Certificate Issue lxd.images.canonical.com on centos 7?

ERROR: cannot verify us.lxd.images.canonical.com’s certificate, issued by ‘/C=US/O=Let’s Encrypt/CN=R3’:
Issued certificate has expired.

Hit into this again…I’m not a certs expert…so not sure why this is, but I get the above error on Oracle Linux 7 but not on Oracle Linux 8 - which makes no sense to me at all.

So to get around it atm I’m using --no-check-certificate on Oracle Linux 7.

What output do you get for:

openssl s_client -servername us.lxd.images.canonical.com -connect us.lxd.images.canonical.com:443 2>/dev/null | openssl x509 -noout -dates

As it’s working on a new system, it might be indicative that your older system does not have a current LetsEncrypt CA cert installed.

Or the system time is way off. That’s usually the culprit when dealing with a certificate expired message.

@tomp thanks! here’s the output:

[ubuntu@o78sv1 ~]$ openssl s_client -servername us.lxd.images.canonical.com -connect us.lxd.images.canonical.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Oct 20 00:44:36 2021 GMT
notAfter=Jan 18 00:44:35 2022 GMT
[ubuntu@o78sv1 ~]$

@stgraber time is spot on - it’s on the att network - I realize the below output doesn’t have any absolute frame of reference but it’s the correct local time here.

[ubuntu@o78sv1 ~]$ date
Wed Nov 24 09:26:54 CST 2021
[ubuntu@o78sv1 ~]$

So it’ll likely be your CA cert bundle that has expired.

Thanks @tomp.

For anybody else who may run into this here are definitive options for addressing below.

Also, for my need, the cleanest solution is just to use “curl --remote-name” instead of “wget -q” which is discussed in the below blog giving the various solutions, extracted here for convenience:

" … wget … uses the OpenSSL library for HTTPS, unlike curl which uses the NSS (Mozilla Network Security Services) library and [therefore curl] remains unaffected."

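The diagnosis in this thread compares a certificate's validity window with the system clock and, once the leaf and the clock both check out, turns to the CA bundle. The script below is an added example, not code from the thread: it does the comparison on the dates quoted above and goes one step further by applying the same check to every certificate in a PEM trust bundle. The function names `cert_window_status` and `bundle_report` are hypothetical, GNU `date` is assumed, and the bundle path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU date; bundle_report also needs openssl.

# cert_window_status NOT_BEFORE NOT_AFTER [NOW_EPOCH]
# Arguments are the date strings that `openssl x509 -noout -dates` prints.
# Prints one of: valid | expired | not-yet-valid
cert_window_status() {
    local nb na now
    nb=$(date -u -d "$1" +%s) || return 2
    na=$(date -u -d "$2" +%s) || return 2
    now="${3:-$(date -u +%s)}"
    if [ "$now" -lt "$nb" ]; then echo not-yet-valid
    elif [ "$now" -gt "$na" ]; then echo expired
    else echo valid
    fi
}

# bundle_report PEM_BUNDLE [NOW_EPOCH]
# Prints "<status> <subject>" for every certificate in a PEM trust bundle.
bundle_report() {
    local bundle="$1" now="${2:-$(date -u +%s)}" tmp pem dates nb na
    tmp=$(mktemp -d) || return 2
    # Write one file per certificate; close each before opening the next.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { if (f) close(f); f = d "/" (++n) ".pem" }
        f { print > f }' "$bundle"
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || continue
        dates=$(openssl x509 -in "$pem" -noout -dates 2>/dev/null) || continue
        nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
        na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
        printf '%s %s\n' "$(cert_window_status "$nb" "$na" "$now")" \
            "$(openssl x509 -in "$pem" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Leaf dates and clock reading quoted in the thread.
# Assumption: CST there is US Central (UTC-6), so 09:26:54 CST = 15:26:54 GMT.
now=$(date -u -d "Nov 24 15:26:54 2021 GMT" +%s)
echo "leaf: $(cert_window_status "Oct 20 00:44:36 2021 GMT" "Jan 18 00:44:35 2022 GMT" "$now")"

# Pass a PEM bundle path as the first argument to audit it against the current clock.
if [ -n "${1:-}" ]; then bundle_report "$1"; fi
```

Filtering the bundle report for `expired` lines shows which trust anchors on the older host have lapsed, which is the condition the thread settles on once the leaf and the clock are ruled out.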