107

Running sudo apt-get update on my AWS EC2 Ubuntu 18.04.01 LTS instance fails:

Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown

when trying to access the deb.nodesource.com/node_10.x bionic Release

Here is the result after running sudo apt-get update:

Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Ign:3 https://deb.nodesource.com/node_10.x bionic InRelease
Get:4 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Err:5 https://deb.nodesource.com/node_10.x bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]
Get:6 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Reading package lists... Done
W: https://deb.nodesource.com/node_10.x/dists/bionic/InRelease: No system certificates available. Try installing ca-certificates.
W: https://deb.nodesource.com/node_10.x/dists/bionic/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://deb.nodesource.com/node_10.x bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

It seems like my current installation of Node.js is causing the problem.

I have tried installing and updating ca-certificates in etc/ssl/certs, however, this did not help. I'm not exactly sure how to proceed from here to resolve this issue.

I'm not looking for a quick workaround that would compromise the security of the server.

vvvvv
  • 608
Joe
  • 1,199

19 Answers19

117

I experienced this error trying to add the keys for mongodb-org 4.0 to a docker container running Ubuntu 18.04. There was a problem with the certificates installed in this base image. I managed to fix it by install ca-certificates:

sudo apt install ca-certificates
caffeinated.tech
  • 1,445
  • 1
  • 11
  • 10
  • 3
    Thanks - this actually solved the problem without bypassing security. – carusot42 Mar 27 '20 at 19:42
  • I'm on an infrequently used "Ubuntu for Windows" instance and I can't install ca-certificates because esm.ubuntu.com server certificate verification failed... – jla Dec 03 '20 at 18:07
  • Mine says I'm already running the current version – Katastic Voyage Aug 26 '21 at 01:29
  • @KatasticVoyage Then you may have a different issue. Could you post a new question with all the relevant details, and reference this question saying that these solutions didn't work for you? I reckon plenty has changed since these questions & answers. – caffeinated.tech Aug 26 '21 at 09:16
  • 2
    This should be an accepted answer. Today met the same problem inside of 18.04.* container, installing ca-certificates resolved it. Thanks! – Andrei Sinitson Oct 01 '21 at 08:35
  • 1
    I think the reason this happens is because the root certificates on the Ubuntu are outdated, so upgrading ca-certificates solves it. – lucaswxp Oct 02 '21 at 14:06
  • 1
    @lucaswxp Frankly speaking, I don't have the knowledge to know if what you said is the real cause of the problem, but I really appreciate that you are explaining "why" instead of simply doing "how". – yaobin Oct 15 '21 at 18:32
  • 1
    For me, I just had to make sure I updated it... sudo apt install --only-upgrade ca-certificates – Cobertos Oct 22 '21 at 01:13
  • It fixed for my by update the already installed ca-certificates package with this above command. – Feriman Nov 10 '21 at 13:06
  • This fixed my Sublime Text error! Nice. Here was my error: Err:6 https://download.sublimetext.com apt/stable/ Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 104.236.0.104 443]...E: The repository 'https://download.sublimetext.com apt/stable/ Release' no longer has a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. – Gabriel Staples Dec 17 '21 at 04:38
  • Note: for my Sublime Text comment above see their forum here. They linked back to this answer. Upvoted! – Gabriel Staples Dec 17 '21 at 04:39
  • it does nothing, same error – Madeo Feb 01 '22 at 08:56
34

