Using debian-installer on a server with a Let's Encrypt cert dies
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
debian-installer (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
While using debian-installer to install Ubuntu Focal, I get the following error:
May 16 22:02:41 base-installer: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]
There was an issue in 2021, where the "DST_Root_
https:/
The problem is that the certificate is still included in the "ca-certificate
May 16 22:02:17 debootstrap: Preparing to unpack .../ca-
May 16 22:02:17 debootstrap: Unpacking ca-certificates (20190110ubuntu1) ...
May 16 22:02:31 debootstrap: Setting up ca-certificates (20190110ubuntu1) ...
May 16 22:02:40 debootstrap: Processing triggers for ca-certificates (20190110ubuntu1) ...
May 16 22:02:40 debootstrap: Running hooks in /etc/ca-
Because the certificate is expired, debian-installer dies with:
May 16 22:02:41 base-installer: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]
Can Ubuntu update the ca-certificate .deb pulled during install to one that does not have DST_Root_CA_X3.crt? Thanks.
I believe this is caused by debootstrap - it only uses packages from the release pocket (and this is frozen from the time Ubuntu 20.04 LTS was originally released). This is a known issue https://askubuntu.com/questions/744684/latest-security-updates-with-debootstrap but I am not sure if there is much you can do to get debian-installer to say use multistrap instead of debootstrap.
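
A check for the condition the bug description reports, an expired certificate still shipped in the installed `ca-certificates` set. This is an added example, not part of the original report or of debian-installer. It assumes the `openssl` CLI is available; the function name `expiring_certs` and the directory passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: list certificates in a trust-store directory that are
# already expired, or that expire within a given number of seconds.
#
# expiring_certs DIR [SECONDS]
#   Prints "file<TAB>subject<TAB>notAfter" for each PEM certificate in DIR
#   whose notAfter is less than SECONDS away (default 0 = already expired).
#   Returns 0 if none were found, 1 if at least one was, 2 on a bad DIR.
#   Limitation: only the first certificate of a multi-cert bundle file
#   is inspected, so point it at a directory of individual roots.
expiring_certs() {
    dir=$1
    horizon=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        # An unmatched glob stays literal; skip it.
        [ -f "$f" ] || continue
        # Skip files that do not parse as a PEM certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when notAfter is within $horizon seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null 2>&1; then
            subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
            end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
            printf '%s\t%s\t%s\n' "$f" "$subject" "$end"
            found=1
        fi
    done
    return "$found"
}
```

On Debian and Ubuntu the individual root certificates are installed under `/usr/share/ca-certificates/mozilla`, so running the function against that directory shows whether the package version pulled by debootstrap still carries an expired root.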