Hi everyone,
I had successfully installed the entire Chirpstack on Raspbian OS, Debian and Win10 with no major issues. Currently I try to do the same on a Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-88-generic x86_64). I followed the instructions and discovered the following behavior:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1CE2AFD36DBCCA00
Executing: /tmp/apt-key-gpghome.uByMYQBhy3/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1CE2AFD36DBCCA00
gpg: key 1CE2AFD36DBCCA00: public key āOrne Brocaar info@brocaar.comā imported
gpg: Total number processed: 1
gpg: imported: 1
Nothing curious from my point of view. Next step:
sudo echo ādeb hhttps://artifacts.chirpstack.io/packages/3.x/deb stable mainā | sudo tee /etc/apt/sources.list.d/chirpstack.list
deb hhttps://artifacts.chirpstack.io/packages/3.x/deb stable main
Looks good to me too, next step:
sudo apt update
Hit:1 hhttp://ch.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 hhttp://ch.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 hhttp://ch.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 hhttp://ch.archive.ubuntu.com/ubuntu focal-security InRelease
Ign:5 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable InRelease
Err:6 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 188.166.134.65 443]
Reading package listsā¦ Done
E: The repository āhhttps://artifacts.chirpstack.io/packages/3.x/deb stable Releaseā does not have a Release file.
N: Updating from such a repository canāt be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
The Error message is pretty clear; but I have no idea how to solve it. Therefore, any help would be pretty much appreciated.
Best regards
Thomas
PS: Pls consider all hhttp as http, since I was only allowed to have to links added. Sry.
It was the clock. The NTP server was down, the system clock wasnāt set properly, I didnāt notice or think to check initially, and the incorrect time was causing verification to fail.
thx for your reply - I verified the system clock on my system and found it accurate within 3 sec. I correct even this deviation but no change in the descripted behavior.
Then I went through the steps mentioned in the stackoverflow case but even those did not make the trick, still getting the same notification: The certificate is NOT trusted. The certificate issuer is unknown.
Additional info about the issue:
Just a minute ago I went through the chirpstack repro installation steps on a raspberry pi (Raspbian 10 (buster)) with no issues; there the certificate will be accepted.
It appears to be a ubuntu issue to me. My ubuntu server is fresh installed with standard settings.
you can install all package manually, it will work:
chirpstack-network-server_3.15.3_linux_amd64.deb, chirpstack-gateway-bridge_3.13.1_linux_amd64.deb and chirpstack-application-server_3.17.3_linux_amd64.deb
I donāt use Letsencrypt. DST Root CA requires at least openssl v1.1.0. so I did upgrade version. but not work.
return message : Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 188.166.134.65 443]
I went through the document and the documentation derived from the document and did the following:
check and update OpenSSL:
~$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
check that the ISRG Root X1 certificate is installed.
~$ openssl x509 -enddate -noout -in /etc/ssl/certs/ISRG_Root_X1.pem
notAfter=Jun 4 11:04:38 2035 GMT
then check if the certificate is now accepted.
~$ sudo apt update
[sudo] Password for support:
Hit:1 hhttp://ch.archive.ubuntu.com/ubuntu focal InRelease
Match:2 hhttp://ch.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 hhttp://ch.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 hhttp://ch.archive.ubuntu.com/ubuntu focal-security InRelease
Ign:5 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable InRelease
Err:6 hhttps://artifacts.chirpstack.io/packages/3.x/deb stable Release
Certificate verification failed: The certificate is NOT trusted. The issuer of the certificate is unknown. Handshake could not be performed: Certificate verification error. [IP: 188.166.134.65 443]
Read package listsā¦ Done
E: The repository āhttps://artifacts.chirpstack.io/packages/3.x/deb stable releaseā has no release file.
N: Updates from such a repository cannot be done securely and are therefore disabled by default.
N: See apt-secure(8) man page for details on repository creation and user configuration.
support@SL-HDB-LoRaWAN-1:~$
Not sure what to do next. Certainly I could install it manually as sugested but I guess it would be better if it would work as expected.
Best regards
Thomas
PS: Pls consider all hhttp as http, since I was only allowed to have to links added. Sry.
But the https://artifacts.chirpstack.io/ endpoint does. Therefore the CA that Letsencrypt used to to sign the server certificate must be known to your machine. Probably when you do a curl https://artifacts.chirpstack.io/ on your machine it fails, while it works in your browser.
Hello @dticomponents , I wanted to know if you managed to find the solution to this problem. Indeed, I try to follow the guide on Chirpstack but I block on this same errorā¦ (knowing that I use the Siemens IoT2050 gateway with a LoRaWAN MPCIE card)
Hi Nada, ultimately, the problem for us was in the network environment. Our company works with an internal proxy running a ZScaler, which blocked the download but did not give any feedback. It was necessary to install certificates on my Linux server, so that a position of trust was established between my server and the proxy. I got on the track by doing the Chripstack installation on a Raspberry Pi 4b completely and without problems in my private network and thus knew that the cause had to be in our company network.
Hello,
Thank you for your feedback. My company also works with ZScaler, this is the first time Iāve worked on a project like this so this error took me days ā¦ Iāll try to proceed like you and Iāll let you know if it works for me too!
Thank you very much
Indeed, thatās the problem because when I try to install it somewhere else it works.
So I wanted to ask you if installing the certificates on the linux server directly does not cause cybersecurity problems.
Also, could you tell me what files (certificates) you have installed on your computer to proceed this way (since theoretically the āinstall ca-certificatesā command was supposed to be sufficient).
In Ubuntu I had to copy the ZScaler certificates (zscaler_root.cer, zscaler_intermadiate_t.cer, zscaler_intermediate.cer) to ā/usr/local/share/ca-certificatesā and then run āsudo update-ca-certificatesā. You can get the certificates from your network administrator.
If you have gateways running OpenWRT (e.g. Dragino LG308) you have to make the certificates known for the installation of the Chripstack gateway bridge on the gateway. Let me know if you need that too.
Thank you for your answers. I am new in the field hence the multiple questions.
I use the Siemens IoT2050 gateway with a LoRaWAN MPCIE concentrator card so technically I wonāt need OpenWRT