Description

Certificate verification failed when trying to update using apt-get on Ubuntu. Err:4 https://brave-browser-apt-release.s3.brave.com bionic Release Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: ::ffff:146.112.61.106 443]

Steps to Reproduce

Add brave repo to sources.list
Run sudo apt-get update
Get error

Actual result:

Get cert error when trying to update using apt-get.

Expected result:

Actually update when using apt-get.

Reproduces how often:

Easily reproduced.

Brave version (brave://version info)

Brave | 1.1.23 Chromium: 79.0.3945.88 (Official Build) (64-bit) Revision | c2a58a36b9411c80829b4b154bfcab97e581f1f3-refs/branch-heads/3945@{#954} OS | Linux

Other Additional Information:

The cert error when attempting to go to the URL of repo:

NET::ERR_CERT_AUTHORITY_INVALID Subject: brave-browser-apt-release.s3.brave.com

Issuer: Cisco Umbrella Secondary SubCA dfw-SG

Expires on: Jan 11, 2020

Current date: Jan 8, 2020

PEM encoded chain: -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIEXhXXlTANBgkqhkiG9w0BAQsFADBAMQ4wDAYDVQQKDAVD aXNjbzEuMCwGA1UEAwwlQ2lzY28gVW1icmVsbGEgU2Vjb25kYXJ5IFN1YkNBIGRm dy1TRzAeFw0yMDAxMDYxMzA3MjZaFw0yMDAxMTExMzA3MjZaMIGDMQswCQYDVQQG EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj bzEWMBQGA1UECgwNT3BlbkROUywgSW5jLjEvMC0GA1UEAwwmYnJhdmUtYnJvd3Nl ci1hcHQtcmVsZWFzZS5zMy5icmF2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDTbvCpq+tRX0ND1wsYdLHZZkLOD66DATbS60/JgGVUNb9zV5W4 FeWctINkYB//2uklUZ8ktt5UC1pwRuoa5KWXjqXzndInsJVdJUtA6MiV1UaciRMP 8dMFWvrWfK0RBife1eA2fe1b+fKeGNlPOBCW5XZqaQ1p/A6A9OeMXFklRJTr93eG +3KppykYwosWfeYfSln04vS4wTbTjZX6LiTbZteS/nP1BIJ/4Q45RTioRIy362DN B2uzM+ltplMJh/W+8Q/kcQseJX7W+dto/FTniXT0CqouGmVGim1FekYSSLJTbTHD 1AxEfpLpKAuJ15Bh2D0KiOiNlUPB9BV1fl4RAgMBAAGjNTAzMDEGA1UdEQQqMCiC JmJyYXZlLWJyb3dzZXItYXB0LXJlbGVhc2UuczMuYnJhdmUuY29tMA0GCSqGSIb3 DQEBCwUAA4IBAQAyBXgtOJqO0m/S/Ju3Asq5HFkFWdwOAentyBM8ol7bp6tkJ14D bxDHVZnYKzMapVXzxVDqiIUwUm5BVTfk+80+R5gsyyR7etZi7Pz5Q3vMskpZGCMQ 9Ihh4w+AmTPpkbVe1lbe8yg5IobZBGK7AmF1qipRIDYuKYMFOInUUjVJgg7d5qnS jhU9/wjnygDRUlLorD/gcXIdhq70m+wSnbJamnwX/At/MPVt9R5k80WqHY2veGJf paHt2ic/qoafsHDDeUQRd1d48spUULT1ZJ2BwAQ1ER1xawhX1hogom/zgXMxlnfN b6+QeL65hZ/G7koUXHzq45SkJxl/jjTkUxWK -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEJzCCAw+gAwIBAgIRANneUZPYX0NIjR5UolwU07swDQYJKoZIhvcNAQELBQAw cTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh biBGcmFuY2lzY28xDjAMBgNVBAoMBUNpc2NvMSUwIwYDVQQDDBxDaXNjbyBVbWJy ZWxsYSBQcmltYXJ5IFN1YkNBMB4XDTIwMDEwNzA1MjIyMVoXDTIwMDExODA1MjIy MVowQDEOMAwGA1UECgwFQ2lzY28xLjAsBgNVBAMMJUNpc2NvIFVtYnJlbGxhIFNl Y29uZGFyeSBTdWJDQSBkZnctU0cwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDTbvCpq+tRX0ND1wsYdLHZZkLOD66DATbS60/JgGVUNb9zV5W4FeWctINk YB//2uklUZ8ktt5UC1pwRuoa5KWXjqXzndInsJVdJUtA6MiV1UaciRMP8dMFWvrW fK0RBife1eA2fe1b+fKeGNlPOBCW5XZqaQ1p/A6A9OeMXFklRJTr93eG+3KppykY wosWfeYfSln04vS4wTbTjZX6LiTbZteS/nP1BIJ/4Q45RTioRIy362DNB2uzM+lt plMJh/W+8Q/kcQseJX7W+dto/FTniXT0CqouGmVGim1FekYSSLJTbTHD1AxEfpLp KAuJ15Bh2D0KiOiNlUPB9BV1fl4RAgMBAAGjgeowgecwEgYDVR0TAQH/BAgwBgEB /wIBADAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFMyv1Omq+mUAxnWxPmuAU0sL nCJWMB8GA1UdIwQYMBaAFEVf9ZtxMyWpwE48AkTPPOhGBhbEMIGABggrBgEFBQcB AQR0MHIwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLm9wZW5kbnMuY29tMEsGCCsG AQUFBzAChj9odHRwOi8vY2FjZXJ0cy5vcGVuZG5zLmNvbS9EOURFNTE5M0Q4NUY0 MzQ4OEQxRTU0QTI1QzE0RDNCQi5jcnQwDQYJKoZIhvcNAQELBQADggEBAJtFnDtg Ne6UdkjJuZD+7tQ+l/2hKQVqzPXjuwZiklaMezdkRq0rZ6PNcxWQvzYQD4ISUXcC qE12RsaOtRjhyoljjeAaPR9P693i+g5YHhSEaDBwRNzaOZkUO5DEe/8cbc2kVBR+ Y9ZS96qmXBREuQAcNii5F0bbmv9SNmDdrmA82D6hNCvxpX+6+ut2O+6mv/6pGoNJ SooSCUF7JVafaAQtL8czJ+FrfEKv4LrpqxmR+yWpur5/oaTXSCUgxInqF431SstY 2O/Se4KQEO8Yapsb3HbLcQyRQTYvhkSU91DTrZu/m+5uh1IrnuWUld5yMpJEaMiK sGpxfF4ZB6DN2SE= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEuzCCA6OgAwIBAgIJAcQ3zFeNvKYVMA0GCSqGSIb3DQEBCwUAMDExDjAMBgNV BAoTBUNpc2NvMR8wHQYDVQQDExZDaXNjbyBVbWJyZWxsYSBSb290IENBMB4XDTE5 MDUyMTE5NTMxOFoXDTI0MDUyMTE5NTMxOFowcTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDjAMBgNVBAoM BUNpc2NvMSUwIwYDVQQDDBxDaXNjbyBVbWJyZWxsYSBQcmltYXJ5IFN1YkNBMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuFEhA5TkN8CiGmW7XjaUbuve U274v0kt6hRW8UUakmbyLnkI4d/BBQrGW71LYiT2QH4UaoYuihTXjuyAlzDxJ9OQ Vje2NB9RdE3FcUCISeW5GrQs7vF2xFrjs2TGgG4ZXjE/8WymgFZP50nsTJYf7VqL 1r6Brs59DAbbQ1rVvsz/DFxoE3ruFagSFcOF07/watUxFrAPV+S/kK6Nb5TqrI1j 32hK6i49ujavDcbbb12aozwdoyPSyhs4cB0sCXFHK/yEdaE4CNXEAH8EjKUuj6O2 QUvRtBGM480688BId0T0ws3q+hSzRiVJ+dYCr3iufmTrAMhVwc+EzGjlEfLyXwID AQABo4IBlDCCAZAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEw UgYDVR0gBEswSTBHBgorBgEEAQkVAR0AMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly93 d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9wb2xpY2llcy8wHQYDVR0OBBYEFEVf 9ZtxMyWpwE48AkTPPOhGBhbEMEwGA1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly93d3cu Y2lzY28uY29tL3NlY3VyaXR5L3BraS9jcmwvY2lzY291bWJyZWxsYXJvb3QuY3Js MIGHBggrBgEFBQcBAQR7MHkwSQYIKwYBBQUHMAKGPWh0dHA6Ly93d3cuY2lzY28u Y29tL3NlY3VyaXR5L3BraS9jZXJ0cy9jaXNjb3VtYnJlbGxhcm9vdC5jZXIwLAYI KwYBBQUHMAGGIGh0dHA6Ly9wa2ljdnMuY2lzY28uY29tL3BraS9vY3NwMB8GA1Ud IwQYMBaAFENzAN4kukAaQFQsfXzVAEiJDHCkMA0GCSqGSIb3DQEBCwUAA4IBAQC6 P7ugvpQSkNxrzY1ZM0Nd9Q3LaoTERS4ItcxMsswFPl7ID/3Vk3v3ZT6KgtCZ+Nh0 MUgZztLATHf42ZppdSkdMf1HfCmLSWORz/eK+fZxztE63M1EGiZJoe8qFKT9z6qx iDD989jyjY74sYfiSo5nbhcb5meUrUO6MQvOO5pUnlhWsDiBUg+yBzyfVoLnGRlY 2t7UZVTUz5kbBNFieTIt86yaYAumgOqriz/dCgQltFySbOkrgg/PN7cRv3IWm84C uKQ9prsXbXLLbl8U+bGRH119prl3zJyRnQ0D+ursCqUnIfziBdKv7yLsupGDGt+Q oqLzmkMPYE+WZmEi+3j5 -----END CERTIFICATE-----

