The apt package manager used in Debian, Ubuntu and other Debian derivatives allows custom repositories to be added using either http or https URLs.
The "official" repositories are configured by default with an unencrypted http connection. Here is a basic /etc/apt/sources.list of a Debian 10 (Buster) machine:
$ cat /etc/apt/sources.list
deb [arch=amd64] http://httpredir.debian.org/debian buster main contrib non-free
deb [arch=amd64] http://security.debian.org/ buster/updates main contrib non-free
With the installation of the apt-transport-https package, repositories with encrypted https URLs can be used. But there's a catch: the TLS certificate on the repository server might expire, or the certificate chain might change. If the Root CA of the chain is not in the list of local certificates (in /etc/ssl/certs, managed by the ca-certificates package), the certificate validation will fail and apt will not be able to download the new package/update lists.
Here's a real-life example with the custom repositories from InfluxDB (repos.influxdata.com). On a (meanwhile EOL) Ubuntu 16.04 (Xenial) machine, apt tried to update the repository lists but failed as soon as the InfluxDB repos were hit:
root@xenial:~# apt-get update
Ign:1 https://repos.influxdata.com/ubuntu xenial InRelease
Ign:2 https://repos.influxdata.com/ubuntu xenial Release
Hit:3 http://security.ubuntu.com/ubuntu xenial-security InRelease
Ign:4 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages.diff/Index
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Hit:9 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:10 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Ign:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
Ign:5 https://repos.influxdata.com/ubuntu xenial/stable all Packages
Ign:6 https://repos.influxdata.com/ubuntu xenial/stable Translation-en_US
Ign:7 https://repos.influxdata.com/ubuntu xenial/stable Translation-en
Err:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
W: The repository 'https://repos.influxdata.com/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://repos.influxdata.com/ubuntu/dists/xenial/stable/binary-amd64/Packages server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.
At the end, apt returns an error indicating that the server certificate could not be verified. There could be several reasons for this, for example (non-exhaustive list) an expired certificate on the repository server, or a certificate chain whose Root CA is not in the local ca-certificates store, as mentioned above.
apt can be configured to skip the certificate verification for a given host (here repos.influxdata.com):
root@xenial:~# echo 'Acquire::https::repos.influxdata.com::Verify-Peer "false";' > /etc/apt/apt.conf.d/99influxdata-cert
Note that this should be your last option, and only after a manual check that the repository's certificate seems in order (e.g. using SSL Labs).
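To make the failure above easier to diagnose and the workaround easier to find again later, here is an added example (not part of the original article) with two helpers: one extracts the hosts and CA bundle from apt-get update output (constructed here from the article's own output), the other audits an apt.conf.d directory for Verify-Peer overrides like the one created above. The function names, the sample log and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: diagnose apt TLS verification
# failures and audit for Verify-Peer overrides that were meant to be temporary.

# Print each host whose fetch ended in "server certificate verification failed"
# (de-duplicated, one per line), reading apt-get update output from file $1.
apt_cert_failures() {
    grep -E '^E: Failed to fetch https://[^/ ]+/.*server certificate verification failed' "$1" \
        | sed -E 's#^E: Failed to fetch https://([^/ ]+)/.*#\1#' \
        | sort -u
}

# Print the CA bundle apt reported using for verification (empty if not found).
apt_cafile() {
    grep -oE 'CAfile: [^ ]+' "$1" | head -n 1 | sed 's/^CAfile: //'
}

# List hosts whose Verify-Peer has been set to "false" in apt.conf.d directory $1,
# so lingering workarounds can be reverted once the server chain verifies again.
# Only the one-line form used in the article is recognised.
apt_verify_peer_overrides() {
    grep -rhoE 'Acquire::https::[^:]+::Verify-Peer[[:space:]]+"false"' "$1" 2>/dev/null \
        | sed -E 's/^Acquire::https::([^:]+)::.*/\1/' | sort -u
}

# Constructed sample input, copied from the article's apt-get update output.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Err:8 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Hit:9 http://archive.ubuntu.com/ubuntu xenial InRelease
E: Failed to fetch https://repos.influxdata.com/ubuntu/dists/xenial/stable/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.
EOF

# Constructed apt.conf.d directory holding the article's workaround file.
SAMPLE_CONFD="$(mktemp -d)"
echo 'Acquire::https::repos.influxdata.com::Verify-Peer "false";' > "$SAMPLE_CONFD/99influxdata-cert"

echo "hosts failing certificate verification: $(apt_cert_failures "$SAMPLE_LOG")"
echo "CA bundle used by apt: $(apt_cafile "$SAMPLE_LOG")"
echo "hosts with Verify-Peer disabled: $(apt_verify_peer_overrides "$SAMPLE_CONFD")"
```

Point the functions at a saved `apt-get update 2>&1` log and at /etc/apt/apt.conf.d on a real machine. The override only disables TLS peer verification; apt's GPG signature check of the Release file (apt-secure(8)) still applies.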
After another apt update, the certificate error is now gone:
root@xenial:~# apt-get update
Get:1 https://repos.influxdata.com/ubuntu xenial InRelease [4,737 B]
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:3 https://repos.influxdata.com/ubuntu xenial/stable amd64 Packages [1,068 B]
Hit:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:5 http://security.ubuntu.com/ubuntu xenial-security InRelease
Fetched 5,805 B in 0s (10.0 kB/s)
Reading package lists... Done
root@xenial:~#
And the new packages can be downloaded from the InfluxDB repositories:
root@xenial:~# apt-show-versions -u
influxdb:amd64/xenial 1.6.4-1 upgradeable to 1.8.6-1
On September 30th 2021, the Let's Encrypt Root CA (DST Root CA X3) expired. As a lot of domains, including apt repositories, use free Let's Encrypt certificates, this now has a huge effect on clients trying to access these repositories. As long as the local ca-certificates still contain the now expired DST Root CA X3 certificate, apt will fail with the error "server certificate verification failed", as mentioned above.
Please take a look at the dedicated article Let's Encrypt Root CA expiry (server certificate verification failed): Make sure to remove DST Root CA X3 for how to resolve this properly.
Aurelien from France wrote on Mar 7th, 2022:
Man, just... thank you. I tried everything and I couldn't find a way to skip my certificate verification on a specific trusted url. You saved me many hours.
Thanks!!