Adding root crt on ubuntu

I'm trying to use 'bundle install' on an Ubuntu 18.1 machine and I'm being told I cannot verify the SSL certificate for https://rails-assets.org/.

https://rails-assets.org/ appears to have an R3 certificate issued by Lets Encrypt. I am very very sketchy about certificates and really dont know what I'm talking about so please bare with me!

Ubuntu has a ca-update-certificates command that reads a ca-certificates.conf file in order to set up the certificates. An example of a configuration line in the ca-certificates.conf file would be

mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt

So my question is, what should I add to my ca-certificates.conf file in order to get the required R3 Lets Encrypt crt/pem (see I have no idea what I'm talking about!) into my Ubuntu /usr/share/ca-certificates folder?

Any help/advice/instructions gratefully received!

LTS version is 18.4, not 18.10: and even that 18.04 will end support in April 2023 unless you pay canonical for them. just update it go 20.04

3 Likes

Ubuntu Bionic (18.04) should have ISRG Root X1 in its root store, see Ubuntu – Details of package ca-certificates in bionic

Could you please share the exact error message you're getting? And in which situation?

5 Likes

If that is the version in use, then you need to upgrade that ASAP.
The ".10" versions do not have Long Term Support [LTS].

4 Likes

maybe it's DST root expired in trust problem from graveyard. 18.10 is old enough to that have libs old enough to not patched against this

3 Likes

Hi

bundle install is giving me the following:

Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rails-assets.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

I'm not familiar with Ruby, do you know which underlying SSL library is used? And which version?

4 Likes

I'm not an Ubuntu expert at all - could someone please point me to some instructions on how to upgrade from 18.1 to 20?

https://help.ubuntu.com/community/EOLUpgrades

5 Likes

Thanks :+1:

1 Like

Be sure to pick a version that ends with ".04" [for LTS].

2 Likes

Don't forget the even number to the left of the decimal. :wink:

3 Likes

Are there even uneven numbers to the left of the decimal?

(At least, there aren't any current versions with uneven major version numbers. :stuck_out_tongue: )

3 Likes

Thanks. I'm going to bite the bullet and image a new machine at 20 LTS rather than upgrade mine from 18.1 I think. That looks a lot safer and I can keep my old machine for reference.

1 Like

That's only because you linked to a list of LTS releases. :grin:

23.04 will release in a few months and have only 9 months of support. This is why it is important to select the ".04" release of an even year release.

3 Likes

Nah, that's not it. It's just that LTS keeps around in the "Current" list for a long time and non-LTS not. At "Future" you can find the 23.x release. But that's indeed a good thing to notice in the future :slight_smile: And not by accident upgrade to 21.x somehow, as it's end of life already :stuck_out_tongue:

4 Likes

20.04 only has 2 years of standard support left. Why not choose 22.04 if you are doing a fresh install?

4 Likes

my bad.. I will update to 22 LTS, thanks

3 Likes

It is almost like .04 is the release month of that year. :slight_smile:

1 Like

Or the "4" is for the number of years they will support it ...

2 Likes