apt安装包时报错：Certificate verification failed: The certificate is NOT trusted.

忽略:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu groovy-updates/universe amd64 apt-transport-https all 2.1.10ubuntu0.3
错误:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu groovy-updates/universe amd64 apt-transport-https all 2.1.10ubuntu0.3
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
W: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/pool/universe/a/apt/apt-transport-https_2.1.10ubuntu0.3_all.deb: No system certificates available. Try installing ca-certificates.
W: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/pool/universe/a/apt/apt-transport-https_2.1.10ubuntu0.3_all.deb: No system certificates available. Try installing ca-certificates.
E: 无法下载 https://mirrors.tuna.tsinghua.edu.cn/ubuntu/pool/universe/a/apt/apt-transport-https_2.1.10ubuntu0.3_all.deb  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 101.6.8.193 443]
E: 有几个软件包无法下载，要不运行 apt-get update 或者加上 --fix-missing 的选项再试试？

 

之前将源改为了清华的源，清华源之前的源使用的是http，清华源使用的是https

 

尝试了apt install ca-certificates和apt upgrade ca-certificates都没有效果（需要切换到原始源尝试，否则因为清华源证书错误无法运行）

 

尝试了添加[trusted=yes]到源配置文件中，也无效

deb [trusted=yes] https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy main restricted universe multiverse
deb [trusted=yes] https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy-updates main restricted universe multiverse
deb [trusted=yes] https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy-backports main restricted universe multiverse
deb [trusted=yes] https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ groovy-security main restricted universe multiverse

 

最后添加了下面的配置，可以正常下载了

Acquire { https::Verify-Peer false }

 

不过上面的配置会取消验证证书，不推荐

 

 

 

（详细查错过程，有时间可看）

---

(base) gbstack@n02:~/certs$ sudo openssl s_client -showcerts -connect https://mirrors.tuna.tsinghua.edu.cn/ubuntu
140438806988096:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Servname not supported for ai_socktype
connect:errno=2
(base) gbstack@n02:~/certs$ sudo openssl s_client -showcerts -connect mirrors.tuna.tsinghua.edu.cn:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = tuna.tsinghua.edu.cn
verify return:1
---
Certificate chain
 0 s:CN = tuna.tsinghua.edu.cn
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFRTCCBC2gAwIBAgISA6TnJkfXaw00GpHTYJluV6HTMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA0MTQwODQ0MDBaFw0yMTA3MTMwODQ0MDBaMB8xHTAbBgNVBAMT
FHR1bmEudHNpbmdodWEuZWR1LmNuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwV9ZkklmU1VhhxWJ0BxXTatIoVdHT14uOsZWkxOSmFtMlMuAaqoGroZt
ZBlOxT3nfNfP7TDJITzejwd5ktNqpHonty7Gp8FPKOX5QVIVn8WAKELTUKTKeMgI
/m2DZs94FBv2NoUvmOjxuvBmjwjfeoHklYRIk1jaOGHFoTTROAVFL6WNj+jWBjuv
cxL++y2bwZ8U3/vvJsnirCDS3CLNFMJm/uvvPLHIGU8VTd4PWmg0iLIhNCg6tGEt
4RFV8a5734cRKkQaxJQcSJBLx9UQjWVzrXNcV8LnKuHuR0steY/nywcLbuV9v92T
4yd3GccBZIqvjkbVS0qeZBDuBJWFFQIDAQABo4ICZjCCAmIwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBTywriysAtrKqDK8PCYW8T6BH2JlzAfBgNVHSMEGDAWgBQULrMX
t1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0
dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVu
Y3Iub3JnLzA3BgNVHREEMDAughYqLnR1bmEudHNpbmdodWEuZWR1LmNughR0dW5h
LnRzaW5naHVhLmVkdS5jbjBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLf
EwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCC
AQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AESUZS6w7s6vxEAH2Kj+KMDa5oK+2Msx
tT/TM5a1toGoAAABeM/EIJEAAAQDAEcwRQIgC1RkSNtugNOm/L5qUGvyfFKjp0Wh
9U61mfXQ2YLpoYoCIQDD/vUyP50bLTj234WZWvTm+m/B5PHjH4IB43JmGyK/3QB1
AH0+8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAABeM/EIOAAAAQDAEYw
RAIgXTH9Uj10z7jSgPXK+s4DCnXBaBxEuQNSfiLLCCeTmJUCIAnDetYgBjskUJzy
snihedj2ptqsDfWF9/yHJO8qh/9yMA0GCSqGSIb3DQEBCwUAA4IBAQCT6E9/o4Ym
XdmfkTO2AUgtnkZ0zKGigFD5aHlLuspPrsZVOs4ipybDIwn2sAuFYZaouDi2RAqR
ye/SOm8TWuT2mfaO4ofpyUjTsozFBaRDbZD+mgR60bbEdFXb5UwrTiGLjzxicx8H
qQzZaDvlGMIkqwtpaYHzAZ5cGARjcpZ11q+5qNqsDv+sRgwD5N0eGbgO7qDn5db2
fHFBea6dgjTe+Oe2J1jDCZr5YYyJkYGhtpLPIUAlUM43/86IueHuKMqnuSSNoo4a
3Msv4ZsZ0oesiXJA9R+eoRy87iBRtW7fgKw0xYs3oaHZLs3XKCc0EkBDnku+Vdli
Cu4NqPI0dkr7
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = tuna.tsinghua.edu.cn

