Mausy5043
Posts: 9
Joined: Sun Feb 08, 2015 12:14 pm
Location: Tilburg, NL

[SOLVED] The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 1:32 pm

Code: Select all

$ wget https://archive.raspberrypi.org/debian/raspberrypi.gpg.key
--2020-05-30 15:31:30--  https://archive.raspberrypi.org/debian/raspberrypi.gpg.key
Resolving archive.raspberrypi.org (archive.raspberrypi.org)... 176.126.240.84, 176.126.240.86, 176.126.240.167, ...
Connecting to archive.raspberrypi.org (archive.raspberrypi.org)|176.126.240.84|:443... connected.
ERROR: The certificate of ‘archive.raspberrypi.org’ is not trusted.
ERROR: The certificate of ‘archive.raspberrypi.org’ has expired.
Anybody know how to fix this?
Last edited by Mausy5043 on Sat May 30, 2020 7:10 pm, edited 1 time in total.
Mausy5043 - NL

trejan
Posts: 2195
Joined: Tue Jul 02, 2019 2:28 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 1:40 pm

Looks like one of the mirrors has an expired certificate. If you flush your DNS cache then you might get a different one?

Mausy5043
Posts: 9
Joined: Sun Feb 08, 2015 12:14 pm
Location: Tilburg, NL

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 1:50 pm

trejan wrote:
Sat May 30, 2020 1:40 pm
Looks like one of the mirrors has an expired certificate. If you flush your DNS cache then you might get a different one?
Nope. DNS gives me different IPs. None of them seem to work. I tried switching upstream DNS, also no luck.
Mausy5043 - NL

trejan
Posts: 2195
Joined: Tue Jul 02, 2019 2:28 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 1:51 pm

Yeah. Something odd happening. I checked the certificates for all the IPs and they've all got valid expiry dates. Not sure what is going on with wget.

markhealey
Posts: 1
Joined: Wed Jul 18, 2012 9:04 am
Location: Brough
Contact: Website

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 1:53 pm

It looks like the issueis upstream, as I get this with apt...

Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 176.126.240.84 443]

epoch1970
Posts: 5153
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 1:58 pm

Local date wrong on the host?
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

Mausy5043
Posts: 9
Joined: Sun Feb 08, 2015 12:14 pm
Location: Tilburg, NL

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:01 pm

epoch1970 wrote:
Sat May 30, 2020 1:58 pm
Local date wrong on the host?
No problem with `timedatectl`
Mausy5043 - NL

trejan
Posts: 2195
Joined: Tue Jul 02, 2019 2:28 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:12 pm

Server side configuration issue. It is sending an expired CA certificate. The *.raspberrypi.org wildcard certificate is still valid but it has to use a different certification path.

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority[/cpde]

Mausy5043
Posts: 9
Joined: Sun Feb 08, 2015 12:14 pm
Location: Tilburg, NL

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:17 pm

trejan wrote:
Sat May 30, 2020 2:12 pm
Server side configuration issue. It is sending an expired CA certificate. The *.raspberrypi.org wildcard certificate is still valid but it has to use a different certification path.

Code: Select all

        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
 
:-\

So, we're back at the original question.

Who knows how to fix this?
Mausy5043 - NL

trejan
Posts: 2195
Joined: Tue Jul 02, 2019 2:28 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:20 pm

Mausy5043 wrote:
Sat May 30, 2020 2:17 pm
Who knows how to fix this?
It has to be fixed by the server admins. If you just want the key then use curl.

Code: Select all

curl https://archive.raspberrypi.org/debian/raspberrypi.gpg.key -o raspberrypi.gpg.key

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:24 pm

On it, hang on.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:30 pm

Looks like it was already fixed, or are people still seeing this?

