Problem with repo update and GPG key for Zato3.0

[SharpThunder]

Hello,

I already installed Zato and it's repo in a Ubuntu 16.04 server. During auto update of my zato servers, I encountered repo update error.

Err:12 https://zato.io/repo/stable/3.0/ubuntu xenial/main amd64 Packages server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none Reading package lists... Done W: The repository 'https://zato.io/repo/stable/3.0/ubuntu xenial Release' does not have a Release file. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. E: Failed to fetch https://zato.io/repo/stable/3.0/ubuntu/dists/xenial/main/binary-amd64/Packages server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none E: Some index files failed to download. They have been ignored, or old ones used instead.

When i try to re-add the key with

curl -s https://zato.io/repo/zato-0CBD7F72.pgp.asc | sudo apt-key add - gpg: no valid OpenPGP data found.

Could you please update the key? Thanks.

[dsuch]

Hello @SharpThunder,

• The PGP key is valid, I have just successfully checked it using the curl version from Ubuntu 18.04
• The exception that you encounter is to do with the fact that curl in your version can not understand the zato.io's TLS certificate

• That all aside, there is no longer free support for Zato 3.0, please check the release policies for 3.0 and 3.1 here:

  https://zato.io/docs/3.0/release/policy.html https://zato.io/docs/3.1/release/policy.html

My curl version is:

$
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 
$

[SharpThunder]

Hello @dsuch

• I will try to update the curl version but in ubuntu repos this version is the latest.

• However, I don't think that is the issue, auto update works every week without issues with the same version of curl, this issue probably happened because USERTrust RSA Certification Authority expired last week and old clients don't like broken certificate chains.

• https://whatsmychaincert.com/?zato.io shows that chain has expired certificate.

• Me aside this will help the many people who use Ubuntu 16.04 and the new comers.

Thanks.

[dsuch]

Ah, I see, thanks, I will relay it to the people responsible for the certificate.

The situation with OpenSSL is that it started to move much faster in the last few years so I imagine that such things may happen from time to time and only four years will mean a lot - although I have not seen it myself prior to this ticket.

As for the newcomers, they tend to use the latest versions of everything so this is less of a concern but you are right that generally, this is something to look into, thanks once more.

[dsuch]

@SharpThunder Could you try it out now? There is a new intermediate certificate uploaded.

[SharpThunder]

Thank you, that fixed the problem.