Debian 202405 snapshot repos certificates have expired

The certificates on the snapshot repository used by the 202405 debian release expired today. 22 aug 2024.

It is no longer possible to run apt get to install additional software etc. Or run the install_package_and_dependencies.sh script on new installs.

Suggestions?

  • adding [trusted=yes] to the line in /etc/apt/sources.list does not work.
root@starfive:~# cat /etc/apt/sources.list
deb [trusted=yes] https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable main

But when I tried to install an additional package I get:

root@starfive:~# apt install python3-pip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  python3-setuptools python3-wheel
Suggested packages:
  python-setuptools-doc
The following NEW packages will be installed:
  python3-pip python3-setuptools python3-wheel
0 upgraded, 3 newly installed, 0 to remove and 19 not upgraded.
Need to get 1872 kB of archives.
After this operation, 9517 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Ign:1 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-setuptools all 65.5.0-1.1
Ign:2 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-wheel all 0.38.4-1
Ign:3 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-pip all 22.3.1+dfsg-1
Ign:1 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-setuptools all 65.5.0-1.1
Ign:2 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-wheel all 0.38.4-1
Ign:3 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-pip all 22.3.1+dfsg-1
Ign:1 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-setuptools all 65.5.0-1.1
Ign:2 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-wheel all 0.38.4-1
Ign:3 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-pip all 22.3.1+dfsg-1
Err:1 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-setuptools all 65.5.0-1.1
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.213.153.170 443]
Err:2 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-wheel all 0.38.4-1
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.213.153.170 443]
Err:3 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-pip all 22.3.1+dfsg-1
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.213.153.170 443]
E: Failed to fetch https://snapshot.debian.org/archive/debian-ports/20221225T084846Z/pool/main/s/setuptools/python3-setuptools_65.5.0-1.1_all.deb  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.213.153.170 443]
E: Failed to fetch https://snapshot.debian.org/archive/debian-ports/20221225T084846Z/pool/main/w/wheel/python3-wheel_0.38.4-1_all.deb  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.213.153.170 443]
E: Failed to fetch https://snapshot.debian.org/archive/debian-ports/20221225T084846Z/pool/main/p/python-pip/python3-pip_22.3.1%2bdfsg-1_all.deb  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 185.213.153.170 443]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
1 Like

To answer my own question the ‘not recommended’ answer from here works. And is quite acceptable for the starfive releases.

root@starfive:~# touch /etc/apt/apt.conf.d/99verify-peer.conf
root@starfive:~# echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

After this I was able to finally install python3-pip (which is not part of the default install, but is available in the snapshot repo.)

root@starfive:~# apt install python3-pip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  python3-setuptools python3-wheel
Suggested packages:
  python-setuptools-doc
The following NEW packages will be installed:
  python3-pip python3-setuptools python3-wheel
0 upgraded, 3 newly installed, 0 to remove and 19 not upgraded.
Need to get 1872 kB of archives.
After this operation, 9517 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-setuptools all 65.5.0-1.1 [519 kB]
Get:2 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-wheel all 0.38.4-1 [30.8 kB]
Get:3 https://snapshot.debian.org/archive/debian-ports/20221225T084846Z unstable/main riscv64 python3-pip all 22.3.1+dfsg-1 [1323 kB]
Fetched 1872 kB in 1s (1445 kB/s)                       
Selecting previously unselected package python3-setuptools.
(Reading database ... 208040 files and directories currently installed.)
Preparing to unpack .../python3-setuptools_65.5.0-1.1_all.deb ...
Unpacking python3-setuptools (65.5.0-1.1) ...
Selecting previously unselected package python3-wheel.
Preparing to unpack .../python3-wheel_0.38.4-1_all.deb ...
Unpacking python3-wheel (0.38.4-1) ...
Selecting previously unselected package python3-pip.
Preparing to unpack .../python3-pip_22.3.1+dfsg-1_all.deb ...
Unpacking python3-pip (22.3.1+dfsg-1) ...
Setting up python3-setuptools (65.5.0-1.1) ...
Setting up python3-wheel (0.38.4-1) ...
Setting up python3-pip (22.3.1+dfsg-1) ...
Processing triggers for man-db (2.11.1-1) ...
root@starfive:~# 
1 Like

As I see ssl certificates is valid, maybe the issue is on your side? See SSL Checker

Try to install ca-certificates and check the date on board.

sudo apt install ca-certificates

+1 for checking date/time on your system.

There’s no hardware clock, so properly configuring systemd-timesyncd (and running it on startup) is crucial:

$ timedatectl
Local time: Tue 2024-08-27 13:38:52 CEST
Universal time: Tue 2024-08-27 11:38:52 UTC
RTC time: n/a
Time zone: Europe/Zurich (CEST, +0200)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no

1 Like