4

I am currently trying to develop gstreamer plugins using the gstreamer-development library, as instructed in:

http://docs.gstreamer.com/display/GstSDK/Installing+the+SDK

I have a PC with Ubuntu 14.04 installed, and tried to install the library via the following instructions:

wget -q -O - http://www.freedesktop.org/software/gstreamer-sdk/sdk.gpg | sudo apt-key add -
sudo apt-get update

I got the following error:

Err http://www.freedesktop.org ./ Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign http://www.freedesktop.org ./ Translation-en_US
Ign http://www.freedesktop.org ./ Translation-en
W: Failed to fetch http://www.freedesktop.org/software/gstreamer-sdk/data/packages/ubuntu/raring/amd64/./Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

E: Some index files failed to download. They have been ignored, or old ones used instead.

In order to get rid of the certificate errors, I searched for a solution, but this thread is very "gitlab"-specific and was not useful:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I could not find a way to instruct the apt-get update utility to ignore that my source is not certified. Maybe my problem is not gstreamer-dev specific, but apt-get specific.

Another note: A few days ago, I did this installation without a problem. Something may have changed.

Best regards,

fercis


2 Answers

2

You shouldn't need to disable the certificate verification, but one situation where I have had to do this is when adding a new local repository, whose certificates package is stored on the same server (yes, a chicken-and-egg situation). For that, you can disable the peer verification using the APT option Acquire::https::Verify-Peer=false, as documented in the apt-transport-https(1) man page.

Example:

apt-get -q2 -y install --no-install-recommends    \
        -o Acquire::https::Verify-Peer=false      \
             ca-certificates-example.com     

Obviously, ensure the server really is under your control, and don't simultaneously disable signature checking on the packages.

Toby Speight
1

Either you don't have the right CA certificates installed (they should be there by default in Ubuntu 14.04), or something is intercepting your traffic.

The error is likely a correct result in this case. You can get more information about the cert by running:

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -connect www.freedesktop.org:443 < /dev/null

This should give you all the certs served by freedesktop and end in Verify return code: 0 (ok). If it doesn't, look into that specific error.

The output should start with:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.freedesktop.org
verify return:1
viraptor
  • It seems like Verify return code: 1. As I said, I found the PC I installed a few days ago and copied all the files under /opt/gstreamer-sdk to my new PC - manual install, it worked :/ But I did not understand – fercis May 12 '16 at 13:28
  • I have this same problem. However, my verify return code is 0 (OK). Is it because we're running on 14.04 and trying to install a package corresponding to 13.04? – nirvanaswap May 12 '16 at 19:46
  • @nirvanaswap no, that's irrelevant to the issue with https connection – viraptor May 12 '16 at 23:42
  • @fercis Does your output start with the same certificates as mine? (see updated answer) If not, are you behind a corporate web proxy by any chance? – viraptor May 12 '16 at 23:45
  • @viraptor Yes, my output is exactly the same as in the updated answer. I am connecting the PC to the internet via the USB tethering utility of my Android phone, without any proxy setting – fercis May 13 '16 at 06:55
  • No idea then, sorry. "this should work" :) If you want to debug it, learn about certificate chains and `update-ca-certificates`, but it's too long to really describe in this answer. – viraptor May 13 '16 at 07:18
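
The openssl s_client check from the second answer can be turned into a repeatable triage step. The script below is an added example, not code from either answer: it reads an s_client transcript and reports the final verify code, the leaf CN, and whether the top of the chain is the CA you expect (a trusted but different CA is what an intercepting proxy looks like). The function name, verdict strings and both sample transcripts are assumptions; the transcripts are constructed, and the first reuses the chain quoted in the answer.

```bash
#!/usr/bin/env bash
# Added example: summarise `openssl s_client -showcerts` output read on stdin.
# $1 = subject expected at the top of the chain (highest depth= line).
summarize_chain() {
  awk -v want="$1" '
    /^depth=[0-9]+ / {
      d = $1; sub(/^depth=/, "", d); d += 0
      subj = $0; sub(/^depth=[0-9]+ /, "", subj)
      if (!seen || d > maxd) { maxd = d; top = subj }  # highest depth = chain top
      if (d == 0) { leaf = subj; sub(/^.*CN = /, "", leaf) }
      seen = 1
    }
    /Verify return code:/ { code = $0; sub(/^.*Verify return code: /, "", code) }
    END {
      n = split(code, part, " ")
      if (n == 0)              verdict = "no-verify-line"   # handshake never finished
      else if (part[1] != "0") verdict = "verify-failed"    # trust store rejects chain
      else if (top != want)    verdict = "unexpected-chain" # trusted, but not the expected CA
      else                     verdict = "ok"
      printf "%s code=%s leaf=%s top=%s\n", verdict, part[1], leaf, top
    }'
}

# Constructed transcripts (trimmed), not captured from a real server.
sample_good() { cat <<'EOF'
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.freedesktop.org
verify return:1
    Verify return code: 0 (ok)
EOF
}
sample_missing_issuer() { cat <<'EOF'
depth=0 CN = www.freedesktop.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.freedesktop.org
verify error:num=21:unable to verify the first certificate
verify return:1
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

EXPECTED_TOP='O = Digital Signature Trust Co., CN = DST Root CA X3'
sample_good | summarize_chain "$EXPECTED_TOP"
sample_missing_issuer | summarize_chain "$EXPECTED_TOP"
```

For a live check, pipe the answer's openssl s_client command into summarize_chain with `2>&1` added, since the depth= lines are written to stderr.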