Miscellaneous Information:

brave-browser-apt-release.s3.brave.com.txt

cc: @mbacchi @mihaiplesa @fmarier

Strange, I just updated my browser successfully using the apt repo.

[IP: ::ffff:146.112.61.106 443]

This suggests you're trying to access the repo over IPv6. However, from my machine, I can't see an IPv6 for that hostname:

$ dig AAAA brave-browser-apt-release.s3.brave.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> AAAA brave-browser-apt-release.s3.brave.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58278
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;brave-browser-apt-release.s3.brave.com.    IN AAAA

;; ANSWER SECTION:
brave-browser-apt-release.s3.brave.com. 81 IN CNAME u2.shared.global.fastly.net.

;; Query time: 12 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Jan 08 11:17:24 PST 2020
;; MSG SIZE  rcvd: 108

There seems to be something wrong with DNS somewhere. I don't think you're connecting to the right server.

Can you try forcing one of the IPv4 addresses for that hostname in your /etc/hosts to see if you get a different result?

e.g. 151.101.2.217 brave-browser-apt-release.s3.brave.com

Looks like OpenDNS blocked the IP that brave-browser-apt-release.s3.brave.com resolved to for me:

[2075]jsandiego ~: sudo systemd-resolve -4 brave-browser-apt-release.s3.brave.com
brave-browser-apt-release.s3.brave.com: 146.112.61.106

-- Information acquired via protocol DNS in 17.4ms.
-- Data is authenticated: no

Site Blocked_20200108_160344

Using the IP you provided allowed me to update.

Ah yes, OpenDNS mistakenly blocked us yesterday: https://www.reddit.com/r/BATProject/comments/ela2o0/bravecom_sites_being_blocked_by_opendns/

They have apparently rolled out a fix on their end, but DNS caching being what it is, it might take another day to clear up.

@jsandiego Is this still an issue for you?

My DNS no longer resolves to the IP address that was giving me the issue, so it is no longer an issue for me.

