I’m getting “server certificate verification failed” when trying to update the Indeni software. What is this and how do I fix it?

Question:

I’m trying to update the Indeni software using “imanage” but am getting an error “server certificate verification failed”. What do I do?


Answer:

During the update process, the HTTPS certificate of the server providing the update packages gets verified. If you are seeing this error, you are probably using a proxy (configured through “imanage” hopefully). A first step would be to pull the server certificate of the AWS S3 service we use to host the Indeni software packages:


echo -n | openssl s_client -connect s3.amazonaws.com:443 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
sudo tee '/usr/local/share/ca-certificates/s3.crt'

sudo update-ca-certificates


If this still doesn’t work, try to override the server certificate check:

sudo nano /etc/apt/apt.conf


Add the following line at the end:

Acquire::https::s3.amazonaws.com::Verify-Peer "false";
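
Added example, not part of the original answer or of Indeni's tooling: behind a TLS-inspecting proxy, the certificate that the openssl s_client command above receives may be issued by the proxy's own CA, so it is worth reading the chain's subject and issuer names before adding anything to the trust store. The sample output and the "Example Corp" names below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer): list who issued each certificate
# in the "Certificate chain" section that `openssl s_client` prints.
#
# Live use:
#   echo -n | openssl s_client -connect s3.amazonaws.com:443 2>/dev/null | chain_entries

# Constructed sample of s_client output as it could look behind a TLS-inspecting
# proxy. The "Example Corp" names are placeholders, not values from the page.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=s3.amazonaws.com
   i:/O=Example Corp/CN=Example Corp Web Filter CA
 1 s:/O=Example Corp/CN=Example Corp Web Filter CA
   i:/O=Example Corp/CN=Example Corp Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
EOF
}

# Read s_client output on stdin; print "depth|subject|issuer" per certificate.
# Only s: and i: lines are used, so extra per-certificate lines are ignored.
chain_entries() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { exit }
    in_chain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); print depth "|" subj "|" $0 }
  '
}

# Issuer of the last certificate sent: the CA that has to be present in the
# local trust store for verification to succeed.
required_anchor() {
  chain_entries | tail -n 1 | cut -d'|' -f3
}

# Succeeds when the leaf certificate's issuer name contains the string in $1.
leaf_issued_by() {
  chain_entries | head -n 1 | cut -d'|' -f3 | grep -qF -- "$1"
}
```

If the issuer names belong to your own proxy or content filter, the certificate to place in /usr/local/share/ca-certificates is that device's CA certificate, obtained from whoever administers it.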

Running into issues with this process. Tried all the steps above.


When attempting to update packages:


[Upgrade Indeni products] Checking connectivity to indeni S3 repository...
[Upgrade Indeni products] Sending request to 'https://s3.amazonaws.com/indeni-public/'
/usr/lib/ruby/1.9.1/net/http.rb:800:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/1.9.1/net/http.rb:800:in `block in connect'
from /usr/lib/ruby/1.9.1/timeout.rb:55:in `timeout'
from /usr/lib/ruby/1.9.1/timeout.rb:100:in `timeout'
from /usr/lib/ruby/1.9.1/net/http.rb:800:in `connect'
from /usr/lib/ruby/1.9.1/net/http.rb:756:in `do_start'
from /usr/lib/ruby/1.9.1/net/http.rb:745:in `start'
from /usr/lib/ruby/1.9.1/net/http.rb:1285:in `request'
from /usr/share/indeni-tools/lib/common.rb:31:in `validate_connection_to_s3'
from /usr/share/indeni-tools/manage/indeni-manage.rb:59:in `update_upgrade'
from /usr/share/indeni-tools/manage/indeni-manage.rb:315:in `<main>'


Have whitelisted the S3/AWS FQDN, and added (3) different explicit IP addresses to our content filtering appliance.


Tried to wget all the deb files; that didn't work either.


wget -A deb -m -p -E -k -K -np https://s3.amazonaws.com/indeni-public
--2017-10-03 08:06:39-- https://s3.amazonaws.com/indeni-public
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.18.211
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.18.211|:443... connected.
ERROR: The certificate of ‘s3.amazonaws.com’ is not trusted.
ERROR: The certificate of ‘s3.amazonaws.com’ hasn't got a known issuer.

Ran all these commands too:

1) sudo apt-get update

2) sudo apt-get upgrade

3) sudo indeni-collector restart

4) sudo indeni-server restart


Has anyone else run into this? Apparently I'm about 100~ pkgs behind.

This should probably not be in the "Check Point" part of the forum