        issuer=C = US, O = Let's Encrypt, CN = R3
        
        ---
        No client certificate CA names sent
        Peer signing digest: SHA256
        Peer signature type: RSA-PSS
        Server Temp Key: X25519, 253 bits
        ---
        SSL handshake has read 4488 bytes and written 400 bytes
        Verification: OK
        ---
        New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
        Server public key is 2048 bit
        Secure Renegotiation IS supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        SSL-Session:
            Protocol  : TLSv1.2
            Cipher    : ECDHE-RSA-AES256-GCM-SHA384
            Session-ID: 72886B124D0C575CCE0BDA048251A475663C592DDA450317740C7E11DCA15807
            Session-ID-ctx:
            Master-Key: C13A0F71D3E76983DCAC79B73D67EF7DCA58766AF142F2D734C0D13DA2B58A983B3FD9E93CD7635EE7D35EC0C6788AEB
            PSK identity: None
            PSK identity hint: None
            SRP username: None
            Start Time: 1683022179
            Timeout   : 7200 (sec)
            Verify return code: 0 (ok)
            Extended master secret: yes
        ---

        wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian10_all.deb
        --2023-05-02 13:14:30--  https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian10_all.deb
        Resolving repo.zabbix.com (repo.zabbix.com)... 2604:a880:2:d0::2062:d001, 178.128.6.101
        Connecting to repo.zabbix.com (repo.zabbix.com)|2604:a880:2:d0::2062:d001|:443... connected.
        ERROR: The certificate of ‘repo.zabbix.com’ is not trusted.
        ERROR: The certificate of ‘repo.zabbix.com’ has expired.

        • Barra
          Junior Member
          • Jan 2023
          • 2

          #4
          We have a really weird network and SonicWall firewall which attaches its own certificate. Had to get our MSP to add the Pi to a group that bypasses this rule on the firewall.
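
The check discussed in this thread, as an added example that is not part of any participant's post: it reads `openssl s_client` output and reports whether the leaf certificate was issued by the CA you expect or by something else, such as a TLS-inspecting firewall. The function names and the "Example Inspection CA" sample are assumptions made for illustration; the public chain is taken from post #3.

```shell
#!/bin/sh
# Added example: classify the issuer of the leaf certificate found in
# `openssl s_client` output (read from stdin).

# Print "depth<TAB>subject<TAB>issuer" per entry of the "Certificate chain" block.
chain_entries() {
    awk '
        /^ *Certificate chain/     { in_chain = 1; next }
        in_chain && /^ *---/       { exit }
        in_chain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subject = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); printf "%s\t%s\t%s\n", depth, subject, $0 }
    '
}

# $1 = CA name expected in the leaf issuer (assumption: chosen by the operator).
leaf_issuer_status() {
    expected="$1"
    issuer=$(chain_entries | awk -F '\t' '$1 == 0 { print $3; exit }')
    if [ -z "$issuer" ]; then
        echo "no-chain"
    elif printf '%s\n' "$issuer" | grep -qF -- "$expected"; then
        echo "expected: $issuer"
    else
        echo "unexpected: $issuer"   # re-signed by a proxy or firewall?
    fi
}

# Chain entries 0 and 1 as posted in #3 of this thread.
sample_public() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = repo.zabbix.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

# Constructed sample: a leaf re-signed by a hypothetical inspection device.
sample_intercepted() {
    printf '%s\n' '---' 'Certificate chain' ' 0 s:CN = repo.zabbix.com' \
        '   i:CN = Example Inspection CA (constructed)' '---'
}

sample_public | leaf_issuer_status "Let's Encrypt"
sample_intercepted | leaf_issuer_status "Let's Encrypt"
```

Against a live host, pipe the command from post #2 into the function: `echo | openssl s_client -servername repo.zabbix.com -connect repo.zabbix.com:443 2>/dev/null | leaf_issuer_status "Let's Encrypt"`.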