Closing, reopen if necessary.

Hi there,

I am seeing this error messageagain, running Linux Mint 22.02. Don't know whether it is a same issue on OpenDNS. Is there a ticket opened / reopned. I am using Public Library network, and was able to upgrade brave browser before without any issue until couple weeks ago..

Hit:1 http://mirror.math.ucdavis.edu/ubuntu focal InRelease Hit:2 http://mirror.math.ucdavis.edu/ubuntu focal-updates InRelease
Hit:3 http://mirror.math.ucdavis.edu/ubuntu focal-backports InRelease
Ign:4 http://packages.linuxmint.com uma InRelease
Ign:5 https://brave-browser-apt-release.s3.brave.com stable InRelease
Hit:6 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:7 http://packages.linuxmint.com uma Release
Hit:8 https://dl.google.com/linux/chrome/deb stable InRelease
Err:9 https://brave-browser-apt-release.s3.brave.com stable Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 65.8.158.8 443]

cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 vq2-HP-EliteBook-Folio-9470m

The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters

$ dig AAAA brave-browser-apt-release.s3.brave.com

; <<>> DiG 9.16.1-Ubuntu <<>> AAAA brave-browser-apt-release.s3.brave.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43317 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;brave-browser-apt-release.s3.brave.com. IN AAAA

;; ANSWER SECTION: brave-browser-apt-release.s3.brave.com. 300 IN CNAME d9owkidwx4k9e.cloudfront.net.

;; Query time: 48 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Thu Oct 06 20:01:08 PDT 2022 ;; MSG SIZE rcvd: 109

Thank you

@cdphan there are no images for Mint 22 at hub.docker.com, but in a Mint 21 container the instructions from brave.com/linux appear to be working fine. Could this be a local issue? Have you tried following the official installation instructions again? Is the system clock set up correctly? Does reinstalling ca-certificates change anything?

@cdphan, I just came across the same problem in LM 21.2 ( i assume your 22.02 was a typo as LM 22 isn't out yet) on a public library wifi. Switching to data changed the error message from the same as the OP to a Notification:

N: Skipping acquisition of configured file 'main/binary-i386/Packages', as repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' doesn't support architecture 'i386'

Which i solved by changing my /etc/apt/sources.list.d/brave-browser-release.list to specify ARM64 architecture as i have a 64bit machine and i386 is 32 bit, so my brave-browser-release.list now looks like:

deb [arch=amd64 signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main

I'm not sure if the i386 architecture bit is related but i thought i would include all my steps incase it was a compound of problems. My knowledge is limited so i don't pretend to understand the whole picture.

Summary: if on LM22 on public wifi, try changing from public Wifi, If you are getting 'i386' notification then edit the apt source list file as above. Useful link to take you through that step by step is:

https://itsfoss.com/repository-doesnt-support-architecture-i386/

@GuiltySpark7 I'm afraid I can't reproduce any of the issues by following the instructions from brave.com/linux in a linuxmintd/mint21-amd64 container.

Issues specific to a network would be best discussed with its maintainer. If you share the output of openssl s_client -connect brave-browser-apt-release.s3.brave.com:443 -servername brave-browser-apt-release.s3.brave.com -showcerts </dev/null we could see what certificate you're seeing and maybe spot an issue there.

As for the architecture - I also didn't run into this. Per https://wiki.debian.org/Multiarch/HOWTO, you can check your currently selected architecture with dpkg --print-architecture and other available architectures with dpkg --print-foreign-architectures. Architectures can be added/removed via dpkg --add-architecture/dpkg --remove-architecture.

@wknapik impressively fast reply. Sorry I should have been more clear, I solved my problem and wanted to share my solution as my problem lead me to this thread and reading cdphans post I was not the first so I reckoned I wouldn't be the last. It might be a simple solution of changing network for many who visit and I wanted to deflect them from a potentially unnecessary rabbit hole (that I went down). I understand that a conversation with the library network maintainer might help but this is clearly a common problem and also good luck finding such a person, I am in a van, outside a library which is opened 3 hours a week 9-12 on a Friday xD

I think the architecture was a default problem thing twith changing folders that is explained in https://itsfoss.com/repository-doesnt-support-architecture-i386/

If you are still interested running your command connected to Library Wifi after the amd64 fix: CONNECTED(00000003) depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com verify error:num=19:self-signed certificate in certificate chain verify return:1 depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com verify return:1 depth=0 CN = brave-browser-apt-release.s3.brave.com verify return:1

