search

chirpstack / chirpstack-gateway-bridge

ChirpStack Gateway Bridge abstracts Packet Forwarder protocols into Protobuf or JSON over MQTT.
https://www.chirpstack.io
MIT License
415 stars 269 forks source link

Debian installation fails due to expired certificate #201

Closed Fainzeraier closed 2 years ago

Fainzeraier commented 2 years ago

What happened?

When trying to install Chirpstack Gateway Bridge on our debian linux server following this guide https://www.chirpstack.io/gateway-bridge/install/debian/, installation failed due to expired certificate.

What did you expect?

Expected installation to work. I installed the Gateway Bridge last time Jan 2021 to a similar Debian server, it did work back then.

Steps to reproduce this issue

Steps:

  1. Open a Debian linux cli
  2. Run the commands as described here https://www.chirpstack.io/gateway-bridge/install/debian/

Could you share your log output?

henrik@Chirp2:/etc$
henrik@Chirp2:/etc$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1CE2AFD36DBCCA00                    Executing: /tmp/apt-key-gpghome.yNPEiaAuB0/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 1CE2AFD36DBCCA00
gpg: key 1CE2AFD36DBCCA00: "Orne Brocaar <info@brocaar.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
henrik@Chirp2:/etc$ sudo echo "deb https://artifacts.chirpstack.io/packages/3.x/deb stable main" | sudo tee /etc/apt/sources.list.d/chirpstack.list
deb https://artifacts.chirpstack.io/packages/3.x/deb stable main
henrik@Chirp2:/etc$ sudo apt update
Hit:1 http://www.nic.funet.fi/debian buster InRelease
Hit:2 http://www.nic.funet.fi/debian buster-updates InRelease
Hit:3 http://security.debian.org/debian-security buster/updates InRelease
Hit:4 https://packages.grafana.com/enterprise/deb stable InRelease
Ign:5 https://artifacts.chirpstack.io/packages/3.x/deb stable InRelease
Err:6 https://artifacts.chirpstack.io/packages/3.x/deb stable Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 188.166.134.65 443]
Reading package lists... Done
E: The repository 'https://artifacts.chirpstack.io/packages/3.x/deb stable Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
henrik@Chirp2:/etc$ sudo apt install chirpstack-gateway-bridge
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  chirpstack-gateway-bridge
0 upgraded, 1 newly installed, 0 to remove and 103 not upgraded.
Need to get 4,986 kB of archives.
After this operation, 13.5 MB of additional disk space will be used.
Err:1 https://artifacts.chirpstack.io/packages/3.x/deb stable/main amd64 chirpstack-gateway-bridge amd64 3.10.0
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 188.166.134.65 443]
E: Failed to fetch https://artifacts.chirpstack.io/packages/3.x/deb/pool/main/c/chirpstack-gateway-bridge/chirpstack-gateway-bridge_3.10.0_linux_amd64.deb  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 188.166.134.65 443]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
henrik@Chirp2:/etc$

Your Environment

Linux Chirp2 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

brocaar commented 2 years ago

Thanks for reporting. I was able to reproduce a simmilar error on one of my test environments:

apt update
Hit:1 http://deb.debian.org/debian stretch-backports InRelease
Hit:2 http://security.debian.org stretch/updates InRelease          
Hit:3 http://deb.debian.org/debian unstable InRelease               
Hit:4 http://ftp.debian.org/debian stretch-backports InRelease      
Ign:5 http://mirrors.digitalocean.com/debian stretch InRelease      
Hit:6 http://mirrors.digitalocean.com/debian stretch-updates InRelease
Hit:7 http://mirrors.digitalocean.com/debian stretch Release
Hit:8 https://repos.influxdata.com/debian stretch InRelease
Ign:9 https://artifacts.chirpstack.io/packages/3.x/deb stable InRelease
Ign:10 https://artifacts.chirpstack.io/packages/3.x/deb testing InRelease
Err:11 https://artifacts.chirpstack.io/packages/3.x/deb stable Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Err:12 https://artifacts.chirpstack.io/packages/3.x/deb testing Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
E: The repository 'https://artifacts.chirpstack.io/packages/3.x/deb stable Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://artifacts.chirpstack.io/packages/3.x/deb testing Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

After spending about an hour on looking at the wrong place (I was assuming this was because of the apt signing key which was causing this, but this has an expiration of 1-1-2022), I noticed this was not because of this but because of the Lets Encrypt certificate.

There is nothing wrong with the certificate of https://artifacts.chirpstack.io/ (generated by Lets Encrypt), but the Lets Encrypt root certificate has expired: https://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c/69403278#69403278. These certificates must be present on your host machine in order to validate that the certificate used for https://artifacts.chirpstack.io/ is authentic.

In my case, the following sequence of commands solved the issue:

# this will show some errors
sudo apt update

# this will install all upgradable packages and updates the CA certificates including the Lets Encrypt certificate
sudo apt upgrade

# this will update the ChirpStack repository
apt update

# now you can upgrade the ChirpStack packages
apt upgrade

If that doesn't work, you could also try the comment posted in https://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c/69403278#69403278

For those having issues due to this, but unrelated to github, the following worked for me while following this comment stackoverflow.com/a/24492364/14633782: sudo apt-get install apt-transport-https ca-certificates -y sudo update-ca-certificates – Keipi Oct 1 at 10:17

Fainzeraier commented 2 years ago

Thank you for the quick response. The update and upgrade commands weren't enough to solve the issue for me, but I got the installation to work eventually after trying that stackoverflow solution, then running update and upgrade, and also rebooting the server once.