You can add [trusted=yes] in the sources.list. For example:

deb [trusted=yes] http://ppa.launchpad.net/repo_name/pkg/ubuntu vivid main
deb-src [trusted=yes] http://ppa.launchpad.net/repo_name/pkg/ubuntu vivid main
Mike V.D.C.
  • 898
  • 8
    Hi Mike. I'm still seeing the same error after updating both /etc/apt/sources.list and /etc/apt/sources.list.d/nodesource.list with [trusted=yes] as shown above. – Joe Nov 23 '18 at 17:01
  • 1
    sorry for the newbie question, but where is sources list, how do I add trusted=yes, and what does "vivid" mean in this context? – schlingel Dec 12 '19 at 08:15
  • 4
    If you are VPNing through somewhere that uses ZScaler or something alike then you may hit this problem too. In my case I had only to turn off the vpn and the update went flawless. – Leo May 08 '20 at 08:49
  • @schlingel sources.list.d at /etc/apt/, vivid is the first part of Ubuntu release (version) name.. – All Іѕ Vаиітy Nov 17 '21 at 07:03
  • 1
    not work for me... – Linc Jun 25 '22 at 07:33
34

For those still having this issue, here is a solution which I gleaned from the Ubuntu manpages.

The OP's post indicates a certificate verification error:

Err:5 https://deb.nodesource.com/node_10.x bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: XX.XXX.XX.XX 443]

I was having similar issues on a VM which sits behind a corporate proxy. The proxy acts as a man-in-the-middle, decrypting and re-encrypting traffic as it flows through the proxy. Even though I had the trusted certificate installed on my VM for the proxy, this error was still happening, caused by an invalid OCSP response. To fix it, I ran this command:

touch /etc/apt/apt.conf.d/99verify-peer.conf \
&& echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

This disables apt's OCSP verification, and is not recommended.

I chose a different solution, which may not be available to others. Our company maintains a non-decrypting proxy for use cases like this, so I switched to using it.

WPWoodJr
  • 449
19

Make sure your date and time are set correctly.

Savlon
  • 299
7

This happened today to me on an old, poorly maintained Ubuntu 16 release.

The first problem was that the sources in /etc/apt were HTTP and not HTTPS, and they had been blocked. The HTTPS links failed verification, which was expected since I believe they use LetsEncrypt and they changed their certification path last October.

But I could not update ca-certificates because they were believed current -- and I could not make apt understand they weren't current because, you know, the update was not working.

So:

  1. Temporarily disable certificate verification by adding

    Acquire { https::Verify-Peer false }

    in /etc/apt/apt.conf.d/99verify-peer.conf.

  2. Run apt update to get the new ca-certificates info

  3. Run apt install ca-certificates

  4. Re-enable certificate verification

    Edit the file above and remove the peer-verification bypass. If the file is now empty, you may delete it.

Now everything should mostly work.

I then proceeded to clean the apt cache, and run a full dist-upgrade. This, in turn, unlocked the do-release-upgrade command. It did not work completely on the first time around, I had to run apt-get update again, clean unneeded packages and remove two packages that were conflicted, and update.

After a couple of hours and another release upgrade from 18, I got the system running Ubuntu 20.04-LTS and could reinstall the two missing packages from the previous stage. Everything is okay now.

muru
  • 197,895
  • 55
  • 485
  • 740
LSerni
  • 433
  • 6
  • 6
5

You can replace https:// with http:// from setup script using sed.

curl -sL https://deb.nodesource.com/setup_10.x | sed 's|https://|http://|' | sudo -E bash -

This should be used as the last alternative of course.

Toilal
  • 199
  • 1
    Welp... not recommended... Also, some resources may redirect to HTTP over SSL/TLS anyways on their back-end. – Artfaith Oct 26 '21 at 21:48
  • 1
    Thanks that worked for me to change https to http, install apt install ca-certificates and again change http to https. https://serverfault.com/questions/1093511/apt-get-update-failing-because-of-certificate-validation/1133024#1133024 – bl3ssedc0de Jun 10 '23 at 21:07
2

What caused the problem

I was originally trying to install Node.js on Ubuntu 18.04.01 LTS via PPA and curl via: 

curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh

However, running this command generated a nodesource.list file in etc/apt/sources.list.d/ with the following contents: 

deb https://deb.nodesource.com/node_10.x xenial main
deb-src https://deb.nodesource.com/node_10.x xenial main

So when running sudo apt update these sources could not be trusted via SSL handshake which caused to the update to fail.