Certificate chain 0 s:CN = brave-browser-apt-release.s3.brave.com i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jun 3 00:00:00 2023 GMT; NotAfter: Jul 1 23:59:59 2024 GMT -----BEGIN CERTIFICATE----- MIIFlTCCBH2gAwIBAgIUKOlS/QYDosACcthHgNMAXg+m30UwDQYJKoZIhvcNAQEL BQAwgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH DAlTdW5ueXZhbGUxETAPBgNVBAoMCEZvcnRpbmV0MR4wHAYDVQQLDBVDZXJ0aWZp Y2F0ZSBBdXRob3JpdHkxGTAXBgNVBAMMEEZHNkgwRVRCMjA5MDQyMzMxIzAhBgkq hkiG9w0BCQEWFHN1cHBvcnRAZm9ydGluZXQuY29tMB4XDTIzMDYwMzAwMDAwMFoX DTI0MDcwMTIzNTk1OVowMTEvMC0GA1UEAxMmYnJhdmUtYnJvd3Nlci1hcHQtcmVs ZWFzZS5zMy5icmF2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDHMCz0hTSfFhIxozHOKheUeQzMo8yT5VQ1Cwm2jaSAxd6XTOXq8TPk+gu3jfZ2 mVwc7QXRXOIcbFz9FR1HH+ZBaLCN/WPqa6qXFiglYhnrDeTqhYEULKnWlsYENXzI zEjyEbj/NaS2xyTYuvP3VbbHWMi5a+LlaAqj6QSamKJ4HmCVpT18wc0X3T5CNKlL Qsse6bgv1NgTLWVllsHKbm/QJH+GuYl96Pgu6CDpefrnL3DGo9VOiZ+W/6faCgZu yhAjRnG8T77aR3D8N2IJvRFtaCYhQDmslgAFb7RoLhabOVk4L/JrGY9fWHvNDEXU 0z3Vwpq0WElmUVrz17iX9UC5AgMBAAGjggIqMIICJjAdBgNVHQ4EFgQUMOt3PGYS Qa8bvUogUGvbFJ3WsaswMQYDVR0RBCowKIImYnJhdmUtYnJvd3Nlci1hcHQtcmVs ZWFzZS5zMy5icmF2ZS5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjATBgNVHSAEDDAKMAgGBmeBDAECATAMBgNVHRMBAf8E AjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdwDuzdBk1dsazsVct520zROi ModGfLzs3sNRSFlGcR+1mwAAAYh/H5rNAAAEAwBIMEYCIQDyT7QEPjC2tpjhepfy ftmXlpzEAHAInZKpTCC7g0NslgIhAJ498mYFrgeJZQ45J5v91UUO0o7E8mRTxCOj 4Rd6iWx5AHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGIfx+a uQAABAMARzBFAiAJkrMRPFEMEqSzkSgIPM7Lj8S0LPow1yxqNpAVLsQruwIhAJGl p4xSimCY9W6ivbICfdAN3nGPn8xJJz+8xBklE2ERAHUA2ra/az+1tiKfm8K7XGvo cJFxbLtRhIU0vaQ9MEjX+6sAAAGIfx+aiAAABAMARjBEAiBo2bhYpzOtWZB5/dUd lThFJhRpgYntFqG+eow0AAgHTAIgO4ags1ThSEqAfB6I3i6KL7D9M09cDFFTuPZ9 C0+ydIAwDQYJKoZIhvcNAQELBQADggEBAAUExeL5qzjJNOnvPoE/cr0+hAdf00Cj ZS5OEHBbRAP+jEvivhZ0dVkuhuo6yMVSFhJVY5vizuxZ1C7f1h93knuJ14wl3jem dMEWCGyC3ps0wsZVuGsgmyrZf8wudBNMUAIVTXfTwi9PbqE4xAVeF0eHqb3TQTWu GuzGrPk7r/TGQcS7DYJDpahhxoqlV0UQ1Vuk/mSDaawnX0KLSSvPRQz7BFmMOhVb ARG6a765QHgp1nflYd6+rxe9gBEGamqv0I3QUbzK4PuW3gZuTGV71k35EzJGiKiB nb3UecKULzMuqSG2NyUnEa+jvFpXgp8og/TJvTWrmci8WHYM6vd0Fx0= -----END CERTIFICATE----- 1 s:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Feb 8 14:45:02 2021 GMT; NotAfter: Feb 9 14:45:02 2031 GMT -----BEGIN CERTIFICATE----- MIID5jCCAs6gAwIBAgIIHeGHbZxtYpYwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUx ETAPBgNVBAoMCEZvcnRpbmV0MR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp dHkxGTAXBgNVBAMMEEZHNkgwRVRCMjA5MDQyMzMxIzAhBgkqhkiG9w0BCQEWFHN1 cHBvcnRAZm9ydGluZXQuY29tMB4XDTIxMDIwODE0NDUwMloXDTMxMDIwOTE0NDUw MlowgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH DAlTdW5ueXZhbGUxETAPBgNVBAoMCEZvcnRpbmV0MR4wHAYDVQQLDBVDZXJ0aWZp Y2F0ZSBBdXRob3JpdHkxGTAXBgNVBAMMEEZHNkgwRVRCMjA5MDQyMzMxIzAhBgkq hkiG9w0BCQEWFHN1cHBvcnRAZm9ydGluZXQuY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAppLfb78R/Lr5wr4X6KjCJ4iyW891SELRzUlcC5Vq+iV9 8XkUnB7CuVxWklbaSxraBJWK0nmR53Ve04Mt0E6rMSzKsu1V7XXazCxXyNMG6TCO 8qWthKtkyARZBTOy31GjTRv/ag679v770ZwPe3FfTSKTKdNWY4/E9zmKGhdJK2QY iFLN1Cur8M2Qj1TXqFYlpTwApUHA7EWAQN0Na8KtBGELRbg0KuS8epu2dH9rFpKK 865f6KQ9noKT8qcdfhRbUkFlRAelgJKn21cVYV+S9YpBvp1XEx9LIXS50GcTghbg KzG4MpiFXFdZzgpA/HIb00ZU+i2g+My5WqKb7S9T8QIDAQABoxAwDjAMBgNVHRME BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAMpKt7+MSNC1VCNopgM0Jq74LydHV8 hsQU4nU/qk3dwZmFFoySflq/gVyDTFZ89NBuAZrM0lHWF+aBlEaJ7tq6hY9O7pwj 6OHEZ8KNjDsl3Q1UodflnO0S7O0OLgNpG1Ra4Wk7uaOKD/9Ng29LtnaDeXU+la1A oQHqDEJ6Hk+TTN3euoK+UhheAZWV3WJJUond6LsU7pH44edzrkoTW5zQ3dGcXyr/ 9s9wWRBU49H8PP/O1aGq547MdRP9XenH+YuwAERiC2XPGn1jO+AdAuduyxRNG/xx HPTV8JmKUTx3+EozazX/acfa5++Wp19ZYm4GkepARk/QWYtHUUBHHre6 -----END CERTIFICATE-----

Server certificate subject=CN = brave-browser-apt-release.s3.brave.com issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com

No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2980 bytes and written 404 bytes Verification error: self-signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self-signed certificate in certificate chain)

DONE

And on mobile phone data:

