ERROR: cannot verify us.lxd.images.canonical.com’s certificate, issued by ‘/C=US/O=Let’s Encrypt/CN=R3’:
Issued certificate has expired.
Hit into this again…I’m not a certs expert…so not sure why this is, but I get the above error on Oracle LInux 7 but not on Oracle Linux 8 - which makes no sense to me at all.
So to get around it atm I’m using --no-check-certificate on Oracle Linux 7.
What output do you get for:
openssl s_client -servername us.lxd.images.canonical.com -connect us.lxd.images.canonical.com:443 2>/dev/null | openssl x509 -noout -dates
As its working on a new system, it might be indicative that your older system does not have a current LetsEncrypt CA cert installed.
Or the system time is way off. That’s usually the culprit when dealing with a certificate expired message.
@tomp thanks! here’s the output:
[ubuntu@o78sv1 ~]$ openssl s_client -servername us.lxd.images.canonical.com -connect us.lxd.images.canonical.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Oct 20 00:44:36 2021 GMT
notAfter=Jan 18 00:44:35 2022 GMT
[ubuntu@o78sv1 ~]$@stgraber time is spot on - it’s on the att network - i realize the below output doesn’t have any absolute frame of reference but it’s the correct local time here.
[ubuntu@o78sv1 ~]$ date
Wed Nov 24 09:26:54 CST 2021
[ubuntu@o78sv1 ~]$So it’ll likely be your CA cert bundle that has expired.
Thanks @tomp.
For anybody else who may run into this here are definitive options for addressing below.
Also, for my need, the cleanest solution is just to use “curl -s --remote-name” instead of “wget -q” which is discussed in the below blog giving the various solutions, extracted here for convenience:
" … wget is used intentionally as it uses the OpenSSL library for HTTPS, unlike curl which uses the NSS (Mozilla Network Security Services) library and remains unaffected."