How to solve apt error server certificate verification failed


Published on June 4th 2021 - Listed in Linux TLS


The apt package manager, used in Debian, Ubuntu and other Debian-derived Linux distributions, allows custom repositories to be added using either http or https URLs.

The "official" repositories are by default configured with an unencrypted http connection. Here is a basic /etc/apt/sources.list of a Debian 10 (Buster) machine:

$ cat /etc/apt/sources.list
deb [arch=amd64] http://httpredir.debian.org/debian buster main contrib non-free
deb [arch=amd64] http://security.debian.org/ buster/updates main contrib non-free

With the installation of the apt-transport-https package, repositories using encrypted https URLs can be used. But there's a catch: the TLS certificate on the repository server might expire, or its certificate chain might change. If the root CA of the chain is not in the list of local certificates (in /etc/ssl/certs, managed by the ca-certificates package), certificate validation fails and apt is not able to download the new package/updates list.

server certificate verification failed

Here's a real-life example with the custom repositories from InfluxDB (repos.influxdata.com). On a now end-of-life Ubuntu 16.04 (Xenial) machine, apt tried to update the repository lists but failed as soon as the InfluxDB repos were hit:

root@xenial:~# apt-get update
Ign:1 https://repos.influxdata.com/ubuntu xenial InRelease
Ign:2 https://repos.influxdata.com/ubuntu xenial Release
Hit:3 http://security.ubuntu.com/ubuntu xenial-security InRelease           
Ign:4 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages.diff/Index
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages            
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Hit:9 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:10 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Err:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Reading package lists... Done
W: The repository 'https://repos.influxdata.com/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://repos.influxdata.com/ubuntu/dists/xenial/stable/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.

At the end, apt returns an error indicating that the server certificate could not be verified. There could be several reasons for this, for example (non-exhaustive list):

  • the server certificate (or a certificate from the certificate chain) has expired
  • the server certificate is self-signed
  • the local ca-certificates package does not contain the root CA needed to validate the chain
  • the local ca-certificates package is out of date
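
To find out which of these causes applies before touching the apt configuration, the chain can be checked with openssl against the same CA bundle that apt names in its error message. The following is an added example, not part of the original post; the function names classify_verify_code and diagnose_repo are hypothetical, and openssl is used as an independent check of the chain.

```shell
#!/bin/sh
# Added example: map a TLS verification failure to one of the causes listed above.
# CAFILE is the bundle apt names in its error message.
CAFILE=/etc/ssl/certs/ca-certificates.crt

# Read `openssl s_client` output on stdin and classify its
# "Verify return code: N (...)" line. Only the first such line is used,
# because TLS 1.3 sessions can print it more than once.
classify_verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    case "$code" in
        0)     echo "ok: chain validates against the CA bundle" ;;
        10)    echo "expired: a certificate in the chain has expired" ;;
        18)    echo "self-signed: the server certificate is self-signed" ;;
        19|20) echo "unknown-root: root CA not in the local bundle (ca-certificates missing it or out of date)" ;;
        21)    echo "incomplete-chain: no issuer found for the server certificate (typically a missing intermediate)" ;;
        "")    echo "no-result: no verification result (connection or DNS problem)" ;;
        *)     echo "other: verify code $code, see openssl-verify(1)" ;;
    esac
}

# Connect to a repository host and classify the result (needs network access).
diagnose_repo() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$CAFILE" </dev/null 2>/dev/null | classify_verify_code
}

# Usage: sh diagnose.sh repos.influxdata.com
if [ $# -gt 0 ]; then
    diagnose_repo "$1"
fi
```

A result of "expired" or "incomplete-chain" points at the repository server, while "unknown-root" points at the local ca-certificates package.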

Telling apt to skip certificate verification

apt can be configured to skip the certificate verification on a given URL:

root@xenial:~# echo 'Acquire::https::repos.influxdata.com::Verify-Peer "false";' > /etc/apt/apt.conf.d/99influxdata-cert

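Note that this should be your last option, and only after a manual check that the repository seems to be in order (e.g. using SSL Labs). With Verify-Peer set to "false", apt no longer authenticates the server certificate for this host, so the only remaining protection for the downloaded data is apt's check of the repository's GPG signature (see apt-secure(8)).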

After another apt update, the certificate error is now gone:

root@xenial:~# apt-get update
Get:1 https://repos.influxdata.com/ubuntu xenial InRelease [4,737 B]
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:3 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages [1,068 B]
Hit:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease                                           
Hit:5 http://security.ubuntu.com/ubuntu xenial-security InRelease       
Fetched 5,805 B in 0s (10.0 kB/s)                 
Reading package lists... Done
root@xenial:~# 

And the new packages can be downloaded from the InfluxDB repositories:

root@xenial:~# apt-show-versions -u
influxdb:amd64/xenial 1.6.4-1 upgradeable to 1.8.6-1
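
Because such an override keeps working silently after the repository's certificate problem has been fixed, it is worth checking which apt configuration files still disable verification. The following is an added example, not part of the original post; the function name find_disabled_verification is hypothetical.

```shell
#!/bin/sh
# Added example: list active apt configuration lines that switch off TLS
# peer or host verification (Verify-Peer / Verify-Host set to a false value).
# Output format: file:line-number:line
# Lines commented out with // or # are ignored.
find_disabled_verification() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
            tolower($0) ~ /verify-(peer|host)[^;]*"(false|no|off|0)"/ &&
            $0 !~ /^[ \t]*(\/\/|#)/ {
                print f ":" FNR ":" $0
            }
        ' "$f"
    done
}

# Usage: sh audit.sh /etc/apt/apt.conf /etc/apt/apt.conf.d/*
if [ $# -gt 0 ]; then
    find_disabled_verification "$@"
fi
```

On the machine above, this reports the 99influxdata-cert file created earlier.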