CONNECTED(00000003) depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com verify error:num=19:self-signed certificate in certificate chain verify return:1 depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com verify return:1 depth=0 CN = brave-browser-apt-release.s3.brave.com verify return:1

Certificate chain 0 s:CN = brave-browser-apt-release.s3.brave.com i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jun 3 00:00:00 2023 GMT; NotAfter: Jul 1 23:59:59 2024 GMT -----BEGIN CERTIFICATE----- MIIFlTCCBH2gAwIBAgIUKOlS/QYDosACcthHgNMAXg+m30UwDQYJKoZIhvcNAQEL BQAwgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH DAlTdW5ueXZhbGUxETAPBgNVBAoMCEZvcnRpbmV0MR4wHAYDVQQLDBVDZXJ0aWZp Y2F0ZSBBdXRob3JpdHkxGTAXBgNVBAMMEEZHNkgwRVRCMjA5MDQyMzMxIzAhBgkq hkiG9w0BCQEWFHN1cHBvcnRAZm9ydGluZXQuY29tMB4XDTIzMDYwMzAwMDAwMFoX DTI0MDcwMTIzNTk1OVowMTEvMC0GA1UEAxMmYnJhdmUtYnJvd3Nlci1hcHQtcmVs ZWFzZS5zMy5icmF2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDHMCz0hTSfFhIxozHOKheUeQzMo8yT5VQ1Cwm2jaSAxd6XTOXq8TPk+gu3jfZ2 mVwc7QXRXOIcbFz9FR1HH+ZBaLCN/WPqa6qXFiglYhnrDeTqhYEULKnWlsYENXzI zEjyEbj/NaS2xyTYuvP3VbbHWMi5a+LlaAqj6QSamKJ4HmCVpT18wc0X3T5CNKlL Qsse6bgv1NgTLWVllsHKbm/QJH+GuYl96Pgu6CDpefrnL3DGo9VOiZ+W/6faCgZu yhAjRnG8T77aR3D8N2IJvRFtaCYhQDmslgAFb7RoLhabOVk4L/JrGY9fWHvNDEXU 0z3Vwpq0WElmUVrz17iX9UC5AgMBAAGjggIqMIICJjAdBgNVHQ4EFgQUMOt3PGYS Qa8bvUogUGvbFJ3WsaswMQYDVR0RBCowKIImYnJhdmUtYnJvd3Nlci1hcHQtcmVs ZWFzZS5zMy5icmF2ZS5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG AQUFBwMBBggrBgEFBQcDAjATBgNVHSAEDDAKMAgGBmeBDAECATAMBgNVHRMBAf8E AjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdwDuzdBk1dsazsVct520zROi ModGfLzs3sNRSFlGcR+1mwAAAYh/H5rNAAAEAwBIMEYCIQDyT7QEPjC2tpjhepfy ftmXlpzEAHAInZKpTCC7g0NslgIhAJ498mYFrgeJZQ45J5v91UUO0o7E8mRTxCOj 4Rd6iWx5AHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGIfx+a uQAABAMARzBFAiAJkrMRPFEMEqSzkSgIPM7Lj8S0LPow1yxqNpAVLsQruwIhAJGl p4xSimCY9W6ivbICfdAN3nGPn8xJJz+8xBklE2ERAHUA2ra/az+1tiKfm8K7XGvo cJFxbLtRhIU0vaQ9MEjX+6sAAAGIfx+aiAAABAMARjBEAiBo2bhYpzOtWZB5/dUd lThFJhRpgYntFqG+eow0AAgHTAIgO4ags1ThSEqAfB6I3i6KL7D9M09cDFFTuPZ9 C0+ydIAwDQYJKoZIhvcNAQELBQADggEBAAUExeL5qzjJNOnvPoE/cr0+hAdf00Cj ZS5OEHBbRAP+jEvivhZ0dVkuhuo6yMVSFhJVY5vizuxZ1C7f1h93knuJ14wl3jem dMEWCGyC3ps0wsZVuGsgmyrZf8wudBNMUAIVTXfTwi9PbqE4xAVeF0eHqb3TQTWu GuzGrPk7r/TGQcS7DYJDpahhxoqlV0UQ1Vuk/mSDaawnX0KLSSvPRQz7BFmMOhVb ARG6a765QHgp1nflYd6+rxe9gBEGamqv0I3QUbzK4PuW3gZuTGV71k35EzJGiKiB nb3UecKULzMuqSG2NyUnEa+jvFpXgp8og/TJvTWrmci8WHYM6vd0Fx0= -----END CERTIFICATE----- 1 s:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Feb 8 14:45:02 2021 GMT; NotAfter: Feb 9 14:45:02 2031 GMT -----BEGIN CERTIFICATE----- MIID5jCCAs6gAwIBAgIIHeGHbZxtYpYwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUx ETAPBgNVBAoMCEZvcnRpbmV0MR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp dHkxGTAXBgNVBAMMEEZHNkgwRVRCMjA5MDQyMzMxIzAhBgkqhkiG9w0BCQEWFHN1 cHBvcnRAZm9ydGluZXQuY29tMB4XDTIxMDIwODE0NDUwMloXDTMxMDIwOTE0NDUw MlowgakxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH DAlTdW5ueXZhbGUxETAPBgNVBAoMCEZvcnRpbmV0MR4wHAYDVQQLDBVDZXJ0aWZp Y2F0ZSBBdXRob3JpdHkxGTAXBgNVBAMMEEZHNkgwRVRCMjA5MDQyMzMxIzAhBgkq hkiG9w0BCQEWFHN1cHBvcnRAZm9ydGluZXQuY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAppLfb78R/Lr5wr4X6KjCJ4iyW891SELRzUlcC5Vq+iV9 8XkUnB7CuVxWklbaSxraBJWK0nmR53Ve04Mt0E6rMSzKsu1V7XXazCxXyNMG6TCO 8qWthKtkyARZBTOy31GjTRv/ag679v770ZwPe3FfTSKTKdNWY4/E9zmKGhdJK2QY iFLN1Cur8M2Qj1TXqFYlpTwApUHA7EWAQN0Na8KtBGELRbg0KuS8epu2dH9rFpKK 865f6KQ9noKT8qcdfhRbUkFlRAelgJKn21cVYV+S9YpBvp1XEx9LIXS50GcTghbg KzG4MpiFXFdZzgpA/HIb00ZU+i2g+My5WqKb7S9T8QIDAQABoxAwDjAMBgNVHRME BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAMpKt7+MSNC1VCNopgM0Jq74LydHV8 hsQU4nU/qk3dwZmFFoySflq/gVyDTFZ89NBuAZrM0lHWF+aBlEaJ7tq6hY9O7pwj 6OHEZ8KNjDsl3Q1UodflnO0S7O0OLgNpG1Ra4Wk7uaOKD/9Ng29LtnaDeXU+la1A oQHqDEJ6Hk+TTN3euoK+UhheAZWV3WJJUond6LsU7pH44edzrkoTW5zQ3dGcXyr/ 9s9wWRBU49H8PP/O1aGq547MdRP9XenH+YuwAERiC2XPGn1jO+AdAuduyxRNG/xx HPTV8JmKUTx3+EozazX/acfa5++Wp19ZYm4GkepARk/QWYtHUUBHHre6 -----END CERTIFICATE-----

