Update OS: The certificate chain uses expired certificate

Hi,

“$ sudo apt update” currently fails. Message “Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification.” shows.

Has this been noted and will the certificates be updated shortly?

Kind regards,

Is your date & time set right?

Data point: works fine for me.

After checking the date/time as the previous post suggests, if still not resolved then …

For starters you should confirm what host is being accessed e.g.

# apt update
Hit:1 https://repo.pureos.net/pureos amber InRelease
Get:2 https://repo.pureos.net/pureos amber-updates InRelease [5,843 B]
Get:3 https://repo.pureos.net/pureos amber-security InRelease [5,845 B]
Get:4 https://repo.pureos.net/pureos amber-phone InRelease [5,839 B]
Fetched 17.5 kB in 10s (1,812 B/s)      

and you should confirm what IP address that is
nslookup repo.pureos.net.
Address: 138.201.228.45

The above is on a Librem 5. YMMV if on a different device.

Thank you very much for your prompt reply.

Today updates were not an issue anymore.

Holen:5 https://mirror.linux.pizza/pureos amber InRelease [5.784 B]
Holen:6 https://mirror.linux.pizza/pureos amber-security InRelease [5.845 B]
Holen:7 https://mirror.linux.pizza/pureos amber-updates InRelease [5.843 B]

Still, I'll keep your suggestions in mind if this issue shows up again.

Kind regards!


Just remember that if you are getting packages via a mirror then there is nothing that Purism can do to make the mirror have a valid certificate.

The most likely explanation here is that the mirror really did let the certificate expire. I’ve seen any number of web sites that are not closely managed, who only notice that the certificate expiry date approaches after the date has passed. So you will get a few days when the certificate genuinely is not valid.

That said, that site appears to be using Let’s Encrypt and I thought certificate updates were supposed to be automatic in that case …

After a Librem 5 reflash it gives an error for me, @dos.

apt update OR using the PureOS Store update

results in:

"Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 138.201.228.45 443]"

Any ideas how to fix or update the certificates? I used the Purism L5 evergreen reflash scripts.

Never mind, fell into the time/date trap. Fixed now.
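
A diagnostic for the two causes raised in this thread (a wrong device clock, or a mirror whose certificate really did lapse), added here as an example and not posted by any participant. It compares the system clock with the validity window of each certificate the server sends. The function names and the script name are hypothetical, and it assumes the openssl CLI and GNU date are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Needs the openssl CLI and GNU date.

# classify_cert_dates NOW_EPOCH NOT_BEFORE NOT_AFTER
# Date strings use the format printed by `openssl x509 -noout -dates`.
classify_cert_dates() {
    local now=$1 nb na
    nb=$(date -u -d "$2" +%s) || return 2
    na=$(date -u -d "$3" +%s) || return 2
    if [ "$now" -lt "$nb" ]; then
        echo "not-yet-valid"   # usually means the local clock is behind
    elif [ "$now" -gt "$na" ]; then
        echo "expired"         # certificate lapsed, or the local clock is ahead
    else
        echo "valid"
    fi
}

# chain_dates HOST: notBefore/notAfter lines for every certificate HOST sends.
chain_dates() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/ { pem = ""; grab = 1 }
         grab { pem = pem $0 "\n" }
         /-----END CERTIFICATE-----/ {
             cmd = "openssl x509 -noout -dates"
             printf "%s", pem | cmd; close(cmd); grab = 0
         }'
}

# check_host HOST: print the system time, then one verdict per certificate.
check_host() {
    local now nb na
    now=$(date -u +%s)
    echo "system clock (UTC): $(date -u)"
    chain_dates "$1" | while IFS= read -r nb && IFS= read -r na; do
        nb=${nb#notBefore=}; na=${na#notAfter=}
        echo "$(classify_cert_dates "$now" "$nb" "$na")  $nb .. $na"
    done
}

# Usage: ./certclock.sh repo.pureos.net   (no network access without an argument)
if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

If the printed system clock is correct and a certificate still shows as expired, the problem is on the server or mirror side; if the clock is off, fix the date and time first and run apt update again.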