Trisquel 9.0 Mate cannot update!

16 replies [Last post]
GeorgeK
Offline
Joined: 05/05/2021

I installed Trisquel 9 Mate and cannot update.I get the error "Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate."

Avron
Offline
Joined: 08/18/2020

I copy Ark74's messages from Trisquel's IRC yesterday (someone had the same problem):

 you could try do on a terminal: sudo sed -i 's|https|http|g' /etc/apt/sources.list
 then try updating
 there is a issue all over the world with a ssl certificate expiring
 the current iso is a bit old
 we need to update so is not affected for new users
 installed systems are not affected

Using http instead of https as suggested is not so secure, you could also wait for the iso to be updated, perhaps it will be very soon.

strypey
Offline
Joined: 05/14/2015

I had a similar issue, more details here:
https://trisquel.info/en/forum/ca-certificate-issue-while-installing-any-package#comment-161242

I tried Ark74's suggestions to use http instead of https, as posted by Avron. But it still won't upgrade, due to errors related to the SyncThing and Mailpile repos:

Err:8 https://apt.syncthing.net syncthing Release
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign:9 https://www.mailpile.is/deb release InRelease
Err:10 https://www.mailpile.is/deb release Release
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Reading package lists... Done
E: The repository 'https://apt.syncthing.net syncthing Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://packages.mailpile.is/deb release Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Any suggestions?

strypey
Offline
Joined: 05/14/2015

After following Ark74's suggestion, I tried disabling the SyncThing and Mailpile repos in System > Admin > Software & Updates. Apt update and apt upgrade now run but says there are no new packages.

SabirSaleem90
Offline
Joined: 10/03/2021

Installing from HTTP instead of HTTPS is something not secure I mean changing protocol from sources.list is not risky as we are just downloading repo from trisquel Servers ?

Avron
Offline
Joined: 08/18/2020
GeorgeK
Offline
Joined: 05/05/2021

I will try Ark74's suggestion.Thank you Avron!

Bubo
Offline
Joined: 02/07/2017

On Fri Oct 1 2021 UTC 13:11 I posted in this same topic:
I have been using Trisquel9 (Etiona) as a live USB and installing Geany, Gnumeric and mtPaint for at least the last fortnight without problems but this morning I couldn't.
My request was replied by the terminal as can be seen in the attachment.

PS: Sat Oct 2 2021 15:18 UTC
I have solved my problem using Ark74's IRC message that was forwarded by Avron and worked for GeorgeK
Thanks to all of you!

2021-10-01_10-38-41_UTC.png
GeorgeK
Offline
Joined: 05/05/2021

I have updated my system.Is there any way i can enable https only again for updating?

Ark74

I am a member!

I am a translator!

Offline
Joined: 07/15/2009

Try the reverse,

sudo sed -i "s|http|https|g" /etc/apt/sources.list

About http not being secure in this specific use, I partially disagree, since you are not pulling or sending personal information but connecting to a publicly available, worldwide accessible repository of packages.

So using https is kind of an added layer of security but not make it secure in a operative sense with the OS package manager.

All the packages are signed with gpg, so even they are pulled using https or htpp directly, over a proxy cache system, CD/DVD if the signature is tainted, or wrong then you'll be alerted and it won't install any package.

That is standard security for any package system distribution for all/(most) GNU/Linux systems.

Is it flawless to any kind of attack in the XXI century, maybe not, but does using SSL will be the be-all and end-all?, don't think so either.

Avron
Offline
Joined: 08/18/2020

Thanks for the explanations, I did not think that much before writing and forgot about the gpg signature.

Besides, I noticed that by default Debian seems not to use ssl, I don't know why.

Ark74

I am a member!

I am a translator!

Offline
Joined: 07/15/2009

It is much simpler for using a proxy cache when using http instead of https

I guess that simplifies the work for the people using proxy cache for saving bandwidth on both ends, Debian servers and users under the proxy.

It does too at home for trisquel repos. ;)

GeorgeK
Offline
Joined: 05/05/2021

Thank you Ark74!

Martins
Offline
Joined: 04/24/2013

Thank-you for the help we are getting in advance:

I tried ark74's suggestion literally.

This confirms that I am running a corrupt distro as the forum language switched to French in the process!

Will follow up when I will have downloaded and installed from a T9.1 ISO

Screenshot at 2022-02-05 00-23-59.png
Avron
Offline
Joined: 08/18/2020

Maybe you followed my link above to the forum that has "fr" in it, since I am set in French. When I follow a link from someone to the forum, I have the language switched as well.

Ark74

I am a member!

I am a translator!

Offline
Joined: 07/15/2009

you used the command to change from http > https
not the one to change from https > http (this one you needed).

Edit manually the sources.lits file to fix the double s at "httpss"

regards

Martins
Offline
Joined: 04/24/2013

Thank you again Ark74 for the help.

In the meantime I found and installed the Triskel 9.02 iso that installs the KDE Plasma desktop nicely on a 10 year old acer Aspire which had refused to launch the T10.00 iso.

I was pleased to discover that apt-get --update and apt-get --install work despite the Plasma gui terminating its version of add/remove programs.

Unfortunately shortcuts cannot be defined for simpler older programs like scite, and mate-terminal which allows copying a bash session to the clipboard. I suppose this should be addressed to the KDE people.

Regards, Martins