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3162 bytes and written 413 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AE564447F12242DE56ED576F39188527A2C851B556748B8CF75E680590DC659D
    Session-ID-ctx:
    Master-Key: 6DB9A683881FECD7064DA37A69281A4EAB9BB324EAAE5B884A001E1C17720EBFC8218E891550DAF60FE58B212945AD69
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2e f9 56 38 98 3c fe d1-22 1e 3c 1d d9 66 31 38   ..V8.<..".<..f18
    0010 - c5 20 1f 6d aa 79 5c 65-e6 4f a0 5c e9 9a b0 c2   . .m.y\e.O.\....
    0020 - c6 45 1f c0 f5 0a e3 54-5a d4 0e 81 04 cd 0b 81   .E.....TZ.......
    0030 - 83 4d 25 0c 21 9b b7 62-13 ca fd 59 9d 89 87 19   .M%.!..b...Y....
    0040 - 4f 9f af a4 62 9c b4 f7-35 bf ca 9a 75 1a c7 87   O...b...5...u...
    0050 - 75 88 3c ad 32 a3 3c 0d-47 a1 81 f7 ae 86 27 b3   u.<.2.<.G.....'.
    0060 - c1 cc 30 7c 6f bb 64 75-2b 78 fa b5 75 0f 78 aa   ..0|o.du+x..u.x.
    0070 - 76 fa bf 78 ce 08 d4 91-d4 9e 7c d6 db 5c 17 ab   v..x......|..\..
    0080 - 9a 38 79 ce 43 ac 55 9b-50 46 70 55 b3 f5 cb 1e   .8y.C.U.PFpU....
    0090 - 21 65 5f 32 12 f0 8b 72-5f d2 67 0b 20 43 7a 4e   !e_2...r_.g. CzN
    00a0 - c8 fc 88 f7 29 05 3c a8-6a cc 9c a9 e4 9d 22 3d   ....).<.j....."=
    00b0 - d9 81 62 7e 57 08 1e b3-b6 47 fd 9b bd 5c d2 a6   ..b~W....G...\..
    00c0 - 80 ef e2 c0 31 2b 27 23-62 63 fa 74 34 0f 37 c3   ....1+'#bc.t4.7.

    Start Time: 1619072880
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

 

检查/etc/ca-certificates，发现其中内容包括了

mozilla/DST_Root_CA_X3.crt

 

所以不是缺少ca证书导致