The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification

abhishek · May 30, 2020, 4:11pm

I faced this issue today repeatedly, when trying to add jitsi keys on my server. i added logs for reference below. @damencho

 root@ip-X.X.X.X:~#curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
    100  3071  100  3071    0     0    174      0  0:00:17  0:00:17 --:--:--   910


    root@ip-X.X.X.X:~# echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/nul
l
    root@ip-X.X.X.X:~# sudo apt update
    Hit:1 http://ap-south-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
    Hit:2 http://security.ubuntu.com/ubuntu bionic-security InRelease                                                         
    Hit:3 http://ap-south-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease                       
    Hit:4 http://ap-south-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease                     
    Ign:5 https://download.jitsi.org stable/ InRelease                             
    Err:6 https://download.jitsi.org stable/ Release    
      Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: X.X.X.X 443]
    Reading package lists... Done                       
    E: The repository 'https://download.jitsi.org stable/ Release' does not have a Release file.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

lukav · May 30, 2020, 4:43pm

I’m suffering from the same problem today. Only that the problem manifests itself on an already installed system, where the repository is already added:
$ sudo apt update
Грш:31 https://download . jitsi . org stable/ Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 130.79.200.22 443]

The problem is that the server download . jitsi . org is returning and old intermediate certificate for issuer=C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT

So to resolve the problem the configuration of the server download . jitsi . org need to be updated to return the updated intermediate certificate.
The certificate of download . jitsi . org itself doesn’t need to be updated.
More information on the matter can be found here:

If anyone has access to the system administrator of download. jitsi . org, please forward this topic to that person.

probie · May 30, 2020, 4:57pm

It appears that their Root CA expired today 6 hrs go. Hopefully they can update this soon.

Subject USERTrust RSA Certification Authority
Fingerprint SHA256: 1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
Pin SHA256: x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=
Valid until Sat, 30 May 2020 10:48:38 UTC (expired 6 hours and 6 minutes ago) EXPIRED
Key RSA 4096 bits (e 65537)
Issuer AddTrust External CA Root
Signature algorithm SHA384withRSA