The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification

I faced this issue repeatedly today when trying to add the Jitsi keys on my server. I added logs for reference below. @damencho

    root@ip-X.X.X.X:~# curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  3071  100  3071    0     0    174      0  0:00:17  0:00:17 --:--:--   910

    root@ip-X.X.X.X:~# echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
    root@ip-X.X.X.X:~# sudo apt update
    Hit:1 http://ap-south-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
    Hit:2 http://security.ubuntu.com/ubuntu bionic-security InRelease                                                         
    Hit:3 http://ap-south-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease                       
    Hit:4 http://ap-south-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease                     
    Ign:5 https://download.jitsi.org stable/ InRelease                             
    Err:6 https://download.jitsi.org stable/ Release    
      Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: X.X.X.X 443]
    Reading package lists... Done                       
    E: The repository 'https://download.jitsi.org stable/ Release' does not have a Release file.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

I’m suffering from the same problem today. Only that the problem manifests itself on an already installed system, where the repository is already added:

    $ sudo apt update
    Грш:31 https://download . jitsi . org stable/ Release
    Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 130.79.200.22 443]

The problem is that the server download . jitsi . org is returning an old intermediate certificate for:

    issuer=C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    notBefore=May 30 10:48:38 2000 GMT
    notAfter=May 30 10:48:38 2020 GMT

So to resolve the problem, the configuration of the server download . jitsi . org needs to be updated to return the updated intermediate certificate.
The certificate of download . jitsi . org itself doesn’t need to be updated.
More information on the matter can be found here:

If anyone has access to the system administrator of download. jitsi . org, please forward this topic to that person.

1 Like
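An added example, not part of the original thread: a small triage script that reads issuer/subject/notBefore/notAfter fields in the format quoted in the post above (the format `openssl x509 -noout -issuer -subject -dates` prints) and reports which chain element is outside its validity window at a given time. The first sample entry uses the values quoted above; the second is a constructed placeholder leaf with a hypothetical name and dates.

```python
from datetime import datetime, timezone

FIELDS = ("issuer", "subject", "notBefore", "notAfter")

# First entry: values quoted in the post above. Second entry: constructed
# placeholder leaf (hypothetical name and dates) so the chain has two elements.
SAMPLE = """\
issuer=C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
subject=CN = leaf.example.test
notBefore=Jan  1 00:00:00 2020 GMT
notAfter=Jan  1 00:00:00 2021 GMT
"""

def parse_chain(text):
    """Return one dict per certificate from concatenated openssl field output."""
    certs, cur = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in FIELDS:
            continue                      # ignore anything that is not a known field
        if key in cur:                    # a repeated field starts the next certificate
            certs.append(cur)
            cur = {}
        if key.startswith("not"):         # openssl pads single-digit days with a space
            value = datetime.strptime(" ".join(value.split()),
                                      "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        cur[key] = value
    if cur:
        certs.append(cur)
    return certs

def invalid_at(certs, when):
    """List (common name, reason) for certificates outside their validity window."""
    findings = []
    for cert in certs:
        name = cert["subject"].rsplit("CN = ", 1)[-1]
        if when > cert["notAfter"]:
            findings.append((name, "expired"))
        elif when < cert["notBefore"]:
            findings.append((name, "not yet valid"))
    return findings

if __name__ == "__main__":
    for day in (29, 31):                  # the day before and the day after expiry
        moment = datetime(2020, 5, day, tzinfo=timezone.utc)
        print(moment.date(), invalid_at(parse_chain(SAMPLE), moment))
```
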

It appears that their Root CA expired today 6 hrs ago. Hopefully they can update this soon.

Subject USERTrust RSA Certification Authority
Fingerprint SHA256: 1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
Pin SHA256: x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=
Valid until Sat, 30 May 2020 10:48:38 UTC (expired 6 hours and 6 minutes ago) EXPIRED
Key RSA 4096 bits (e 65537)
Issuer AddTrust External CA Root
Signature algorithm SHA384withRSA

3 Likes