Chirpstack repository: The certificate is NOT trusted. The certificate issuer is unknown

Hi everyone,
I had successfully installed the entire Chirpstack on Raspbian OS, Debian and Win10 with no major issues. Currently I try to do the same on a Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64). I followed the instructions and discovered the following behavior:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1CE2AFD36DBCCA00
Executing: /tmp/apt-key-gpghome.uByMYQBhy3/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1CE2AFD36DBCCA00
gpg: key 1CE2AFD36DBCCA00: public key “Orne Brocaar info@brocaar.com” imported
gpg: Total number processed: 1
gpg: imported: 1

Nothing curious from my point of view. Next step:

sudo echo “deb hhttps://artifacts.chirpstack.io/packages/3.x/deb stable main” | sudo tee /etc/apt/sources.list.d/chirpstack.list
deb hhttps://artifacts.chirpstack.io/packages/3.x/deb stable main

Looks good to me too, next step:

sudo apt update
Hit:1 hhttp://ch.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 hhttp://ch.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 hhttp://ch.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 hhttp://ch.archive.ubuntu.com/ubuntu focal-security InRelease
Ign:5 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable InRelease
Err:6 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 188.166.134.65 443]
Reading package lists… Done
E: The repository ‘hhttps://artifacts.chirpstack.io/packages/3.x/deb stable Release’ does not have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

The Error message is pretty clear; but I have no idea how to solve it. Therefore, any help would be pretty much appreciated.

Best regards
Thomas

PS: Pls consider all hhttp as http, since I was only allowed to have to links added. Sry.

First, make sure it’s not your clock:

It was the clock. The NTP server was down, the system clock wasn’t set properly, I didn’t notice or think to check initially, and the incorrect time was causing verification to fail.

Otherwise, try this Ubuntu thing:
https://stackoverflow.com/questions/35821245/github-server-certificate-verification-failed

Hi fmgst,

thx for your reply - I verified the system clock on my system and found it accurate within 3 sec. I correct even this deviation but no change in the descripted behavior.

Then I went through the steps mentioned in the stackoverflow case but even those did not make the trick, still getting the same notification: The certificate is NOT trusted. The certificate issuer is unknown.

Additional info about the issue:

Just a minute ago I went through the chirpstack repro installation steps on a raspberry pi (Raspbian 10 (buster)) with no issues; there the certificate will be accepted.

It appears to be a ubuntu issue to me. My ubuntu server is fresh installed with standard settings.

Any additional thoughts?

Best Regards

Thomas

The issue is that the Letsencrypt root certificate on your machine has expired and must be updated on your machine. See also: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

you can install all package manually, it will work:
chirpstack-network-server_3.15.3_linux_amd64.deb, chirpstack-gateway-bridge_3.13.1_linux_amd64.deb and chirpstack-application-server_3.17.3_linux_amd64.deb

I don’t use Letsencrypt. DST Root CA requires at least openssl v1.1.0. so I did upgrade version. but not work.
return message : Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 188.166.134.65 443]

hi brocaar,
thx for your reply–>

I went through the document and the documentation derived from the document and did the following:

1. check and update OpenSSL:
   ~$ openssl version
   OpenSSL 1.1.1f 31 Mar 2020

2. check that the ISRG Root X1 certificate is installed.
   ~$ openssl x509 -enddate -noout -in /etc/ssl/certs/ISRG_Root_X1.pem
   notAfter=Jun 4 11:04:38 2035 GMT

3. then check if the certificate is now accepted.

~$ sudo apt update
[sudo] Password for support:
Hit:1 hhttp://ch.archive.ubuntu.com/ubuntu focal InRelease
Match:2 hhttp://ch.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 hhttp://ch.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 hhttp://ch.archive.ubuntu.com/ubuntu focal-security InRelease
Ign:5 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable InRelease
Err:6 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable Release
Certificate verification failed: The certificate is NOT trusted. The issuer of the certificate is unknown. Handshake could not be performed: Certificate verification error. [IP: 188.166.134.65 443]
Read package lists… Done
E: The repository ‘https://artifacts.chirpstack.io/packages/3.x/deb stable release’ has no release file.
N: Updates from such a repository cannot be done securely and are therefore disabled by default.
N: See apt-secure(8) man page for details on repository creation and user configuration.
support@SL-HDB-LoRaWAN-1:~$

Not sure what to do next. Certainly I could install it manually as sugested but I guess it would be better if it would work as expected.

Best regards

Thomas

PS: Pls consider all hhttp as http, since I was only allowed to have to links added. Sry.

But the https://artifacts.chirpstack.io/ endpoint does. Therefore the CA that Letsencrypt used to to sign the server certificate must be known to your machine. Probably when you do a curl https://artifacts.chirpstack.io/ on your machine it fails, while it works in your browser.

Hello @dticomponents , I wanted to know if you managed to find the solution to this problem. Indeed, I try to follow the guide on Chirpstack but I block on this same error… (knowing that I use the Siemens IoT2050 gateway with a LoRaWAN MPCIE card)

Hi Nada, ultimately, the problem for us was in the network environment. Our company works with an internal proxy running a ZScaler, which blocked the download but did not give any feedback. It was necessary to install certificates on my Linux server, so that a position of trust was established between my server and the proxy. I got on the track by doing the Chripstack installation on a Raspberry Pi 4b completely and without problems in my private network and thus knew that the cause had to be in our company network.

Hello,
Thank you for your feedback. My company also works with ZScaler, this is the first time I’ve worked on a project like this so this error took me days … I’ll try to proceed like you and I’ll let you know if it works for me too!
Thank you very much

Hello @dticomponents,

Indeed, that’s the problem because when I try to install it somewhere else it works.
So I wanted to ask you if installing the certificates on the linux server directly does not cause cybersecurity problems.
Also, could you tell me what files (certificates) you have installed on your computer to proceed this way (since theoretically the ‘install ca-certificates’ command was supposed to be sufficient).

Thank you in advance

In Ubuntu I had to copy the ZScaler certificates (zscaler_root.cer, zscaler_intermadiate_t.cer, zscaler_intermediate.cer) to “/usr/local/share/ca-certificates” and then run “sudo update-ca-certificates”. You can get the certificates from your network administrator.

If you have gateways running OpenWRT (e.g. Dragino LG308) you have to make the certificates known for the installation of the Chripstack gateway bridge on the gateway. Let me know if you need that too.

adding to my last post; no, there will be not an issue with cybersecurity installing the certs on the server due to encryption.

Hello,

Thank you for your answers. I am new in the field hence the multiple questions.
I use the Siemens IoT2050 gateway with a LoRaWAN MPCIE concentrator card so technically I won’t need OpenWRT