Mender client installation couldn't proceed with error - Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 18.238.25.107 443]

OS - Ubuntu

Have followed the following Mender client installation steps:

sudo apt-get update
sudo apt-get install --assume-yes apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://downloads.mender.io/repos/debian/gpg | sudo tee /etc/apt/trusted.gpg.d/mender.asc
gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/mender.asc
# "\," makes the comma the sed address delimiter, so the slashes in the URL need no escaping
sudo sed -i.bak -e "\,https://downloads.mender.io/repos/debian,d" /etc/apt/sources.list
echo "deb [trusted=yes arch=$(dpkg --print-architecture)] https://downloads.mender.io/repos/debian ubuntu/jammy/stable main" | sudo tee /etc/apt/sources.list.d/mender.list > /dev/null
sudo apt-get update

The sudo apt-get update command is failing with the following certificate issue; what could the issue be?

root@ip-10-210-142-170:~# echo "deb [trusted=yes arch=$(dpkg --print-architecture)] https://downloads.mender.io/repos/debian ubuntu/jammy/stable main" | sudo tee /etc/apt/sources.list.d/mender.list > /dev/null
root@ip-10-210-142-170:~# sudo apt-get update
Hit:1 Index of /ubuntu jammy InRelease
Hit:2 Index of /ubuntu jammy-security InRelease
Hit:3 Index of /ubuntu jammy-updates InRelease
Ign:4 https://downloads.mender.io/repos/debian ubuntu/jammy/stable InRelease
Hit:5 Index of /ubuntu jammy-backports InRelease
Hit:6 https://ppa.launchpadcontent.net/ethereum/ethereum/ubuntu jammy InRelease
Ign:4 https://downloads.mender.io/repos/debian ubuntu/jammy/stable InRelease
Ign:4 https://downloads.mender.io/repos/debian ubuntu/jammy/stable InRelease
Err:4 https://downloads.mender.io/repos/debian ubuntu/jammy/stable InRelease
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 18.238.25.107 443]
Reading package lists… Done
W: Failed to fetch https://downloads.mender.io/repos/debian/dists/ubuntu/jammy/stable/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 18.238.25.107 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
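The failure above is apt refusing a TLS handshake because the issuer of the certificate it was handed is not in the local trust store. The useful triage question is which certificate the device actually receives: the public CA that downloads.mender.io normally presents (pointing at a broken local CA bundle) or some other issuer sitting in the path (pointing at a proxy or filtering gateway). The script below is an added example, not code from the thread or from Mender; the function names apt_tls_failures, tls_issuer_check and apt_proxy_settings are my own, the apt output embedded in it is a constructed sample modelled on the paste above, and it assumes the Debian/Ubuntu CA bundle path /etc/ssl/certs/ca-certificates.crt (override with CA_BUNDLE).

```shell
#!/bin/sh
# Added example, not from the thread: triage an apt TLS verification failure.
# 1) apt_tls_failures   - pull host/IP/port out of apt-get update output
# 2) tls_issuer_check   - show which issuer the server presents and whether the
#                         system CA bundle validates it (openssl "Verify return code")
# 3) apt_proxy_settings - show proxy settings that could interpose on HTTPS
# Assumed path: /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu CA bundle).

# Constructed sample of apt-get update output, modelled on the thread's paste.
SAMPLE_APT_OUTPUT='Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Err:4 https://downloads.mender.io/repos/debian ubuntu/jammy/stable InRelease
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 18.238.25.107 443]
Reading package lists... Done
W: Failed to fetch https://downloads.mender.io/repos/debian/dists/ubuntu/jammy/stable/InRelease  Certificate verification failed: The certificate is NOT trusted. [IP: 18.238.25.107 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.'

# Read apt-get update output on stdin; print "host ip port" once per failing Err: source.
# The W: summary lines repeat the same failure and are deliberately ignored.
apt_tls_failures() {
    awk '
        /^Err:[0-9]+ https:\/\// { split($2, u, "/"); host = u[3]; next }
        /Certificate verification failed/ && host != "" {
            if (match($0, /\[IP: [^]]*\]/)) {
                print host " " substr($0, RSTART + 5, RLENGTH - 6)
            }
            host = ""
        }
    '
}

# Connect to host:port with SNI, print the leaf certificate's subject and issuer,
# and openssl's verdict against the system bundle. An unexpected issuer together
# with "Verify return code: 20 (unable to get local issuer certificate)" means
# something in the path is terminating TLS; the expected public CA together with
# rc 20 means the local trust store itself is broken (update-ca-certificates).
tls_issuer_check() {
    host=$1
    port=${2:-443}
    bundle=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}   # assumed default path
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$bundle" </dev/null 2>/dev/null) || true
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer 2>/dev/null \
        || { echo "no certificate received from $host:$port"; return 1; }
    printf '%s\n' "$out" | grep '^Verify return code'
}

# Proxy settings apt would honour for HTTPS; an explicit proxy, or one picked up
# from the environment, is the usual place a TLS-terminating gateway sits.
apt_proxy_settings() {
    apt-config dump 2>/dev/null | grep -i 'proxy' || echo "apt: no proxy configured"
    env | grep -iE '^https?_proxy=' || echo "env: no https_proxy set"
}

# Live run (needs network and a real apt): TLS_TRIAGE_LIVE=1 sh tls_triage.sh
# Feeds real apt output through the parser and checks every failing host.
if [ "${TLS_TRIAGE_LIVE:-0}" = 1 ]; then
    apt_proxy_settings
    apt-get update 2>&1 | apt_tls_failures | while read -r host ip port; do
        echo "== $host ($ip:$port)"
        tls_issuer_check "$host" "$port"
    done
fi
```

Without TLS_TRIAGE_LIVE=1 the script only defines the functions, so it can be sourced and the parser exercised on the embedded sample; with it set, the issuer printed for each failing host is what distinguishes a device-side trust problem from a network-side one.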

Hi @nareshtech20 ,

I am not able to reproduce on my side. I just tried from a vanilla Ubuntu Jammy and could add the repos following your commands.

The only thing that is strange from your commands is that you use trusted=yes, which shouldn't be necessary once you have added the GPG key (in other words, apt does not need to explicitly trust the source; the GPG key will be used instead). However, even with this trusted=yes it works on my machine, so I cannot really see the problem.

@lluiscampos, thank you for response.

I have added the trusted=yes option just to check if it resolves this issue, but no luck.

I can see the following key:
gpg --show-keys --with-fingerprint /etc/apt/trusted.gpg.d/mender.asc
pub rsa3072 2020-11-13 [SC] [expires: 2024-10-23]
E6C8 5734 5575 F921 8396 5662 2407 2B80 A1B2 9B00
uid Mender Team mender@northern.tech
sub rsa3072 2020-11-13 [E] [expires: 2024-10-23]

Also, after the mender-client install and setup, I can observe the following error:

Jun 28 12:47:44 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:44Z" level=info msg="State transition: inventory-update-retry-wait [Sync] -> check-wait [Idle]"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=info msg="State transition: check-wait [Idle] -> update-check [Sync]"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=info msg="Device unauthorized; attempting reauthorization"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=info msg="Output (stderr) from command "/usr/share/mender/identity/mender-device-identity": using interface /sys/class/net/ens5"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=error msg="Failure occurred while executing authorization request: Method: Post, URL: https://hosted.mender.io/api/devices/v1/authentication/auth_requests
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=error msg="Failed to authorize with "https://hosted.mender.io": Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file: "
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=warning msg="Reauthorization failed with error: transient error: authorization request failed"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=error msg="Error receiving scheduled update data: update check request failed: transient error: authorization request failed"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=error msg="Update check failed: transient error: update check request failed: transient error: authorization request failed"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=info msg="State transition: update-check [Sync] -> error [Error]"
Jun 28 12:47:47 ip-10-210-142-170 mender[148447]: time="2023-06-28T12:47:47Z" level=info msg="Handling error state, current error: transient error: update check request failed: transient error: authorization request failed"

@nareshtech20 An error with hosted.mender.io certificate is very suspicious. Maybe there is something off with the CA trust on your device? Try running update-ca-certificates :thinking:


@lluiscampos, even after a forced update-ca-certificates run, the issue still remains.

Are you building Ubuntu OS image yourself with some build tooling, or just installed an existing image from Canonical?

Just using an existing image.

Unless I'm reading it wrong, curl didn't have a problem with the certificate in the beginning, whereas apt did. If that's correct then that would imply that your OS does have the intermediate and CA cert in it. Maybe your apt source file isn't quite correct?


It's blocked at the organization level as part of compliance; working now after whitelisting the required URLs.

Thank you @dellgreen and @lluiscampos for the response.
