We had an issue with our instance of Jenkins on our Ubuntu server which purged our configs and packages.
Because of that, we are attempting to re-install Jenkins on this server. However, we continue to get an error when running sudo apt-get update:
Err:6 https://pkg.jenkins.io/debian-stable binary/ Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 184.108.40.206 443]
We have followed all the steps on the Jenkins Ubuntu install page:
We have also made sure to remove Jenkins from the apt list and add back all the necessary files (once again by following the steps on the Jenkins page).
The steps we have tried:
curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update ← This is the issue where we get the error mentioned above.
I have also tried: wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | apt-key add -
Usually when there is a report that the certificate is not trusted, it is because the operating system list of certificates is out of date. Be sure that you’ve run apt-get update && apt-get upgrade on that operating system so that it downloads and installs the latest certificate authorities.
I can confirm it’s valid and working. You may want to confirm a certificate package was updated for your OS version. (You need to update your local certs before running the update-ca-certificates function.)
I don’t know offhand. update-ca-certificates takes the certs in the directory and installs them properly. One of the Debian packages, maybe ca-certificates, is the one that installs the latest ones for Debian.
I would recommend googling for your version of Linux (Debian, Ubuntu, Arch, etc.) and the version, and how to update it to support the Let’s Encrypt root certificates.
I have the same issue and have come to this post numerous times just because there wasn’t any other post out there.
As @MarkEWaite previously posted (DST Root CA X3 Expiration (September 2021) - Let's Encrypt), the Let’s Encrypt CA has expired. So a possible solution that worked for me would be to check if there is a line in your /etc/ca-certificates.conf file and, if there is, comment it out by adding an exclamation mark.
And then run “sudo update-ca-certificates” - that will update the changes that you just made. After that try running sudo apt update once again.
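The deselect step from the last post, as an added example that is not part of the thread and not Jenkins project code: it prefixes one exact entry in a ca-certificates.conf-style file with "!" (the marker update-ca-certificates treats as deselected), keeps a backup, and changes nothing when the entry is already deselected or absent. The post does not name the line, so the entry is a parameter; the function names `ca_entry_state` and `deselect_ca_entry` are hypothetical.

```shell
#!/bin/sh
# Added example. In ca-certificates.conf, "#" starts a comment and a
# leading "!" deselects the certificate named on that line.

# ca_entry_state CONF ENTRY -> prints: enabled | deselected | absent
ca_entry_state() {
    conf=$1 entry=$2
    if grep -Fxq -- "$entry" "$conf"; then
        echo enabled
    elif grep -Fxq -- "!$entry" "$conf"; then
        echo deselected
    else
        echo absent
    fi
}

# deselect_ca_entry CONF ENTRY
# Returns 0 if the entry is deselected afterwards, 1 if it is not in the
# file at all, 2 if the backup or temporary file could not be created.
deselect_ca_entry() {
    conf=$1 entry=$2
    case $(ca_entry_state "$conf" "$entry") in
        deselected) return 0 ;;   # already done: leave the file untouched
        absent)     return 1 ;;   # nothing to change
    esac
    cp -p -- "$conf" "$conf.bak" || return 2   # copy to roll back to
    tmp=$(mktemp "$conf.XXXXXX") || return 2
    # Whole-line string comparison: "foo.crt" never matches "foo.crt.old",
    # and no character in the entry name is treated as a regex.
    awk -v e="$entry" '$0 == e { print "!" $0; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"   # overwrite in place: keeps owner and mode
    rc=$?
    rm -f -- "$tmp"
    return $rc
}
```

Run it as root against /etc/ca-certificates.conf with the entry you found there, then continue with sudo update-ca-certificates as the post describes.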