How I fixed it

  1. Navigated to /etc/apt/nodesource.list.d

  2. Removed nodesource.list file from the system with

    sudo rm nodesource.list

  3. Purged the system of any current Node.js installation with

    sudo apt-get purge nodejs

    sudo apt-get autoremove

  4. Installed the Distro-Stable Version of Node.js for Ubuntu with:

    sudo apt update

    sudo apt install nodejs

    sudo apt install npm

Joe
  • 1,199
  • "So when running ... these sources could not be trusted via SSL handshake": Why could they not be trusted? – BlenderBender Apr 20 '19 at 13:47
  • @BlenderBender At the time this error happened, I couldn't find the root cause as to why these sources could not be trusted. – Joe May 23 '19 at 14:35
2

I was facing the same error on WSL2 Ubuntu and tried to install ca-certificates with no luck, as it was already installed.

Then I updated /etc/apt/sources.list to use the global servers, updated Apt, and now it works. After upgrading, I saw some updates were made in the /etc/ssl/certs directory; new certificates.

Out of curiosity, I changed sources.list file to use the mirror servers again, and everything works.

matigo
  • 22,138
  • 7
  • 45
  • 75
linuxspy
  • 21
2

This error can be caused by not having the certs in /etc/ssl/certs world-readable. I ran into this after restoring my certs from a backup: for me, the /etc/ssl directory itself was set to 750 instead of 755 making it's contents unreadable except to root.

Try these commands if you're having trouble and reinstalling ca-certificates doesn't help:

sudo chmod 755 /etc /etc/ssl /etc/ssl/certs
sudo chmod 644 /etc/ssl/certs/ca-certificates.crt
ki9
  • 522
  • 1
    And you're exactly right, sir! Kudos for posting. Was super-puzzled by seeing the relevant CA roots present in the ca bundle, browser/curl/openssl s_client verifying no problem — but apt acting up. Turned out, a cert issuing script I used before on this machine, set /etc/ss/certs to 750. Best wishes – ulidtko Jan 06 '23 at 14:27
  • This solved my problem! – eethirteenzz Jan 30 '24 at 05:12
2

To summary all the response above, there are 3 possibilities:

1/ ca-certificates are not installed Solution:

apt install -y ca-certificates

But you say they are. So for you, that should not be an answer.

2/ disable https check (https::Verify-Peer) Solution: add this to /etc/apt/conf.d/

Acquire { https::Verify-Peer false }

but that reduce your security.

3/ find the certificate of your server and add it

jehon
  • 165
2

This fixed it for me:

sudo dpkg-reconfigure tzdata
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
sudo apt update
sudo apt upgrade ca-certificates --fix-missing

Credits to:

balupton
  • 234
1

This issue can also occur due to corrupt cache. I resolved this by:

sudo apt clean

then

sudo apt update

then

sudo apt upgrade
kewlashu
  • 111
1

I meet same problem,
here fix (try) step by step.

// base on caffeinated.tech's answer,
// I guess something break my ca-certificates package.

1. mirror 1

sudo apt-get update
Ign:1 https://mirrors.ustc.edu.cn/ubuntu focal InRelease
Ign:2 https://mirrors.ustc.edu.cn/ubuntu focal-updates InRelease
Hit:3 http://dl.google.com/linux/chrome/deb stable InRelease                                     
Ign:4 https://mirrors.ustc.edu.cn/ubuntu focal-backports InRelease                                               
Ign:5 https://mirrors.ustc.edu.cn/ubuntu focal-security InRelease                                                 
Ign:6 https://mirrors.ustc.edu.cn/ubuntu focal-proposed InRelease           
Hit:7 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease
Err:8 https://mirrors.ustc.edu.cn/ubuntu focal Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:9 https://mirrors.ustc.edu.cn/ubuntu focal-updates Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:10 https://mirrors.ustc.edu.cn/ubuntu focal-backports Release                                       
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:11 https://mirrors.ustc.edu.cn/ubuntu focal-security Release                                        
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Err:12 https://mirrors.ustc.edu.cn/ubuntu focal-proposed Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 218.104.71.170 443]
Hit:13 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease
Reading package lists... Done
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-backports Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.ustc.edu.cn/ubuntu focal-proposed Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

