Certificate verification failed

While trying to install vtk-osmesa, we are getting the following error:

```
Err:5 https://apt.kitware.com/ubuntu bionic Release
  Certificate verification failed: The certificate is NOT trusted. The received OCSP status response is invalid.  Could not handshake: Error in the certificate verification. [IP: 66.194.253.25 443]
```

We are running the exact same commands from the documentation at https://apt.kitware.com/. To reproduce, in a fresh Ubuntu 18.04 image:

```sh
docker run -it ubuntu:18.04 /bin/bash
apt-get update
apt-get install -y gpg wget
wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - | tee /usr/share/keyrings/kitware-archive-keyring.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/kitware-archive-keyring.gpg] https://apt.kitware.com/ubuntu/ bionic main' | tee /etc/apt/sources.list.d/kitware.list >/dev/null
apt-get update
```

We also tested with the Ubuntu 20.04 image, same issue.

Both gpg file and sources.list file have content:

I understand this is more related to the Kitware project, but given that many users depend on their build for vtk, I believe it’s still in context.

Please let me know how we can contribute to further investigation and a fix.

There seems to be a network issue for a few hours. I’m just an engineer at Kitware but I’m impacted too. We will let you know when it is fixed.

@ben.boeckel

Thank you for the quick reply Mathieu!

Do you believe we could mirror the repository ourselves to have a plan B on those cases? Any guidance/documents would be much appreciated. Thanks in advance.

Sure, but no idea how to do that :)

Hi @automata

Installing ca-certificates package should help with the issue until it is fixed.

Best,

Installing wget should also install ca-certificates.

@automata I just ran through your instructions again and I do not see the certificate error anymore. Do you still see it?

Hello @brad.king and @mwestphal, we are able to build the images again, it seems the network errors got fixed.

I’ll try to add ca-certificates as suggested. Maybe it will be interesting to update the documentation on https://apt.kitware.com/ about that.

Thank you.

@automata great. Meanwhile we found and fixed the problem with the OCSP check. We also updated the instructions on apt.kitware.com to explicitly mention the ca-certificates package.

@brad.king that’s really great news! Thank you so much for the quick responses and fixes!

@brad.king while on it, do you have any suggestions and guidance on how to mirror apt.kitware.com? We are interested in making sure we can have some plan B when problems like that happen. Thank you in advance.

apt.kitware.com was originally meant for use by humans to install a recent CMake on Ubuntu LTS versions. I don’t think we can guarantee download performance and uptime at a level needed for widespread use in CI jobs. Instead such jobs can download from the CMake Releases page on GitHub, which is backed by a CDN. CMake’s own CI jobs do this using code here. Projects like get_cmake can help.

@brad.king that’s really helpful! We’ll check those suggestions and try to set up our CI to follow it. Thank you!
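
Added example, not part of the thread and not Kitware's CI code: one way a CI job can follow the suggestion above to download from the CMake Releases page on GitHub, checking the tarball against the release's SHA-256 manifest before unpacking. The function names, the `linux-x86_64` tarball name and the `cmake-<version>-SHA-256.txt` manifest name are assumptions to confirm against the Releases page for the version in use.

```sh
#!/bin/sh
# Added example (not Kitware's CI code). Assumed release asset names:
#   cmake-<ver>-linux-x86_64.tar.gz and cmake-<ver>-SHA-256.txt

# verify_from_manifest FILE MANIFEST
# Returns 0 on match, 1 on hash mismatch, 2 if the manifest has no single
# well-formed entry for FILE's basename.
verify_from_manifest() {
    file=$1 manifest=$2
    name=$(basename "$file")
    # sha256sum format: "<64 hex>  <name>" (or "<64 hex> *<name>")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$manifest")
    case $expected in
        "") echo "no manifest entry for $name" >&2; return 2 ;;
        *[!0-9a-f]*) echo "malformed or duplicate entry for $name" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed entry for $name" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "SHA-256 mismatch for $name" >&2; return 1; }
}

# fetch_cmake VERSION DESTDIR
# Downloads over HTTPS only; curl validates the server certificate against the
# system CA bundle (the ca-certificates package on Ubuntu).
fetch_cmake() {
    ver=$1 dest=$2
    base="https://github.com/Kitware/CMake/releases/download/v${ver}"
    tarball="cmake-${ver}-linux-x86_64.tar.gz"
    sums="cmake-${ver}-SHA-256.txt"
    mkdir -p "$dest" || return 1
    for f in "$tarball" "$sums"; do
        curl --fail --silent --show-error --location --proto '=https' \
             --output "$dest/$f" "$base/$f" || return 1
    done
    # Refuse to unpack anything that does not match the manifest.
    verify_from_manifest "$dest/$tarball" "$dest/$sums" || return 1
    tar -xzf "$dest/$tarball" -C "$dest"
}

# Usage in a CI step (CMAKE_VERSION is set by the pipeline):
#   fetch_cmake "$CMAKE_VERSION" /opt/cmake
```

A manifest fetched from the same place as the tarball catches corruption and truncation, not a compromised origin; pinning the expected hash in the CI repository or verifying the manifest's signature covers that case.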