Server certificate subject=CN = brave-browser-apt-release.s3.brave.com issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com

No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2980 bytes and written 404 bytes Verification error: self-signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self-signed certificate in certificate chain)

DONE

[3]+ Stopped sudo notepad /etc/apt/sources.list.d/brave-browser-release.list

I can still recreate the warning message if I try sudo apt update on the Library Wifi, but no message if i am on phone data

@GuiltySpark7 the s_client outputs you shared for the library network and your phone are identical. They're also different to what I'm getting. You seem to be getting a certificate issued by Fortinet, while one issued by Amazon would be expected.

I'm guessing the outputs being the same on both networks might be a copy/paste mistake?

In any case, it seems like either some local configuration is causing this (perhaps a custom DNS, or VPN), or the network administrator might be doing something unusual.

The IPs brave-browser-apt-release.s3.brave.com resolves to are not static, but it should look something like this

% host brave-browser-apt-release.s3.brave.com
brave-browser-apt-release.s3.brave.com is an alias for d9owkidwx4k9e.cloudfront.net.
d9owkidwx4k9e.cloudfront.net has address 18.172.170.35
d9owkidwx4k9e.cloudfront.net has address 18.172.170.34
d9owkidwx4k9e.cloudfront.net has address 18.172.170.73
d9owkidwx4k9e.cloudfront.net has address 18.172.170.41
%

If it doesn't for you, that would confirm my speculation above.

@wknapik Ahh yes you are right, a copy and paste error, sorry not sure how i managed that. when I am on phone data and able to update fine, I get a certificate from amazon

Certificate from amazon (update working)

