linux git server ssl-certificate ubuntu-16.04

Is it a CA certificate verification issue? How can I resolve this?


In my company, there are several instances that serve as backends for production, testing and other purposes. I am also a new employee in the company. Recently, all of the instances suddenly cannot receive any updates using git or apt-get.

  1. When I use git fetch --all, the result is:
fatal: unable to access 'https://[...].git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

After I saw the post, I used git config --global http.sslverify false and ran git fetch all again. The result is:

fatal: unable to access 'https://[...].git/': The requested URL returned error: 403
error: Could not fetch origin

That's very weird because I don't know whether it's a certificate issue or a user permission issue. Or maybe in the end it's just a certificate issue.

  2. Someone suggests using sudo apt-get update in this link. When I use sudo apt-get update, there are lots of errors:
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Ign:2 http://dl.google.com/linux/chrome/deb stable Release                                                               
Ign:3 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages.diff/Index                                        
Ign:4 http://dl.google.com/linux/chrome/deb stable/main all Packages                                                     
Ign:5 http://dl.google.com/linux/chrome/deb stable/main Translation-en                                                   
Ign:6 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages                                                   
Ign:4 http://dl.google.com/linux/chrome/deb stable/main all Packages                                                                     
...
...
...
Ign:155 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main i386 Packages
Ign:147 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main all Packages
Ign:149 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main Translation-en
Ign:156 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main amd64 Packages
Ign:157 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main i386 Packages
Ign:152 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main all Packages
Ign:153 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main Translation-en
Err:154 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign:155 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main i386 Packages
Err:156 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main amd64 Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign:157 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main i386 Packages
Reading package lists... Done
W: The repository 'http://dl.google.com/linux/chrome/deb stable Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://hk.archive.ubuntu.com/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://hk.archive.ubuntu.com/ubuntu xenial-updates Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'https://download.docker.com/linux/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://hk.archive.ubuntu.com/ubuntu xenial-backports Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://security.ubuntu.com/ubuntu xenial-security Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://ppa.launchpad.net/certbot/certbot/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://ppa.launchpad.net/deadsnakes/ppa/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'https://esm.ubuntu.com/infra/ubuntu xenial-infra-security Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/main/binary-amd64/Packages  403  Forbidden [IP: 142.251.220.78 80]
E: Failed to fetch http://hk.archive.ubuntu.com/ubuntu/dists/xenial-backports/restricted/binary-amd64/Packages  403  Forbidden [IP: 45.125.0.6 80]
E: Failed to fetch http://hk.archive.ubuntu.com/ubuntu/dists/xenial/main/binary-amd64/Packages  403  Forbidden [IP: 45.125.0.6 80]
E: Failed to fetch https://download.docker.com/linux/ubuntu/dists/xenial/stable/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Failed to fetch http://hk.archive.ubuntu.com/ubuntu/dists/xenial-updates/main/binary-amd64/Packages  403  Forbidden [IP: 45.125.0.6 80]
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-amd64/Packages  403  Forbidden [IP: 91.189.91.82 80]
E: Failed to fetch http://ppa.launchpad.net/deadsnakes/ppa/ubuntu/dists/xenial/main/binary-amd64/Packages  403  Forbidden [IP: 185.125.190.80 80]
E: Failed to fetch http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/xenial/main/binary-amd64/Packages  403  Forbidden [IP: 185.125.190.80 80]
E: Failed to fetch https://esm.ubuntu.com/infra/ubuntu/dists/xenial-infra-security/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Failed to fetch https://esm.ubuntu.com/infra/ubuntu/dists/xenial-infra-updates/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.
  3. I also cannot ping or curl anything.

I would really appreciate it if anyone could provide some hints/solutions, because I have worked on these issues for days! The distro is Ubuntu 16.04.7 LTS, and our team has used Let's Encrypt for certificates. Thanks so much.

  1. Setting git config --global http.sslverify false for the git part: this link

  2. sudo apt-get update mentioned in: this link
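
An added example, not part of the original question or its answer: a small triage script that reduces the `E: Failed to fetch` lines from the apt-get output above to one row per host and checks whether the failures split cleanly by scheme (403 on every http:// mirror, certificate verification failure on every https:// mirror). That pattern across unrelated hosts points at something on the network path, which is what the Solution below proposes, rather than at each server. The sample lines are copied from the output above; the function names and the `network-path` / `per-host` labels are assumptions made for this illustration.

```bash
#!/bin/sh
# Excerpt of the "E:" lines from the apt-get output quoted in the question.
sample_log() {
cat <<'EOF'
E: Failed to fetch http://hk.archive.ubuntu.com/ubuntu/dists/xenial/main/binary-amd64/Packages  403  Forbidden [IP: 45.125.0.6 80]
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-amd64/Packages  403  Forbidden [IP: 91.189.91.82 80]
E: Failed to fetch https://download.docker.com/linux/ubuntu/dists/xenial/stable/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Failed to fetch https://esm.ubuntu.com/infra/ubuntu/dists/xenial-infra-security/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
EOF
}

# Reduce apt "E: Failed to fetch" lines to unique "scheme host reason" rows.
classify_apt_errors() {
  awk '
    /^E: Failed to fetch / {
      url = $5
      scheme = url; sub(/:.*/, "", scheme)
      host = url; sub(/^[a-z]+:\/\//, "", host); sub(/\/.*/, "", host)
      if ($0 ~ /certificate verification failed/) reason = "tls-verify-failed"
      else if ($0 ~ / 403 +Forbidden/)            reason = "http-403"
      else                                        reason = "other"
      key = scheme " " host " " reason
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# "network-path" when every http host returns 403 and every https host fails
# verification, across at least two hosts; otherwise "per-host".
diagnose() {
  classify_apt_errors | awk '
    { rows[$1]++; hits[$1 ":" $3]++; total++ }
    END {
      if (total == 0) { print "no-failures"; exit }
      same = (hits["http:http-403"] + 0 == rows["http"] + 0) &&
             (hits["https:tls-verify-failed"] + 0 == rows["https"] + 0)
      if (same && total >= 2) print "network-path"; else print "per-host"
    }'
}

# Live follow-up (needs network, not run here): print the issuer of the
# certificate this host is actually served, to compare with the site's public CA.
show_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer
}

sample_log | classify_apt_errors
echo "verdict: $(sample_log | diagnose)"
```

On an affected machine, pipe the real output through it with `sudo apt-get update 2>&1 | diagnose`, then run `show_issuer` against one of the failing HTTPS hosts to see which CA signed the certificate being presented.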


Solution

  • It looks like there are problems with the firewall. Maybe the FW cracks the encryption to check the packets. After the check the packet is encrypted again with a new internal certificate. If this is not installed on the system, the error appears.

    Test:

    ssh -vvv [User]@[URL]
    

    Workaround: