let's encrypt expiry issues
we have a few issues related to the expiry of the Let's encrypt root:
- #40431 (closed) is about runners failing to reach archive.ubuntu.com
- then our own APT repository at db.torproject.org is giving out errors, and lots of them... i had over a thousand messages similar to this in the last 24h:
From: root@polyanthum.torproject.org
Subject: Cron <root@polyanthum> [ -x /usr/sbin/dsa-update-apt-status ] && /usr/sbin/dsa-update-apt-status
To: root@polyanthum.torproject.org
Date: Fri, 01 Oct 2021 18:20:18 +0000
E: The repository 'https://db.torproject.org/torproject-admin buster Release' no longer has a Release file.
E: The repository 'https://db.torproject.org/torproject-admin tpo-all Release' no longer has a Release file.
E: The repository 'https://db.torproject.org/torproject-admin buster Release' no longer has a Release file.
E: The repository 'https://db.torproject.org/torproject-admin tpo-all Release' no longer has a Release file.
E: The repository 'https://db.torproject.org/torproject-admin buster Release' no longer has a Release file.
E: The repository 'https://db.torproject.org/torproject-admin tpo-all Release' no longer has a Release file.
the actual error from apt-update
is:
root@fsn-node-06:~# apt update
Hit:1 http://security.debian.org buster/updates InRelease
Ign:2 https://db.torproject.org/torproject-admin buster InRelease
Ign:3 https://db.torproject.org/torproject-admin tpo-all InRelease
Err:4 https://db.torproject.org/torproject-admin buster Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a01:4f8:fff0:4f:266:37ff:fea1:4d3 443]
Err:5 https://db.torproject.org/torproject-admin tpo-all Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a01:4f8:fff0:4f:266:37ff:fea1:4d3 443]
Hit:6 https://deb.debian.org/debian buster-backports InRelease
Hit:7 https://deb.debian.org/debian buster InRelease
Hit:8 https://deb.debian.org/debian buster-updates InRelease
Reading package lists... Done
E: The repository 'https://db.torproject.org/torproject-admin buster Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://db.torproject.org/torproject-admin tpo-all Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@fsn-node-06:~#
so something is going on with the chain on that end.