CONNECTED(00000003) depth=2 C = US, O = Amazon, CN = Amazon Root CA 1 verify return:1 depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02 verify return:1 depth=0 CN = brave-browser-apt-release.s3.brave.com verify return:1 --- Certificate chain 0 s:CN = brave-browser-apt-release.s3.brave.com i:C = US, O = Amazon, CN = Amazon RSA 2048 M02 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jun 3 00:00:00 2023 GMT; NotAfter: Jul 1 23:59:59 2024 GMT -----BEGIN CERTIFICATE----- MIIF+DCCBOCgAwIBAgIQDv5kAkwyOEikZVRtqwKFtDANBgkqhkiG9w0BAQsFADA8 MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRwwGgYDVQQDExNBbWF6b24g UlNBIDIwNDggTTAyMB4XDTIzMDYwMzAwMDAwMFoXDTI0MDcwMTIzNTk1OVowMTEv MC0GA1UEAxMmYnJhdmUtYnJvd3Nlci1hcHQtcmVsZWFzZS5zMy5icmF2ZS5jb20w ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDnb4oQZ3F8fbhC+jZ9Cdb/ IOw86mplzYoTb5PZIU8lf0KfnG54ZoYkIdzbkAOqa/igYgjT++xVKo7KHPlie1k8 00w/heRFV0ty9MrXLfh77a+5nhuKTFneLlmx/YNIDeW0JJR15GgkKPw5AdrmeMUd VmV9iVdbdLUpTfEMnjEDWgeJWbz8oV3gYxB16gP96Z0OPjWXWxWj7rH6XKx0d0nE 6l+NT3mqBCoktTO4rhzLeSI/72w17WIM1p3hXVeBgsjhL+TzN4FSm21NuVOcVz1p fv2Oci6VJTH1RWFMmetUBeaDPZAhfZP/t/7xXkzu4rr9uoW9AYK3Iqc1QaVuCs43 AgMBAAGjggL/MIIC+zAfBgNVHSMEGDAWgBTAMVLNWlDDgnx0cc7L6Zz5euuC4jAd BgNVHQ4EFgQUMOt3PGYSQa8bvUogUGvbFJ3WsaswMQYDVR0RBCowKIImYnJhdmUt YnJvd3Nlci1hcHQtcmVsZWFzZS5zMy5icmF2ZS5jb20wDgYDVR0PAQH/BAQDAgWg MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA7BgNVHR8ENDAyMDCgLqAs hipodHRwOi8vY3JsLnIybTAyLmFtYXpvbnRydXN0LmNvbS9yMm0wMi5jcmwwEwYD VR0gBAwwCjAIBgZngQwBAgEwdQYIKwYBBQUHAQEEaTBnMC0GCCsGAQUFBzABhiFo dHRwOi8vb2NzcC5yMm0wMi5hbWF6b250cnVzdC5jb20wNgYIKwYBBQUHMAKGKmh0 dHA6Ly9jcnQucjJtMDIuYW1hem9udHJ1c3QuY29tL3IybTAyLmNlcjAMBgNVHRMB Af8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdwDuzdBk1dsazsVct520 zROiModGfLzs3sNRSFlGcR+1mwAAAYh/H5rNAAAEAwBIMEYCIQDyT7QEPjC2tpjh epfyftmXlpzEAHAInZKpTCC7g0NslgIhAJ498mYFrgeJZQ45J5v91UUO0o7E8mRT xCOj4Rd6iWx5AHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGI fx+auQAABAMARzBFAiAJkrMRPFEMEqSzkSgIPM7Lj8S0LPow1yxqNpAVLsQruwIh AJGlp4xSimCY9W6ivbICfdAN3nGPn8xJJz+8xBklE2ERAHUA2ra/az+1tiKfm8K7 XGvocJFxbLtRhIU0vaQ9MEjX+6sAAAGIfx+aiAAABAMARjBEAiBo2bhYpzOtWZB5 /dUdlThFJhRpgYntFqG+eow0AAgHTAIgO4ags1ThSEqAfB6I3i6KL7D9M09cDFFT uPZ9C0+ydIAwDQYJKoZIhvcNAQELBQADggEBAFTP7MCLd6vW8cwGerqWSSJl+gE6 LquBqbPwO1vmCyu/h9yyidaJW4OJvMYmVU10u7rNgWa9SFcjoVxvja2w6fi5j8rG /MRZ7vbZ1mwNrmPaoTsVMVyRo4eXaBy5tOxc6Y+VHHeMUHemkN0OLDnqq9q/jLaS 3qznRUsPuq3/JVmngKL71l+TMUOhMHObHdrwHrgpOrxjCzV9OQbvAdFQjWW+Dvjg s5qDf1HUdXDr1ZBz3+UO4XoWP7hzcjo8yh5aQY69BsUBmJ+N0h18BmhhTuU8mlXZ 8UpCt9WV7A1AA7OXJ6f80hk+qOPvd4h9NDrp1cfNWcabt+9TzH+Yh1w62hg= -----END CERTIFICATE----- 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02 i:C = US, O = Amazon, CN = Amazon Root CA 1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT -----BEGIN CERTIFICATE----- MIIEXjCCA0agAwIBAgITB3MSSkvL1E7HtTvq8ZSELToPoTANBgkqhkiG9w0BAQsF ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 b24gUm9vdCBDQSAxMB4XDTIyMDgyMzIyMjUzMFoXDTMwMDgyMzIyMjUzMFowPDEL MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEcMBoGA1UEAxMTQW1hem9uIFJT QSAyMDQ4IE0wMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtDGMZa qHneKei1by6+pUPPLljTB143Si6VpEWPc6mSkFhZb/6qrkZyoHlQLbDYnI2D7hD0 sdzEqfnuAjIsuXQLG3A8TvX6V3oFNBFVe8NlLJHvBseKY88saLwufxkZVwk74g4n WlNMXzla9Y5F3wwRHwMVH443xGz6UtGSZSqQ94eFx5X7Tlqt8whi8qCaKdZ5rNak +r9nUThOeClqFd4oXych//Rc7Y0eX1KNWHYSI1Nk31mYgiK3JvH063g+K9tHA63Z eTgKgndlh+WI+zv7i44HepRZjA1FYwYZ9Vv/9UkC5Yz8/yU65fgjaE+wVHM4e/Yy C2osrPWE7gJ+dXMCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD VR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNV HQ4EFgQUwDFSzVpQw4J8dHHOy+mc+XrrguIwHwYDVR0jBBgwFoAUhBjMhTTsvAyU lC4IWZzHshBOCggwewYIKwYBBQUHAQEEbzBtMC8GCCsGAQUFBzABhiNodHRwOi8v b2NzcC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbTA6BggrBgEFBQcwAoYuaHR0cDov L2NydC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbS9yb290Y2ExLmNlcjA/BgNVHR8E ODA2MDSgMqAwhi5odHRwOi8vY3JsLnJvb3RjYTEuYW1hem9udHJ1c3QuY29tL3Jv b3RjYTEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqGSIb3DQEBCwUAA4IB AQAtTi6Fs0Azfi+iwm7jrz+CSxHH+uHl7Law3MQSXVtR8RV53PtR6r/6gNpqlzdo Zq4FKbADi1v9Bun8RY8D51uedRfjsbeodizeBB8nXmeyD33Ep7VATj4ozcd31YFV fgRhvTSxNrrTlNpWkUk0m3BMPv8sg381HhA6uEYokE5q9uws/3YkKqRiEz3TsaWm JqIRZhMbgAfp7O7FUwFIb7UIspogZSKxPIWJpxiPo3TcBambbVtQOcNRWz5qCQdD slI2yayq0n2TXoHyNCLEH8rpsJRVILFsg0jc7BaFrMnF462+ajSehgj12IidNeRN 4zl+EoNaWdpnWndvSpAEkq2P -----END CERTIFICATE----- 2 s:C = US, O = Amazon, CN = Amazon Root CA 1 i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgITBn+USionzfP6wq4rAfkI7rnExjANBgkqhkiG9w0BAQsF ADCBmDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNj b3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4x OzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1 dGhvcml0eSAtIEcyMB4XDTE1MDUyNTEyMDAwMFoXDTM3MTIzMTAxMDAwMFowOTEL MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM 9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L 93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm jgSubJrIqg0CAwEAAaOCATEwggEtMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ BAQDAgGGMB0GA1UdDgQWBBSEGMyFNOy8DJSULghZnMeyEE4KCDAfBgNVHSMEGDAW gBScXwDfqgHXMCs4iKK4bUqc8hGRgzB4BggrBgEFBQcBAQRsMGowLgYIKwYBBQUH MAGGImh0dHA6Ly9vY3NwLnJvb3RnMi5hbWF6b250cnVzdC5jb20wOAYIKwYBBQUH MAKGLGh0dHA6Ly9jcnQucm9vdGcyLmFtYXpvbnRydXN0LmNvbS9yb290ZzIuY2Vy MD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwucm9vdGcyLmFtYXpvbnRydXN0 LmNvbS9yb290ZzIuY3JsMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsF AAOCAQEAYjdCXLwQtT6LLOkMm2xF4gcAevnFWAu5CIw+7bMlPLVvUOTNNWqnkzSW MiGpSESrnO09tKpzbeR/FoCJbM8oAxiDR3mjEH4wW6w7sGDgd9QIpuEdfF7Au/ma eyKdpwAJfqxGF4PcnCZXmTA5YpaP7dreqsXMGz7KQ2hsVxa81Q4gLv7/wmpdLqBK bRRYh5TmOTFffHPLkIhqhBGWJ6bt2YFGpn6jcgAKUj6DiAdjd4lpFw85hdKrCEVN 0FE6/V1dN2RMfjCyVSRCnTawXZwXgWHxyvkQAiSr6w10kY17RSlQOYiypok1JR4U akcjMS9cmvqtmg5iUaQqqcT5NJ0hGA== -----END CERTIFICATE----- 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT -----BEGIN CERTIFICATE----- MIIEdTCCA12gAwIBAgIJAKcOSkw0grd/MA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV BAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIw MAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 eTAeFw0wOTA5MDIwMDAwMDBaFw0zNDA2MjgxNzM5MTZaMIGYMQswCQYDVQQGEwJV UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTElMCMGA1UE ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7MDkGA1UEAxMyU3RhcmZp ZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVDDrEKvlO4vW+GZdfjohTsR8/ y8+fIBNtKTrID30892t2OGPZNmCom15cAICyL1l/9of5JUOG52kbUpqQ4XHj2C0N Tm/2yEnZtvMaVq4rtnQU68/7JuMauh2WLmo7WJSJR1b/JaCTcFOD2oR0FMNnngRo Ot+OQFodSk7PQ5E751bWAHDLUu57fa4657wx+UX2wmDPE1kCK4DMNEffud6QZW0C zyyRpqbn3oUYSXxmTqM6bam17jQuug0DuDPfR+uxa40l2ZvOgdFFRjKWcIfeAg5J Q4W2bHO7ZOphQazJ1FTfhy/HIrImzJ9ZVGif/L4qL8RVHHVAYBeFAlU5i38FAgMB AAGjgfAwge0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0O BBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMB8GA1UdIwQYMBaAFL9ft9HO3R+G9FtV rNzXEMIOqYjnME8GCCsGAQUFBwEBBEMwQTAcBggrBgEFBQcwAYYQaHR0cDovL28u c3MyLnVzLzAhBggrBgEFBQcwAoYVaHR0cDovL3guc3MyLnVzL3guY2VyMCYGA1Ud HwQfMB0wG6AZoBeGFWh0dHA6Ly9zLnNzMi51cy9yLmNybDARBgNVHSAECjAIMAYG BFUdIAAwDQYJKoZIhvcNAQELBQADggEBACMd44pXyn3pF3lM8R5V/cxTbj5HD9/G VfKyBDbtgB9TxF00KGu+x1X8Z+rLP3+QsjPNG1gQggL4+C/1E2DUBc7xgQjB3ad1 l08YuW3e95ORCLp+QCztweq7dp4zBncdDQh/U90bZKuCJ/Fp1U1ervShw3WnWEQt 8jxwmKy6abaVd38PMV4s/KCHOkdp8Hlf9BRUpJVeEXgSYCfOn8J3/yNTd126/+pZ 59vPr5KW7ySaNRB6nJHGDn2Z9j8Z3/VyVOEVqQdZe4O/Ui5GjLIAZHYcSNPYeehu VsyuLAOQ1xk4meTKCRlb/weWsKh/NEnfVqn3sF/tM+2MR7cwA130A4w= -----END CERTIFICATE----- --- Server certificate subject=CN = brave-browser-apt-release.s3.brave.com issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 5532 bytes and written 404 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- DONE

