Can't verify certificates issued by letsencrypt

andyrue · September 27, 2021, 3:50pm

Let me remove again and try purging, not sure if that will help at all.

rg305 · September 27, 2021, 3:51pm

show all output from:
apt update
&
apt-get update

andyrue · September 27, 2021, 3:53pm

Huzzah! Purging fixed it. Now YOU are out of date. My file is bigger than yours. Haha!

-rw-r--r-- 1 root root 202781 Sep 27 11:52 /etc/ssl/certs/ca-certificates.crt

rg305 · September 27, 2021, 3:54pm

Well that means it has the cert that needs to be removed?

 202781
-199113
=======
   3668

[sounds about the right size]

andyrue · September 27, 2021, 3:55pm

Oo, possibly? I'm not getting verification errors anymore though.

rg305 · September 27, 2021, 3:56pm

Please post here your exact steps [for all to see]
And I will follow along and we can both get back to where we should all be.

andyrue · September 27, 2021, 3:57pm

apt purge ca-certificates
apt install ca-certificates

andyrue · September 27, 2021, 3:58pm

I'm not sure if there is a better method, as removing the ca-certificates package also required removing other packages that had it as a dependency.

rg305 · September 27, 2021, 3:58pm

Oh no!
I get:

The following packages will be REMOVED:
  apport* ca-certificates* cloud-init* landscape-common* python3-apport* python3-certifi* python3-httplib2* python3-requests*
  python3-requests-unixsocket* snapd* software-properties-common* ssh-import-id* ubuntu-release-upgrader-core* ubuntu-server* update-manager-core*
  update-notifier-common*

andyrue · September 27, 2021, 4:00pm

I had a similar list. In my case I think I only needed one of the packages so I just reinstalled it afterwards.

rg305 · September 27, 2021, 4:01pm

Yeah this is not an ideal solution for all (yet).
We need to purge ONLY ca-certificates
OR
Force it to actually update
[seems like it wasn't actually doing that]

andyrue · September 27, 2021, 4:01pm

Agreed.

rg305 · September 27, 2021, 4:04pm

hmm...
Even after removing that entire list and then (re)installing them all:
-rw-r--r-- 1 root root 199113 Sep 27 15:57 /etc/ssl/certs/ca-certificates.crt

Same size!

andyrue · September 27, 2021, 4:05pm

Doesn't make any sense.

rg305 · September 27, 2021, 4:05pm

So even though this seems to have worked in your benefit, I would caution anyone from doing this.

andyrue · September 27, 2021, 4:09pm

During my troubleshooting I was trying to add certificates manually, so I'm wondering if I have something extra installed that wouldn't normally be there. Still investigating.

rg305 · September 27, 2021, 4:13pm

Please show outputs:
apt install libgnutls-openssl27
apt install libgnutls30

andyrue · September 27, 2021, 4:14pm

libgnutls-openssl27 is already the newest version (3.5.18-1ubuntu1.5)

libgnutls30 is already the newest version (3.5.18-1ubuntu1.5)

andyrue · September 27, 2021, 4:19pm

Ya, I don't know. I had installed some certificates into /usr/local/share/ca-certificates. After removing them I now get.

-rw-r--r-- 1 root root 200082 Sep 27 12:17 /etc/ssl/certs/ca-certificates.crt

which is smaller than before, but still doesn't match yours.

rg305 · September 27, 2021, 4:25pm

ls -l /usr/local/share/ca-certificates/