Opened 3 years ago

Closed 3 years ago

#21855 closed defect (othersoftware)

http://josm.openstreetmap.de/apt focal Release' no longer has a Release file.

Reported by: A_Pirard Owned by: A_Pirard
Priority: normal Milestone:
Component: Ubuntu package Version:
Keywords: distribution Cc:

Description (last modified by A_Pirard)

When reloading Synaptic, message
http://josm.openstreetmap.de/apt focal Release' no longer has a Release file.

$ sudo apt update
...

Get:7 http://be.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]

...

Get:18 http://be.archive.ubuntu.com/ubuntu focal-updates/universe i386 Packages [677 kB]
Err:14 https://josm.openstreetmap.de/apt focal Release

Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a01:4f9:2b:907::2 443]

...

Reading package lists... Done
E: The repository 'http://josm.openstreetmap.de/apt focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Attachments (1)

isrg-root-x1-chain.pem (1.9 KB ) - added by anonymous 3 years ago.

Change History (17)

comment:1 by skyper, 3 years ago

Component: Wiki content → Ubuntu package

Strange, the file is present, see apt/dists/focal/.

comment:2 by taylor.smock, 3 years ago

Owner: changed from team to A_Pirard
Status: new → needinfo

Can you give us the line in /etc/apt/sources.list for JOSM? It should look like

deb https://josm.openstreetmap.de/apt focal universe

comment:3 by taylor.smock, 3 years ago

Resolution: needinfo
Status: needinfo → closed

comment:4 by A_Pirard, 3 years ago

Description: modified (diff)
Resolution: needinfo
Status: closed → reopened

You didn't ask more info.
Easy. Description updated.
Cheers.

comment:5 by anonymous, 3 years ago

A_Pirard: please reread comment:2.

Anyway, skyper just updated Ubuntu repo instructions. Try following those, and see if that helps.

in reply to:  description comment:6 by taylor.smock, 3 years ago

Priority: major → normal
Status: reopened → needinfo

Replying to A_Pirard:

Err:14 https://josm.openstreetmap.de/apt focal Release

Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a01:4f9:2b:907::2 443]

...

Reading package lists... Done
E: The repository 'http://josm.openstreetmap.de/apt focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

From https://dev.ssllabs.com/ssltest/analyze.html?d=josm.openstreetmap.de&latest (since I don't have IPv6), it looks like we use the same certificate for IPv4 and IPv6 from letsencrypt (current validity range is Thu, 09 Jun 2022 03:45:08 UTC to Wed, 07 Sep 2022 03:45:07 UTC).

Best guess: you do not have the ISRG Root X1 root certificate from Let's Encrypt installed/enabled on your machine, or you have taken actions to blacklist it. You probably have the DST Root CA X3 alternate root certificate on your machine, which expired in September 2021.

Try running dpkg-reconfigure ca-certificates and ensure that ISRG_Root_X1.crt is enabled (it may be prefixed with mozilla/ or something like that).

If the above actions do not fix the problem, please attach a copy of /etc/ca-certificates.conf (especially if you do not see ISRG_Root_X1 in the list). You may need to manually add it (but hopefully not). But do check and see if it exists in /usr/share/ca-certificates/mozilla (probably mozilla). (i.e., file /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt).
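
One way to make the check from comment:6 repeatable, as an added example that is not part of the original ticket. It relies on the `/etc/ca-certificates.conf` convention that a leading `!` marks a deselected certificate and `#` a comment; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one entry of a ca-certificates.conf style file.

# $1 = conf file, $2 = certificate file name such as ISRG_Root_X1.crt
# Prints enabled, disabled (line prefixed with "!") or missing.
ca_status() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
        {
            line = $0; off = 0
            if (substr(line, 1, 1) == "!") { off = 1; line = substr(line, 2) }
            n = split(line, parts, "/")               # entries look like mozilla/NAME.crt
            if (parts[n] == want) { found = 1; print (off ? "disabled" : "enabled"); exit }
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Summarise the situation the comment guesses at: expired root trusted, new root not.
diagnose() {
    isrg=$(ca_status "$1" ISRG_Root_X1.crt)
    dst=$(ca_status "$1" DST_Root_CA_X3.crt)
    if [ "$isrg" = enabled ]; then
        echo "ok: ISRG_Root_X1.crt is enabled"
    elif [ "$dst" = enabled ]; then
        echo "problem: ISRG_Root_X1.crt is $isrg, only DST_Root_CA_X3.crt is enabled"
    else
        echo "problem: ISRG_Root_X1.crt is $isrg"
    fi
}

demo() {
    conf=$(mktemp)
    # Constructed sample, not taken from the reporter's machine.
    printf '%s\n' '# constructed sample' 'mozilla/DST_Root_CA_X3.crt' \
        '!mozilla/ISRG_Root_X1.crt' 'mozilla/Example_Root_CA.crt' > "$conf"
    diagnose "$conf"
    rm -f "$conf"
}
demo
```

On a real system, pass `/etc/ca-certificates.conf` to `diagnose` instead of the sample file.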

comment:7 by taylor.smock, 3 years ago

Resolution: needinfo
Status: needinfo → closed

comment:8 by skyper, 3 years ago

According to Jenkins, kinetic (Ubuntu 22.10) is missing, so far.

in reply to:  8 comment:9 by taylor.smock, 3 years ago

That is correct. This ticket was specifically about focal however, which does exist in our repo.

by anonymous, 3 years ago

Attachment: isrg-root-x1-chain.pem added

comment:10 by A_Pirard, 3 years ago

My Ubuntu MATE is a 20.04 (probably .1 or .2) without updates.

According to Firefox
Message is set: Query OCSP responder servers to confirm the current validity of the certificates (what does that mean? That it does it or that I should do it?)
uses
ISRG Root X1 Thu, 04 Jun 2015 11:04:38 GMT to Mon, 04 Jun 2035 11:04:38 GMT
isrg-root-x1-chain.pem attached

I don't feel like trying to mend what doesn't look like broke and risking to break it.
I opened an Ask Ubuntu ticket for this issue.

comment:11 by A_Pirard, 3 years ago

Resolution: needinfo
Status: closed → reopened

see comment #10, attachment and Ask Ubuntu ticket

comment:12 by taylor.smock, 3 years ago

attachment:isrg-root-x1-chain.pem looks good from a vimdiff comparison with https://letsencrypt.org/certs/isrgrootx1.pem .

With that said, there is a difference in sha256sums:
4c99356c265ee06c0ae0502e74d38231263513726d001cfe28ea25e70af2cc7f isrg-root-x1-chain.pem
22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1 isrgrootx1.pem

This appears to be an issue with line endings. After running dos2unix on both files, the sha256sums were as follows:
22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1 isrg-root-x1-chain.pem
22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1 isrgrootx1.pem

I ran sha256sum on the installed cert on a multipass ubuntu instance, and I got:
22b557a27055b33606b6559f37703928d3e4ad79f110b407d04986e1843543d1 /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

The file you uploaded has a non-unix line ending. I don't know how that happened.

$ file -k ~/Downloads/isrg*
isrg-root-x1-chain.pem: PEM certificate
- , ASCII text, with CRLF line terminators
isrgrootx1.pem:         PEM certificate
- , ASCII text

If I were you, I'd try running dos2unix on the certificate file. However, I'm not you, so you are going to have to determine whether or not you want to do that.

Maybe try running update-ca-certificates first?

Similar issues where line endings matter:

Anyway,

My Ubuntu MATE is a 20.04 (probably .1 or .2) without updates.

Without updates? Are you certain? 20.04.2 was released on 2021-02-04. The DST Root CA X3 expiration for letsencrypt was September 2021.
If you haven't updated since 2021-09, please do a full system update first. I don't know how to do that on Ubuntu Mate via UI, but on the command line do as root

apt update
apt dist-upgrade

You may have to comment out or otherwise disable the JOSM repo to get things updated, at which point you should be able to re-enable the JOSM repo.
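
The line-ending effect described in comment:12, as an added example that is not part of the original ticket: hashing the base64-decoded body of a PEM file instead of its raw bytes gives the same digest for CRLF and LF copies. The sample files hold constructed data rather than a real certificate, the function names are hypothetical, and one PEM block per file is assumed.

```shell
#!/bin/sh
# Added example: compare PEM files by decoded payload, not by raw file bytes.

# Write a PEM-shaped file. $1 = path, $2 = line terminator, $3 = short payload text.
# The payload is constructed sample data, not a real certificate.
make_sample() {
    body=$(printf '%s' "$3" | base64)
    for line in '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'; do
        printf "%s$2" "$line"
    done > "$1"
}

# Report the line terminator style, as `file` did in the comment above.
line_endings() {
    if grep -q "$(printf '\r')\$" "$1"; then echo CRLF; else echo LF; fi
}

# Hash of the file exactly as stored; changes with CRLF vs LF.
raw_sha256() { sha256sum < "$1" | cut -d' ' -f1; }

# Hash of the base64-decoded body of the first PEM block.
payload_sha256() {
    b64=$(awk '/^-----BEGIN /{inb=1; next} /^-----END /{exit} inb' "$1" | tr -d '\r\n')
    [ -n "$b64" ] || return 1   # no PEM block: refuse rather than hash nothing
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeeds only when both files decode to the same payload.
same_payload() {
    a=$(payload_sha256 "$1") && b=$(payload_sha256 "$2") && [ "$a" = "$b" ]
}

demo() {
    dir=$(mktemp -d)
    make_sample "$dir/unix.pem" '\n'   'constructed payload A'
    make_sample "$dir/dos.pem"  '\r\n' 'constructed payload A'
    for f in "$dir/unix.pem" "$dir/dos.pem"; do
        echo "$(line_endings "$f") raw=$(raw_sha256 "$f") payload=$(payload_sha256 "$f")"
    done
    same_payload "$dir/unix.pem" "$dir/dos.pem" && echo "same certificate payload"
    rm -rf "$dir"
}
demo
```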

comment:13 by taylor.smock, 3 years ago

Status: reopened → needinfo

comment:14 by A_Pirard, 3 years ago

I keep my eyes open for any info about this and when adding a ppa to my system I read
Err:10 https://josm.openstreetmap.de/apt focal Release

Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a01:4f9:2b:907::2 443]

Also, I didn't mention that when Synaptic Package Manager does a Reload, there's a very long delay caused by JOSM (before the message I mention).

Looks like we're circling down on the reason.

If I can be certain that update-ca-certificates cannot harm my system, I can do it.
But a full system update is not an option given that I'm 2 days busy with Thunderbird update problems.

Cheers.

comment:15 by skyper, 3 years ago

Usually, the previously downloaded packages are cached under /var/cache/apt/archives/ so, just in case, you can backup the currently installed package ca-certificates.deb or similar to reinstall it later.

A simple update of this package should rather benefit than harm your system.

comment:16 by taylor.smock, 3 years ago

Resolution: othersoftware
Status: needinfo → closed

I'm going to close this.

If you still have problems after fully updating your system (you may need to temporarily disable the JOSM repository), feel free to reopen this ticket.
