15

I am trying to update a system using an HTTPS package mirror located here:

 https://mirror.ufs.ac.za/os/linux/distros/ubuntu/ubuntu/

However, during apt-get update, I get the following message:

Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

If you visit the site in your browser, you are warned about the site's certificate, but I trust the site, so it's not an issue for me. I assume I must be able to add this exception somewhere for apt to proceed.

Can you tell me where and how?

  • Ignoring certificate validation errors isn't a matter of trusting the site. It means you're trusting anyone who can influence network traffic between yourself and that site - for example, you're trusting your wifi network and ISP. – poolie Jan 08 '20 at 22:23

1 Answer

21

After reading up on the matter, following a trail about "self-signed certificates" etc., I found a suitable answer in a question on Serverfault: https://serverfault.com/questions/340887/using-a-self-signed-ssl-cert-for-an-https-based-internal-apt-repository

Adding the following line to my apt.conf resolved the matter:

Acquire::https::mirror.ufs.ac.za::Verify-Peer "false";

But keep in mind that "resolved" means that it might "work" now. Disabling verification is rather a workaround.

  • 12
    It can also be used directly in the command line with the -o parameter: apt-get update -o Acquire::https::mirror.ufs.ac.za::Verify-Peer=false – Dinei Jun 13 '18 at 20:08
  • This worked for me whereas Answer 1095266 that says [trusted yes] is needed did not. – snow6oy Nov 11 '19 at 15:58
  • I don't have an apt.conf on my Ubuntu 16.04, so this does not work for me. – Henry Nov 09 '20 at 16:21
  • In my experience, you have to add [trusted yes]; in fact, using only [trusted yes] works without Acquire::https::mirror.ufs.ac.za::Verify-Peer=false – esguti May 18 '22 at 10:23
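
Added example, not part of the original thread: a shell check that lists where an apt configuration has the Verify-Peer workaround from the answer, or the trusted option from the comments, switched on. It goes slightly beyond the thread by also matching Verify-Host and by reading apt.conf.d drop-ins; the function names, file names, the "focal" suite and the CA path are constructed for the sample, and the sample shows a per-host CaInfo line as the setting that keeps verification enabled.

```sh
#!/bin/sh
# Added example: list apt settings that switch off HTTPS or package verification.

# scan LABEL REGEX FILE...: print "LABEL file:line: text" for non-comment matches.
scan() {
    label=$1 re=$2; shift 2
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v label="$label" -v re="$re" '
            /^[ \t]*(\/\/|#)/ { next }                      # skip comment lines
            tolower($0) ~ re  { print label, FILENAME ":" FNR ": " $0 }
        ' "$f"
    done
}

# audit_apt_tls [ROOT]: ROOT is a filesystem prefix, empty for the live system.
audit_apt_tls() {
    root=${1:-}
    # apt.conf is optional; drop-ins under apt.conf.d are read as well.
    scan TLS-VERIFY-OFF 'verify-(peer|host)[ \t]*"?(false|no|off|0)' \
        "$root/etc/apt/apt.conf" "$root"/etc/apt/apt.conf.d/*
    # trusted=yes skips repository signature checks for that source line.
    scan SIGNATURE-CHECK-OFF '^[ \t]*deb(-src)?[ \t]+.*trusted=yes' \
        "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list
}

# make_sample DIR: write a constructed /etc/apt tree (sample data, not real files).
make_sample() {
    mkdir -p "$1/etc/apt/apt.conf.d" "$1/etc/apt/sources.list.d"
    cat > "$1/etc/apt/apt.conf.d/99mirror" <<'EOF'
// Acquire::https::Verify-Peer "false";
Acquire::https::mirror.ufs.ac.za::Verify-Peer "false";
Acquire::https::mirror.ufs.ac.za::Verify-Host "false";
EOF
    cat > "$1/etc/apt/apt.conf.d/50pinned-ca" <<'EOF'
// Verification stays on; this host is checked against one CA file (constructed path).
Acquire::https::mirror.ufs.ac.za::CaInfo "/etc/ssl/certs/mirror-ca.pem";
EOF
    cat > "$1/etc/apt/sources.list" <<'EOF'
deb [trusted=yes] https://mirror.ufs.ac.za/os/linux/distros/ubuntu/ubuntu/ focal main
deb https://mirror.ufs.ac.za/os/linux/distros/ubuntu/ubuntu/ focal universe
EOF
}

# Demo on the constructed tree; call audit_apt_tls with no argument for the live system.
tmp=$(mktemp -d) && make_sample "$tmp" && audit_apt_tls "$tmp"
rm -rf "$tmp"
```

Each output line names the file and line number of the setting, so it can be removed or replaced once the mirror's certificate chain is trusted properly.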