I am trying to enable Ubuntu Pro (free subscription) on a virtual machine with Ubuntu 20.04.6 LTS. When I run the command sudo pro attach <My token>, I got the error message:
Failed to connect to authentication server
Check your Internet connection and try again.
The network is working properly and when I ping canonical.com everything is fine.
Then I tried to run sudo pro attach without token, because from the help I read this way the command should generate a short code to attach the machine to Ubuntu Pro via web browser. However, I got the error message:
Initiating attach operation...
ERROR: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
...
< Several other lines from Python interpreter >
...
Failed to connect to authentication server
Check your Internet connection and try again.
And finally, the command ua status outputs:
Failed to access URL: https://contracts.canonical.com/v1/resources?architecture=amd64&kernel=5.4.0-1102-kvm&series=focal&virt=kvm
Cannot verify certificate of server
Please check your openssl configuration.
The issue is very similar to the one reported here Getting Errors trying to attach ua token but the solutions proposed there don't seem to be related to my issue. In fact:
With the command
curl -vs https://contracts.canonical.comI could verify that Canonical server's certificate is trusted by my virtual machine:* Trying 185.125.190.32:443... * TCP_NODELAY set * Connected to contracts.canonical.com (185.125.190.32) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=contracts.canonical.com * start date: Oct 21 03:19:23 2023 GMT * expire date: Jan 19 03:19:22 2024 GMT * subjectAltName: host "contracts.canonical.com" matched cert's "contracts.canonical.com" * issuer: C=US; O=Let's Encrypt; CN=R3 * SSL certificate verify ok. ...The structure of the /usr/lib/ssl/ folder is it as should be:
> ls -l /usr/lib/ssl/ total 4 lrwxrwxrwx 1 root root 14 Apr 20 2020 certs -> /etc/ssl/certs drwxr-xr-x 2 root root 4096 Oct 26 06:44 misc lrwxrwxrwx 1 root root 20 Oct 10 09:03 openssl.cnf -> /etc/ssl/openssl.cnf lrwxrwxrwx 1 root root 16 Apr 20 2020 private -> /etc/ssl/privateThe ISRG_Root_X1.pem certificate is correctly linked:
> ls -l /usr/lib/ssl/certs/4042bcee.0 lrwxrwxrwx 1 root root 16 Nov 8 15:24 /usr/lib/ssl/certs/4042bcee.0 -> ISRG_Root_X1.pem
and I verified that it is exactly the same as https://letsencrypt.org/certs/isrgrootx1.pem.
I also tried to add it anyway as explained in the linked post, but after
sudo update-ca-certificates
sudo c_rehash /etc/ssl/certs
I got the warning:
WARNING: Skipping duplicate certificate isrgrootx1.pem
therefore my addition attempt is skipped because that certificate is already present in the list of the trusted ones.
Any idea what could trigger the certificate problem and how could I attach my Ubuntu Pro subscription?