Code: Select all

$ wget https://archive.raspberrypi.org/debian/raspberrypi.gpg.key -O /dev/null --prefer-family=IPv4
--2020-05-30 15:30:24--  https://archive.raspberrypi.org/debian/raspberrypi.gpg.key
Resolving archive.raspberrypi.org (archive.raspberrypi.org)... 176.126.240.84, 46.235.227.39, 93.93.135.118, ...
Connecting to archive.raspberrypi.org (archive.raspberrypi.org)|176.126.240.84|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1719 (1.7K) [application/pgp-keys]
Saving to: ‘/dev/null’

/dev/null                                        100%[=========================================================================================================>]   1.68K  --.-KB/s    in 0s      

2020-05-30 15:30:24 (419 MB/s) - ‘/dev/null’ saved [1719/1719]

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:33 pm

Okay, I see the issue if I use wget on the pi.

trejan
Posts: 2195
Joined: Tue Jul 02, 2019 2:28 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:35 pm

ShiftPlusOne wrote:
Sat May 30, 2020 2:30 pm
Looks like it was already fixed, or are people still seeing this?
It is still sending the expired CA certificate. No idea why wget is fixated on that path only though.

trejan
Posts: 2195
Joined: Tue Jul 02, 2019 2:28 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:38 pm

Code: Select all

$ echo | openssl s_client -showcerts -connect archive.raspberrypi.org:443 2> /dev/null | grep -A100 "^ 2" | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Or use https://www.ssllabs.com/ssltest/analyze ... =on&latest but it'll take a few minutes to run so doing it manually with openssl will be a lot faster.
Last edited by trejan on Sat May 30, 2020 2:47 pm, edited 3 times in total.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 2:41 pm

Ah makes sense. I've raised the appropriate ticket.

Thanks everyone.

girishprasanna
Posts: 2
Joined: Sun Jan 06, 2019 5:00 am

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 3:29 pm

Any idea when this would be fixed?

i still get this error.

Mausy5043
Posts: 9
Joined: Sun Feb 08, 2015 12:14 pm
Location: Tilburg, NL

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 4:22 pm

trejan wrote:
Sat May 30, 2020 2:20 pm
If you just want the key then use curl.

Code: Select all

curl https://archive.raspberrypi.org/debian/raspberrypi.gpg.key -o raspberrypi.gpg.key
I'm stuck with `wget` on the pi. I just traced the error to `wget` but the code isn't mine and I can't change it. So, I'll just wait till it's fixed.
ShiftPlusOne wrote:
Sat May 30, 2020 2:41 pm
Ah makes sense. I've raised the appropriate ticket.
Thanks @ShiftPlusOne! I'll give it another try tomorrow.
Mausy5043 - NL

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 26685
Joined: Sat Jul 30, 2011 7:41 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 4:43 pm

girishprasanna wrote:
Sat May 30, 2020 3:29 pm
Any idea when this would be fixed?

i still get this error.
Our net provider has been informed, so we a waiting for them to sort it out. I do not know how long that will take.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

girishprasanna
Posts: 2
Joined: Sun Jan 06, 2019 5:00 am

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 5:11 pm

jamesh wrote:
Sat May 30, 2020 4:43 pm
girishprasanna wrote:
Sat May 30, 2020 3:29 pm
Any idea when this would be fixed?

i still get this error.
Our net provider has been informed, so we a waiting for them to sort it out. I do not know how long that will take.
ok thanks for the update.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 5:42 pm

Update from them is that they're on it. Keep in mind it's 6:40PM on a Saturday here, so the right person might not be available immediately.

trejan
Posts: 2195
Joined: Tue Jul 02, 2019 2:28 pm

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 6:33 pm

I've poked about in the source and the issue is that wget is using gnutls which is validating every peer certificate. If you're sending a CA bundle then every single certificate must be valid or it immediately errors out. The quick fix if anybody has this problem on their own server is to delete the expired AddTrust certificate from the bundle on the webserver. gnutls will then use the preinstalled USERTrust RSA Certification Authority certificate and work like normal.
ShiftPlusOne wrote:
Sat May 30, 2020 5:42 pm
Keep in mind it's 6:40PM on a Saturday here, so the right person might not be available immediately.
Is there a giant raspberry logo being projected on to the clouds above Cambridge?

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 6:37 pm

trejan wrote: Is there a giant raspberry logo being projected on to the clouds above Cambridge?
Always

User avatar
dickon
Posts: 1550
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 6:43 pm

*Are* there any clouds over Cambridge today?

It's been gloriously sunny here all day...

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: The certificate of `archive.raspberrypi.org` has expired

Sat May 30, 2020 7:00 pm

Try wget now

Return to “Advanced users”