Error in the certificate verification WSL2

Question

From my personal computer (Win 11) where I have installed WSL2 with Ubuntu 20.04, I am having some difficulties installing programs.

I tried to install OpenFoam and Geogebra and with both I get an error related to certificates.

Could anyone help me understand why and how to solve?

When installing GEOGEBRA with:

sudo apt-add-repository -u 'deb http://www.geogebra.net/linux/ stable main'

I get the error:

...
Err:17 https://sourceforge.net/projects/openfoam/files/repos/deb focal Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 204.68.111.105 443]
Get:20 http://archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [207 kB]
Get:21 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [20.7 kB]
Reading package lists... Done
W: GPG error: http://www.geogebra.net/linux stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C072A32983A736CF
E: The repository 'http://www.geogebra.net/linux stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://dl.openfoam.com/repos/deb focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

With OpenFOAM:

Add the repository

curl https://dl.openfoam.com/add-debian-repo.sh | sudo bash
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3862  100  3862    0     0  11392      0 --:--:-- --:--:-- --:--:-- 11358
Detected distribution code-name: focal
Overwrote /etc/apt/sources.list.d/openfoam.list
Importing openfoam gpg key... done
Overwrote /etc/apt/trusted.gpg.d/openfoam.gpg
Running apt-get update... done
The repository is setup! You can now install packages.

Install preferred package:

sudo apt-get install openfoam2112-default
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package openfoam2112-default

At this link they proposed this solution:

sudo apt install ca-certificates

And for geogebra I found this proposed solution.

But before proceeding I would like to understand the problem better.

Can someone help me understand it better please?

Welcome to Ask Ubuntu. Can you edit the question to specify your Ubuntu version? Thanks! — NotTheDr01ds, May 26 '22 at 13:03
@NotTheDr01ds Ubuntu 20.04 LTS, I also edited the question, if there are other info you need please let me know. Thanks. — user19137338, May 26 '22 at 13:09
Ok, so if I understand correctly, you just want to understand why an apt-key add is required for geogebra and why a ca-certificates is needed for OpenFOAM, correct? — NotTheDr01ds, May 26 '22 at 13:28
@NotTheDr01ds yes, but I don't know if these solutions work for me, I just found them in forums from people with same or similar problems, I haven't tried them yet on my computer. This because I would like to better understand what the error "Certificate verification failed: The certificate is NOT trusted" mean(what could cause it), and in which way the proposed solutions I found could fix it. But above all if these solutions are the correct way to fix the problem. (I have to apologize for my English, is not my first lenguage) — user19137338, May 26 '22 at 14:04
Right - While we normally get more "how to do/fix something" questions here, the "why" part of it is a completely valid question here as well. I looked around for some possible existing answers that might explain it, but I haven't found any yet. And I'm not a huge apt expert myself, but I'll see if I can provide the explanation for you if no one else answers first. Also, no worries on your English - It's pretty good! I did a few edits to make it more readable, but they were more on the formatting. — NotTheDr01ds, May 26 '22 at 19:58
I would say that the suggestions that you've found are perfectly normal, and I would encourage you to go ahead and do them in the meantime. — NotTheDr01ds, May 26 '22 at 20:01

score 1 · Accepted Answer · answered May 27 '22 at 02:41

So the two are related, but different. There are a few different topics to cover here:

PPA keys on Ubuntu 20.04

Both applications are being installed from a PPA, a "Personal Package Archive". This is a repository set up by the maintainers of those applications to simplify the installation under Ubuntu.

As a security measure, apt requires that packages in these private repositories be signed with the maintainers' private key. In order to verify the signatures, apt needs the corresponding public key. That's the purpose of the apt-key command that you see in the Geogebra answer you mentioned. Google/search "public-key cryptography" for more details if you are interested.

OpenFOAM is doing the same thing, but there the script that you ran via:

curl https://dl.openfoam.com/add-debian-repo.sh | sudo bash

... actually did the apt-key add for their key.

After adding the key, you also need to update your local repo cache with sudo apt update. Again, that's mentioned in the Geogebra answer and also done automatically by the OpenFOAM script.

PPA keys after 20.04

Note that Ubuntu 20.04 is the last major release where this particular process works exactly like that. In 20.04, adding a key would allow any software signed with that key to be trusted. This was somewhat of a security risk, since if the private key ever got out, it could be used to sign malicious software which your system would then trust. That said, it's been like that for many years. I'm happy they've changed it, personally.

Now, in 20.10 and later, you have to configure each repository to have a trusted key. Software signed by that keypair that lives in a different repository will no longer be trusted. See this excellent answer for the details. But also realize that the method of configuring the key for repositories will probably change and improve over time.

So with their respective apt keys installed on your system, Geogebra and OpenFOAM should install.

OpenFOAM error

However, you are seeing an interesting error with OpenFOAM:

E: Unable to locate package openfoam2112-default

That's not going to be resolved with the installation of ca-certificates, which actually are part of the default Ubuntu 20.04 installation on WSL anyway.

I can tell you that I just tried it on my WSL/Ubuntu 20.04 and it worked properly, so there are two possibilities that I can think of:

The repo didn't get updated properly on your system.
There was a temporary failure in the repo when you were trying to install.

Since I was able to do it successfully, I'd suggest you just try again:

sudo apt update
sudo apt-get install openfoam2112-default

If that doesn't work, run the script one more time, then try again:

curl https://dl.openfoam.com/add-debian-repo.sh | sudo bash
sudo apt-get install openfoam2112-default

Running a script downloaded from the web

Okay, that also brings us to the topic of a script like that. Since we're talking "security" topics here, and you've expressed an interest, keep in mind that running scripts from the web, especially passing them to sudo, is a pretty big security risk.

You have to:

Trust that the maintainer isn't doing something nefarious.
Trust that the site hasn't been taken over.
Trust that the project hasn't been sold to or handed over to a new maintainer who is a "bad actor" doing something nefarious (it's happened).

Or:

You need to examine the script being run and make sure it appears safe. You can do this by first issuing the curl https://dl.openfoam.com/add-debian-repo.sh without passing it to sudo bash.

For this reason, I'd typically be happier with a project on a PPA that simply provides instructions on installing their key, rather than one who provides a "easier to use" script that automates it.

ca-certificates

And finally, since you asked about the:

sudo apt install ca-certificates

That's really covered in this answer already (which happens to be the top Google search result as well).

But it's not going to help in this case. The OpenFOAM thread you linked to was due to:

expired certificates of sourceforge.net so I was not able to create repository so system could not be installed

That's not the problem (or error) you are having.