How to solve apt error server certificate verification failed


Published on - last updated on September 8th 2023 - Listed in Linux TLS Security


The apt package manager used in Debian, Ubuntu and other Debian derivatives allows custom repositories to be added using either http or https URLs.

The "official" repositories are by default configured using an unencrypted http connection. Here is a basic /etc/apt/sources.list from a Debian 10 (Buster) machine:

$ cat /etc/apt/sources.list
deb [arch=amd64] http://httpredir.debian.org/debian buster main contrib non-free
deb [arch=amd64] http://security.debian.org/ buster/updates main contrib non-free

With the installation of the apt-transport-https package, repositories using encrypted https URLs can be used. But there's a catch: the TLS certificate on the repository server might expire, or the server might change its certificate chain. If the Root CA of the chain is not in the list of local certificates (in /etc/ssl/certs, managed by the ca-certificates package), the certificate validation will fail and apt will not be able to download the updated package lists.

server certificate verification failed

Here's a real-life example with the custom repositories from InfluxDB (repos.influxdata.com). On a (by now EOL) Ubuntu 16.04 (Xenial) machine, apt tried to refresh the repository lists but failed as soon as the InfluxDB repos were hit:

root@xenial:~# apt-get update
Ign:1 https://repos.influxdata.com/ubuntu xenial InRelease
Ign:2 https://repos.influxdata.com/ubuntu xenial Release
Hit:3 http://security.ubuntu.com/ubuntu xenial-security InRelease           
Ign:4 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages.diff/Index
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages            
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Hit:9 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:10 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Err:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Reading package lists... Done
W: The repository 'https://repos.influxdata.com/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://repos.influxdata.com/ubuntu/dists/xenial/stable/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.

At the end, apt returns an error stating that the server certificate could not be verified. There are several possible reasons for this, for example (non-exhaustive list):

  • the server certificate (or a certificate from the certificate chain) has expired
  • the server certificate is self signed
  • the local ca-certificates package does not contain the used Root CA to successfully validate the chain
  • the local ca-certificates package is out of date
  • apt uses an outgoing (forwarding) http proxy which does SSL interception and presents its own certificate in place of the server's

Telling apt to skip certificate verification

apt can be configured to skip the certificate verification for a given repository host:

root@xenial:~# echo 'Acquire::https::repos.influxdata.com::Verify-Peer "false";' > /etc/apt/apt.conf.d/99influxdata-cert

Note that this should be your last resort, and only after a manual check that the repository's certificate is in order (e.g. using SSL Labs). With Verify-Peer disabled, apt no longer authenticates the server at all; the only remaining protection is the signature check on the repository's Release file (see apt-secure(8)).
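Before falling back to that override, it helps to know which of the causes listed above actually applies. The following script is an added example (not part of the original post, and not an InfluxDB or apt tool): it runs the same chain check apt performs, against the same CAfile named in the error, and reports whether the failure is an expired certificate somewhere in the chain (the DST Root CA X3 case from the update below), a root that is simply not in the local trust store, or something else. It assumes openssl is installed and that the chain file is PEM with the server certificate first; the fetch_chain helper and its hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify a repository's TLS chain
# against the trust store apt uses before reaching for Verify-Peer "false".
# Assumes: openssl in PATH; the chain file is PEM with the server (leaf)
# certificate first. Prints exactly one of OK, EXPIRED, UNTRUSTED, OTHER.

# Save the chain a repository server presents, as apt's TLS client sees it.
# Constructed helper: needs network, so the offline checks below do not use it.
fetch_chain() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
}

# diagnose_chain CHAIN.pem [CAFILE]
# CAFILE defaults to the CAfile named in apt's error message.
diagnose_chain() {
    chain="$1"; cafile="${2:-/etc/ssl/certs/ca-certificates.crt}"
    leaf="$(mktemp)"
    # openssl x509 reads only the first certificate in the file: the leaf.
    if ! openssl x509 -in "$chain" -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"; echo OTHER; return 2
    fi
    # Build the chain the way a client does: certificates sent by the server
    # are untrusted input; only CAFILE is trusted.
    out="$(openssl verify -CAfile "$cafile" -untrusted "$chain" "$leaf" 2>&1)" && rc=0 || rc=$?
    rm -f "$leaf"
    if [ "$rc" -eq 0 ]; then echo OK; return 0; fi
    case "$out" in
        *"certificate has expired"*)
            # leaf, intermediate or root past notAfter (the DST Root CA X3 case)
            echo EXPIRED ;;
        *"self signed certificate"*|*"self-signed certificate"*|*"unable to get local issuer"*|*"unable to get issuer"*)
            # the chain's root is missing from CAFILE: outdated ca-certificates,
            # a private CA, or an intercepting proxy certificate
            echo UNTRUSTED ;;
        *)
            echo OTHER ;;
    esac
    return 1
}

# Typical use on the host from the post:
#   fetch_chain repos.influxdata.com /tmp/influx-chain.pem
#   diagnose_chain /tmp/influx-chain.pem
```

An EXPIRED result points at the server operator or at a stale root in ca-certificates; an UNTRUSTED result means the local trust store (or an intercepting proxy) is the thing to fix, not the repository.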

After another apt update, the certificate error is now gone:

root@xenial:~# apt-get update
Get:1 https://repos.influxdata.com/ubuntu xenial InRelease [4,737 B]
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:3 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages [1,068 B]
Hit:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease                                           
Hit:5 http://security.ubuntu.com/ubuntu xenial-security InRelease       
Fetched 5,805 B in 0s (10.0 kB/s)                 
Reading package lists... Done
root@xenial:~# 

And the new packages can be downloaded from the InfluxDB repositories:

root@xenial:~# apt-show-versions -u
influxdb:amd64/xenial 1.6.4-1 upgradeable to 1.8.6-1

Update: Let's Encrypt Root CA expired

On September 30th 2021, the Let's Encrypt Root CA (DST Root CA X3) expired. As a lot of domains, including apt repositories, use free Let's Encrypt certificates, this has a huge effect on clients trying to access these repositories: as long as the local ca-certificates still contain the now expired DST Root CA X3 certificate, apt fails with the "server certificate verification failed" error mentioned above.

Please take a look at the dedicated article "Let's Encrypt Root CA expiry (server certificate verification failed): Make sure to remove DST Root CA X3" for how to resolve this properly.



Comments (newest first)

Aurelien from France wrote on Mar 7th, 2022:

Man, just... thank you. I tried everything and I couldn't find a way to skip my certificate verification on a specific trusted url. You saved me many hours.

Thanks !!

