Ubuntu 20.04 - snap buggy from the beginning - x509: certificate signed by unknown authority

You may want to sudo apt dist-upgrade to make sure you have all updates.

just run it, 0 added, 0 removed

seems there’s a problem there: unable to get local issuer certificate
after running sudo update-ca-certificates it says:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Just an idea - are you running this in a corporate network, via a captive portal, or in some other situation where there is a third party man-in-the-middling your TLS connections? Can you connect to https sites from this machine?

sure, can connect. it’s a normal network, not corporate or something like that

is the clock of your machine set correctly?

yes it was. I also just checked again, and automatically updated it with the internet connection to be sure

and did you try the

openssl s_client -connect api.snapcraft.io:443

command that @tobias suggested to get some debug data from openssl ?

I have the same issue after upgrading from 18.04 to 20.04. I have no MITM or other proxying set up on my network.

$ openssl s_client -connect api.snapcraft.io:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api.snapcraft.io
verify return:1
---
Certificate chain
 0 s:CN = api.snapcraft.io
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = api.snapcraft.io

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3288 bytes and written 434 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
   ...
    Start Time: 1609520578
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

I have run sudo update-ca-certificates, sudo apt dist-upgrade, etc.; everything seems to be up to date.

$ snap version
snap    2.48+20.04
snapd   2.48+20.04
series  16
ubuntu  20.04
kernel  5.4.0-58-generic

Ok problem solved

I had to add Digital Signature Trust Co., CN = DST Root CA X3 since for some reason that wasn't active.

After adding and running sudo update-ca-certificates I had to restart snapd for it to work using sudo systemctl restart snapd

I am running this on a corporate network, and I’m getting the same error. Is there a known workaround?

Have you tried openssl s_client -connect api.snapcraft.io:443 ? Was the verification successful?

I get Verify return code: 19 (self signed certificate in certificate chain) when I run that command.

When I run this on my system, the API presents the following certificates which get verified correctly:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.snapcraft.io
verify return:1
---
Certificate chain
 0 s:CN = api.snapcraft.io
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Maybe you’re running through a proxy?

It looks like my stumbling block is a perimeter firewall certificate.

Though the discussion is regarding Ubuntu 20.04, I have Ubuntu 18.04. I couldn't find a corresponding discussion thread, hence posting here.

OS:

Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-177-generic x86_64)

The VM that I am using is a corporate one with a proxy.

The command

openssl s_client -connect api.snapcraft.io:443

returns the following error:

139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
139925280621696:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
139925280621696:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=110

irrespective of setting http/https proxy as defined in https://snapcraft.io/docs/system-options under the section: system proxy.{http,https,ftp}

I came across the above issue while installing certbot from snap.

Thanks in advance for any suggestion to resolve this issue.

Providing the correct proxy solved the issue.

I had the same issue on a VM Ubuntu instance. Changing network configuration to Bridged Adapter fixed it.

Hi there, I would just like to share my experience with facing the same (x509: certificate signed by unknown authority) issue. After struggling with my Multipass Ubuntu for a few days, I finally decided to check the certificate provided by https://canonical-bos01.cdn.snapcraftcontent.com/ and found out that it was substituted by internet security software running on my host. The issue was simply resolved by disabling the internet security software.

The true Canonical certificate should be issued by:

Common Name (CN) DigiCert TLS RSA SHA256 2020 CA1
Organization (O) DigiCert Inc
Organizational Unit (OU)

Hope this may help somebody.

Answer here: Certificate substitution and snaps
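
The triage done by hand across this thread (reading the verify return code and the topmost issuer out of openssl s_client output), as an added example that is not part of any post above. The function names and the "Example Inspection CA" sample are assumptions made for illustration; the code 20 sample reuses the chain lines posted in the thread.

```shell
#!/bin/sh
# Added example: classify saved `openssl s_client` output.
# Capture with: openssl s_client -connect api.snapcraft.io:443 </dev/null 2>&1

# Numeric "Verify return code" from s_client output on stdin (empty if none).
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Issuer ("i:" line) of the last certificate in the "Certificate chain" block.
top_issuer() {
  sed -n 's/^ *i:\(.*\)$/\1/p' | tail -n 1
}

# diagnose "<s_client output>" -> one-line verdict
diagnose() {
  dg_code=$(printf '%s\n' "$1" | verify_code)
  dg_issuer=$(printf '%s\n' "$1" | top_issuer)
  case "$dg_code" in
    0)  echo "ok: chain verified up to a trusted root" ;;
    20) echo "missing-root: '$dg_issuer' is not an active local trust anchor" ;;
    19) echo "untrusted-root: chain ends in self-signed '$dg_issuer' (proxy, firewall or security software CA?)" ;;
    "") echo "no-handshake: no verify code, check connectivity and proxy settings" ;;
    *)  echo "other: verify return code $dg_code" ;;
  esac
}

# Chain and verify lines as posted in the thread (code 20).
SAMPLE_20="Certificate chain
 0 s:CN = api.snapcraft.io
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
    Verify return code: 20 (unable to get local issuer certificate)"

# Constructed sample: an inspecting middlebox re-signs the leaf (code 19).
SAMPLE_19="Certificate chain
 0 s:CN = api.snapcraft.io
   i:CN = Example Inspection CA (constructed)
 1 s:CN = Example Inspection CA (constructed)
   i:CN = Example Inspection CA (constructed)
    Verify return code: 19 (self signed certificate in certificate chain)"

diagnose "$SAMPLE_20"
diagnose "$SAMPLE_19"
diagnose "connect:errno=110"
```

A "missing-root" verdict names the CA to enable locally, followed by sudo update-ca-certificates and sudo systemctl restart snapd as described above; an "untrusted-root" verdict with an unfamiliar issuer points at certificate substitution on the path.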