Certificate verification failed

[drjwbaker]

Hey hey. I'm trying to install Siegfried on a new PC (Windows with a linux subsystem) and I'm hitting the errors below when I do sudo add-apt-repository "deb [arch=amd64] https://www.itforarchivists.com/ buster main". Any thoughts?

Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB] Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB] Get:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB] Ign:5 https://www.itforarchivists.com buster InRelease Err:6 https://www.itforarchivists.com buster Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 172.67.166.43 443] Reading package lists... Done E: The repository 'https://www.itforarchivists.com buster Release' does not have a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.

[richardlehane]

Thanks for reporting this James. Did you run sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 20F802FE798E6857 before adding the repository?

[richardlehane]

a quick google, it seems like some people have had trouble using the apt-key command to download keys on WSL: e.g. https://dsebastien.medium.com/adding-missing-gpg-keys-for-apt-get-on-wsl-20911153ae42 & https://github.com/sbt/sbt/issues/4261

The workaround recommended is to download the key with curl and pipe that to apt-key add

curl -sL https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x20F802FE798E6857 | sudo apt-key add

that might be worth a try

[drjwbaker]

I was following the ubuntu steps here https://www.itforarchivists.com/siegfried/

[drjwbaker]

The suggested fix above doesn't work for me. Think I'll go back a machine I have siegfried (which I love, by the way!) on and know it works!

[richardlehane]

thanks for testing. I'll see if I can get access to a win PC with WSL so I can try to reproduce then fix

[drjwbaker]

Thanks Richard. No hurry. fyi, I also couldn't install with Brew in WSL.

Error: The following formula cannot be installed from bottle and must be built from source. siegfried Install Clang or run brew install gcc.

Installing gcc didn't fix it.

But maybe I was just having a bad day!

[ross-spencer]

If the goal is to get SF up and running for now, rather than convenient access to its updates (although if you're comfortable with git that's not a problem either), I can recommend the ease of compilation using Golang, Googling it looks like WSL can be configured to use Golang, e.g. here. Once the $PATH is configured, then go install under the siegfried/cmd/sf folder will place an sf onto the path for you to use elsewhere. You'd be looking to install go 1.13 upwards per the go.mod file. Bonus points - it might make it more tempting to hack on! 😉

[digitalsleuth]

I'm getting the same error as @drjwbaker , in that the repository does not have a Release file, and

  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 172.64.80.1 443]

This is on Ubuntu Focal 20.04.4 as well. This appears to be a certificate problem and/or a Release file problem, not necessarily a GPG key issue.

[richardlehane]

thanks for this extra info @digitalsleuth

[digitalsleuth]

Tried again yesterday just to test it out, everything was fine with no certificate error. @drjwbaker Not sure if you've tried again lately, but it seems to work for me now.

[richardlehane]

great to have this update. Not sure what is going on because I haven't made any fixes to the repository yet, perhaps this is a transient issue. I'll still investigate

[drjwbaker]

Tried again yesterday just to test it out, everything was fine with no certificate error. @drjwbaker Not sure if you've tried again lately, but it seems to work for me now.

Worked with mac/brew today, so yeah, maybe a transient issue.