Ubuntu 20.04 - snap buggy from the beginning - x509: certificate signed by unknown authority

mathman · October 20, 2020, 5:59am

I recently installed Ubuntu 20.04. Considering the time that passed since its release I thought it would be stable. After installing it, I go to Snap Store (named Ubuntu Software) and I see that several new programs appear, but after a few moments, only the editor picks show, nothing else.

I try to install PyCharm through the command line with snap, sudo snap install pycharm-community --classic but it gives me this error: x509: certificate signed by unknown authority.

Afterwards, I decide to purge snap store and reinstall it, and after running these 2 commands: sudo apt-get update , sudo apt install snapd , I enter this one sudo snap install snap-store and gives me again, the same error with the certificates.

I got no idea whats going on. I installed it from 0

Edit 1 : Output of snap list :

No snaps are installed yet. Try 'snap install hello-world'.

Output of sudo snap install snap-store :

error: cannot install "snap-store": Post
       https://api.snapcraft.io/v2/snaps/refresh: x509: certificate signed by
       unknown authority

tobias · October 20, 2020, 6:27am

Sounds like an issue with your local CA certificates rather than an issue with the snap store or snapd. I can connect to api.snapcraft.io via TLS on port 443, it’s using a certificate signed by Let’s Encrypt.

Please run openssl s_client -connect api.snapcraft.io:443 in a local terminal to verify if the TLS connection is working properly.

If there’s an error, try running sudo update-ca-certificates in a local terminal to update your certificate store. Something there seems to be off.

popey · October 20, 2020, 10:21am

You may want to sudo apt dist-upgrade to make sure you have all updates.

mathman · October 20, 2020, 9:15pm

just run it,0 added, 0 removed

mathman · October 20, 2020, 9:21pm

seems there’s a problem there: unable to get local issuer certificate
after running sudo update-ca-certificates it says:
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.

mcphail · October 20, 2020, 10:30pm

Just an idea - are you running this in a corporate network, via a captive portal, or in some other situation where there is a third party man-in-the-middling your TLS connections? Can you connect to https sites from this machine?

mathman · October 21, 2020, 5:08am

sure, can connect. it’s a normal network, not corporate or something like that

ogra · October 21, 2020, 6:58am

is your clock of the machine set correctly ?

mathman · October 21, 2020, 11:00am

yes it was. I also just checked again, and automatically updated it with the internet connection to be sure

ogra · October 21, 2020, 11:04am

and did you try the

openssl s_client -connect api.snapcraft.io:443

command that @tobias suggested to get some debug data from openssl ?

klimburg · January 1, 2021, 5:19pm

I have the same issue after upgrading from 18.04 to 20.04. I have no MITM or other proxying set up on my network.

$ openssl s_client -connect api.snapcraft.io:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api.snapcraft.io
verify return:1
---
Certificate chain
 0 s:CN = api.snapcraft.io
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = api.snapcraft.io

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3288 bytes and written 434 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
   ...
    Start Time: 1609520578
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

I have run sudo update-ca-certificates, sudo apt dist-upgrade etc everything seems to be up to date.

$ snap version
snap    2.48+20.04
snapd   2.48+20.04
series  16
ubuntu  20.04
kernel  5.4.0-58-generic

klimburg · January 1, 2021, 6:24pm

Ok problem solved

I had to add Digital Signature Trust Co., CN = DST Root CA X3 since for some reason that wasnt active.

After adding and running sudo update-ca-certificates I had to restart snapd for it to work using sudo systemctl restart snapd

doktorivan · March 22, 2021, 7:45pm

I am running this on a corporate network, and I’m getting the same error. Is there a known workaround?

mborzecki · March 23, 2021, 6:56am

Have you tried openssl s_client -connect api.snapcraft.io:443 ? Was the verification successful?

doktorivan · March 23, 2021, 4:26pm

I get Verify return code: 19 (self signed certificate in certificate chain) when I run that command.

mborzecki · March 23, 2021, 5:33pm

When I run this on my system, the API presents the following certificates which get verified correctly:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.snapcraft.io
verify return:1
---
Certificate chain
 0 s:CN = api.snapcraft.io
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Maybe you’re running through a proxy?

doktorivan · March 23, 2021, 8:18pm

It looks like my stumbling block is a perimeter firewall certificate.

kaushik_acharya · September 30, 2022, 12:47pm

Though the discussion is regarding Ubuntu 20.04 but I am having Ubuntu 18.04. Couldn’t find a corresponding discussion thread. Hence posting here.

OS:

Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-177-generic x86_64)

The VM that I am using is a corporate one with a proxy.

The command

openssl s_client -connect api.snapcraft.io:443

returns the following error:

139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110: 139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111: 139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110: 139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111: 139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110: 139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111: 139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110: 139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111: connect:errno=110

irrespective of setting http/https proxy as defined in https://snapcraft.io/docs/system-options under the section: system proxy.{http,https,ftp}

I came across the above issue while installing certbot from snap.

Thanks in advance for any suggestion to resolve this issue.

kaushik_acharya · October 3, 2022, 4:09am

Providing correct proxy solved the issue.

trishonline · January 5, 2023, 7:46pm

I had the same issue on a VM Ubuntu instance. Changing network configuration to Bridged Adapter fixed it.