I haven't messed around with my DNS or VPN that i am aware of and all that I am changing is whether my phone (acting as hotspot) uses the Library WiFi or Data. My thoughts lean towards "administrator might be doing something unusual." But i don't know nearly as much as you. Thanks a lot for deepening my understanding and taking time, the internet is a better place for the likes of you.

I am satisfied :)

Thank you for the kind words @GuiltySpark7 :) It does look like the library is doing something weird. To anyone who finds this issue in the future - if you're seeing similar symptoms, it's likely a similar problem and changing networks (including by getting on a VPN) will likely resolve it.

Fortinet is a firewall vendor, some of the products include SSL/TLS inspection, which can be configured per-category (e.g. to allow virus scanning for "Software Download" sites).

Their database lookup shows the following changes:

Oct 21, 2022 @ 09:30:09 PDT updated as Freeware and Software Downloads

Jan 04, 2024 @ 17:35:13 PST updated as Information Technology

@GuiltySpark7 is this still an issue?

sorry I will probably not be back to the same library for many months. I have not seen it as a error in a while though. Might be because I have changed country (Original error found at Canadian library, I am now in Spain). I might be back in Canada in the next few months, if I manage to replicate the error I will post here, If there is radio silence then the error is not happening

brave / brave-browser

Certificate Error for Repo brave-browser-apt-release.s3.brave.com #7658

Description

Steps to Reproduce

Actual result:

Expected result:

Reproduces how often:

Brave version (brave://version info)

Other Additional Information:

Miscellaneous Information:

The following lines are desirable for IPv6 capable hosts

Server certificate subject=CN = brave-browser-apt-release.s3.brave.com issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com

No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2980 bytes and written 404 bytes Verification error: self-signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self-signed certificate in certificate chain)

Server certificate subject=CN = brave-browser-apt-release.s3.brave.com issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FG6H0ETB20904233, emailAddress = support@fortinet.com

No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2980 bytes and written 404 bytes Verification error: self-signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self-signed certificate in certificate chain)