2. mirror 2

 sudo apt-get update
Ign:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal InRelease
Ign:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates InRelease        
Ign:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-backports InRelease      
Ign:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security InRelease       
Err:5 http://dl.google.com/linux/chrome/deb stable InRelease
  Something wicked happened resolving 'dl.google.com:http' (-5 - No address associated with hostname)
Err:6 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal Release                    
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Hit:7 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease                
Err:8 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Err:9 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-backports Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Err:10 https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security Release                                      
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 101.6.15.130 443]
Hit:11 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease                                         
Reading package lists... Done                                
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-backports Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-security Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

3. offical

sudo apt update
Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease                                                                                           
Hit:3 http://cn.archive.ubuntu.com/ubuntu focal InRelease           
Hit:4 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease
Hit:5 http://cn.archive.ubuntu.com/ubuntu focal-updates InRelease        
Hit:6 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease    
Reading package lists... Done
Building dependency tree       
Reading state information... Done
39 packages can be upgraded. Run 'apt list --upgradable' to see them.

4. install ca-certificates

sudo apt install ca-certificates 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gir1.2-evince-3.0 libllvm11 libmusicbrainz5-2 linux-headers-5.8.0-43-generic linux-hwe-5.8-headers-5.8.0-43 linux-image-5.8.0-43-generic linux-modules-5.8.0-43-generic
  linux-modules-extra-5.8.0-43-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 39 not upgraded.
Need to get 145 kB of archives.
After this operation, 1,024 B disk space will be freed.
Get:1 http://cn.archive.ubuntu.com/ubuntu focal-updates/main amd64 ca-certificates all 20210119~20.04.2 [145 kB]
Fetched 145 kB in 2s (87.6 kB/s)          
Preconfiguring packages ...
(Reading database ... 363632 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~20.04.2_all.deb ...
Unpacking ca-certificates (20210119~20.04.2) over (20210119~20.04.1) ...
Setting up ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

// here found ca-certificates upgraded, // which was not found before (maybe something break old package)

5. mirror 1, again

sudo apt update
Hit:1 https://mirrors.ustc.edu.cn/ubuntu focal InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:3 https://mirrors.ustc.edu.cn/ubuntu focal-updates InRelease
Hit:4 https://mirrors.ustc.edu.cn/ubuntu focal-backports InRelease
Hit:5 https://mirrors.ustc.edu.cn/ubuntu focal-security InRelease
Hit:6 https://mirrors.ustc.edu.cn/ubuntu focal-proposed InRelease
Hit:7 http://ppa.launchpad.net/jgmath2000/et/ubuntu focal InRelease
Hit:8 http://ppa.launchpad.net/libretro/stable/ubuntu focal InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
55 packages can be upgraded. Run 'apt list --upgradable' to see them.

this time it worked.

yurenchen
  • 441
0

I have encountered a problem that is similar to yours, with the Ubuntu Server installed in a VM, but the underlying cause should be different. I put out the problem description and the solution in case that someone who encountered the same problem reaches here.

Brief Summary: The similar problem is caused by the network condition of our office. When the problem occurs, I used a bridged network for Internet access. After changing the VM network setting to the normal NAT, the problem is mitigated.

Background: I have installed Ubuntu Server LTS 18.04.3 with VMWare Player. After the installation is completed, I have used the VM for several days, including upgrading the system with sudo apt update|upgrade and install new applications with sudo apt install <appname>.

Problem: After a weekend, I reopen the VM and want to install some new software. So I first try to update the repository information with sudo apt update to see if there are something that is upgradable. However, after executing this command, I get the following results:

gary@ubuntu-vm:~$ sudo apt update
Ign:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Ign:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Ign:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Ign:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease
Err:5 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:6 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:7 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Err:8 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
Reading package lists... Done
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

which is similar to the aseked problem(e.g., Ign:3 and Err:5), but not the same.

