Server certificate verification failed for https://dist.sapmachine.io/ due to Let's Encrypt DST Root CA X3 expiration about apt-buildpack HOT 11 CLOSED

same issue for me, can we have a workaround way? like disable the ssl cert?

   -----> Apt Buildpack version 0.2.7
          **WARNING** buildpack version changed from 0.2.6 to 0.2.7
   -----> Adding apt keys
   Warning: apt-key output should not be parsed (stdout is not a terminal)
   gpg: no valid OpenPGP data found.
   gpg: Total number processed: 0
   gpg: keyserver communications error: keyserver helper internal error
   gpg: keyserver internal error
   gpg: WARNING: unable to fetch URI https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xEB9B1D8886F44E2A: keyserver error
          **ERROR** Error running supply: could not add apt key https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xEB9B1D8886F44E2A
          
          Executing: /tmp/apt-key-gpghome.12SwVlVXe5/gpg.1.sh --fetch-keys https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xEB9B1D8886F44E2A
          gpgkeys: https fetch error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
          
          
          exit status 2
          **ERROR** Unable to run all buildpacks: Failed to run all supply scripts: exit status 14

from apt-buildpack.

root cause: Let's Encrypt R3 Intermediate Certificate Expiration (30 September 2021)
Do you run websites that are signed via Let's Encrypt certificates? Then there could possibly be problems on September 30, 2021. This is because the root certificate used by Let's Encrypt to sign client certificates will lose its validity on this day (expiry of Intermediate R3 on 2021/09/29 at 19:21:40 GMT – the DST Root CA X3 expires on 2021/09/30 14:01:15 GMT). Clients that only know the old root certificates will not be able to verify Let's Encrypt server certificates after that.

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

from apt-buildpack.

fixed. change the https to http

apt.yaml

---
packages:
- openjdk-8-jre
repos:
- deb http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty main
keys:
- http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xEB9B1D8886F44E2A

from apt-buildpack.

That a workaround but not a solution. When you request the certificate via http that request could be intercepted and you could get a spoofed certificate. It also might be that the site is only reachable via https.

Is there something like a base image for this buildpack? Would that the right place to add the new Let's Encrypt Root certificate?

from apt-buildpack.

Hi @gregorwolf and @mstiunicon. If I understand correctly, as of Sept. 30th, the specific dependency that you are trying to install via the apt-buildpack can no longer install it due to a need for different certificates?

from apt-buildpack.

Correct.

from apt-buildpack.

It seems like you need a way to update the certs during staging for the buildpack to access possibly. This seems beyond the apt-buildpack scope. Have you tried following something like https://docs.cloudfoundry.org/running/trusted-system-certificates.html to add the Let's Encrypt Root cert?

from apt-buildpack.

What is the base for apt-buildpack? Might it be worth filing an incident there?

from apt-buildpack.

OK, I think I've got it now reading the documentation Trusted System Certificates. This documentaiton states:

admin configures these certificates

So I think I have to reach out to SAP as the provider of the Cloud Foundry environment where I face this issue and ask them to add the updated Let's Encrypt Root cert?

from apt-buildpack.

@gregorwolf I think so. I don't think it's something you'd configure with the buildpack or it's base image. The buildpack runs on the cflinuxfs3 stack

from apt-buildpack.

Seems that the issue was solved by SAP now.

from apt-buildpack.