Solution: I have searched the related topics on Google, and many said that the problem is caused by incorrect configuration of certificates. However, I should never change any certificate configuration after installation of the system. Besides, avoiding certificates authentication should not be a regular routine.

To make sure that I did not change related configurations, I reinstall the system. I found that the installation cannot be completed, with the error log similar to the above one. After finding this, I guess that this problem should be caused by the network connection problem, as in this point there is no configuration made to the system.

Therefore, I checked the configuration of the VM instance, and found that this VM uses a bridged network rather than NAT. So I changed the network setting to NAT, which is usually the default network setting, then everything returns to normal!

After that, I recalled that when I first install the VM, I connect my computer to another computer to share the network (using NAT at the second computer). Later, I have my own network connection and I want the VM direct access to the physical network, so I changed the VM network setting to a bridged network, which then caused the problem (It's simply a network connection problem, because the physical network require authentication for network connection, while the VM does not have the credentials).

Gary Wang
  • 111
  • 3
0

touch /etc/apt/apt.conf.d/99verify-peer.conf
&& echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

Will disable Cert verification, and no error will be generated.

Aleksandar Lukic
  • 19
  • 2
0

Try and update the GNU TLS-related packages.
I had the same problem with Ubuntu 16.04 LTS and the sublimetext APT repository, among others:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I had tried all the proposed solutions to no avail.
The funny thing is that if I ran echo "" | gnutls-cli download.sublimetext.com -p 443 from another computer, the certificate was accepted, so I know it had to be a client problem.
Then, almost by chance, I checked the pending updates in Software Updater and there were two GNU TLS packages.
I updated them and magically all the errors disappeared. I don't remember the package names exactly but here are all the TLS libaries installed on my machine:

ii  gnutls-bin                        3.4.10-4ubuntu1.9     amd64                 GNU TLS library - commandline utilities
ii  libcurl3-gnutls:amd64             7.47.0-1ubuntu2.19    amd64                 easy-to-use client-side URL transfer library (GnuTLS flavour)
ii  libgnutls-dev:amd64               3.4.10-4ubuntu1.9     amd64                 GNU TLS library - development files
ii  libgnutls-openssl27:amd64         3.4.10-4ubuntu1.9     amd64                 GNU TLS library - OpenSSL wrapper
ii  libgnutls28-dev:amd64             3.4.10-4ubuntu1.9     amd64                 dummy transitional package for GNU TLS library - development files
ii  libgnutls30:amd64                 3.4.10-4ubuntu1.9     amd64                 GNU TLS library - main runtime library
ii  libgnutlsxx28:amd64               3.4.10-4ubuntu1.9     amd64                 GNU TLS library - C++ runtime library
ii  libneon27-gnutls:amd64            0.30.1-3build1        amd64                 HTTP and WebDAV client library (GnuTLS enabled)
PJ_Finnegan
  • 171
0

This answer points apt-get at a custom cert store by using a config file and setting the APT_CONFIG environment variable to point at this new file.

echo 'Acquire::https {\
        CaInfo "/cacert.pem";\
}' > /apt.conf
APT_CONFIG=/apt.conf
r590
  • 101
-2

In my case, I moved to nvm installation steps... as the third party instance was not able to resolve this error, and I did not have sudo rights and other permissions in brief.

referred this URL for nvm steps ... https://linuxize.com/post/how-to-install-node-js-on-ubuntu-18.04/

Abdeali Chandanwala
  • 97
-2

Err:14 https://apt.llvm.org/bionic llvm-toolchain-bionic-11 Release
Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification.

Time zone and date in ubuntu was configured manually. Browser was set to sync with ubuntu. This caused the error The revocation or OCSP data are old and have been superseded Set time and date to auto update. Works fine

user1570861
  • 1