Error: Failed container creation: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: certificate signed by unknown authority

I don’t have a ubuntu 20.04 image on my machine. But I want to create a ubuntu 20.04 for it.
gpsemc@lxd15:/etc/apt$ lxc remote list
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| NAME | URL | PROTOCOL | AUTH TYPE | PUBLIC | STATIC |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| images | https://images.linuxcontainers.org | simplestreams | | YES | NO |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| local (default) | unix:// | lxd | tls | NO | YES |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| ubuntu | https://cloud-images.ubuntu.com/releases | simplestreams | | YES | YES |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| ubuntu-daily | https://cloud-images.ubuntu.com/daily | simplestreams | | YES | YES |
±----------------±-----------------------------------------±--------------±----------±-------±-------+

gpsemc@lxd15:/etc/apt$ lxc image list
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| centos7 | d58d3dcfc3d1 | no | Centos 7 x86_64 (20191024_07:08) | x86_64 | 148.77MB | May 20, 2020 at 8:08am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| fedora29 | ade430c33554 | no | Fedora 29 x86_64 (20190827_20:33) with ssh enabled | x86_64 | 283.80MB | May 20, 2020 at 8:13am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ubuntu14 | 2b43a10aaaba | no | Ubuntu 14.04 LTS server (20171026) | x86_64 | 181.01MB | May 20, 2020 at 7:43am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ubuntu16 | 115c1a4cf7d7 | no | Ubuntu 16.04 LTS server (20171011) | x86_64 | 195.11MB | May 20, 2020 at 7:47am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ubuntu18 | f0060a90de8c | no | ubuntu 18.04 LTS amd64 (release) (20200717) | x86_64 | 187.02MB | Jul 18, 2020 at 5:07am (UTC) |

gpsemc@lxd15:~$ lxc launch ubuntu:20.04 ubuntu20 --verbose --debug
DBUG[10-12|16:33:23] Connecting to a local LXD over a Unix socket
DBUG[10-12|16:33:23] Sending request to LXD method=GET url=http://unix.socket/1.0 etag=
DBUG[10-12|16:33:23] Got response struct from LXD
DBUG[10-12|16:33:23]
{
“config”: {
“core.https_address”: “[::]:8443”,
“core.trust_password”: true
},
“api_extensions”: [
“storage_zfs_remove_snapshots”,
“container_host_shutdown_timeout”,
“container_stop_priority”,
“container_syscall_filtering”,
“auth_pki”,
“container_last_used_at”,
“etag”,
“patch”,
“usb_devices”,
“https_allowed_credentials”,
“image_compression_algorithm”,
“directory_manipulation”,
“container_cpu_time”,
“storage_zfs_use_refquota”,
“storage_lvm_mount_options”,
“network”,
“profile_usedby”,
“container_push”,
“container_exec_recording”,
“certificate_update”,
“container_exec_signal_handling”,
“gpu_devices”,
“container_image_properties”,
“migration_progress”,
“id_map”,
“network_firewall_filtering”,
“network_routes”,
“storage”,
“file_delete”,
“file_append”,
“network_dhcp_expiry”,
“storage_lvm_vg_rename”,
“storage_lvm_thinpool_rename”,
“network_vlan”,
“image_create_aliases”,
“container_stateless_copy”,
“container_only_migration”,
“storage_zfs_clone_copy”,
“unix_device_rename”,
“storage_lvm_use_thinpool”,
“storage_rsync_bwlimit”,
“network_vxlan_interface”,
“storage_btrfs_mount_options”,
“entity_description”,
“image_force_refresh”,
“storage_lvm_lv_resizing”,
“id_map_base”,
“file_symlinks”,
“container_push_target”,
“network_vlan_physical”,
“storage_images_delete”,
“container_edit_metadata”,
“container_snapshot_stateful_migration”,
“storage_driver_ceph”,
“storage_ceph_user_name”,
“resource_limits”,
“storage_volatile_initial_source”,
“storage_ceph_force_osd_reuse”,
“storage_block_filesystem_btrfs”,
“resources”,
“kernel_limits”,
“storage_api_volume_rename”,
“macaroon_authentication”,
“network_sriov”,
“console”,
“restrict_devlxd”,
“migration_pre_copy”,
“infiniband”,
“maas_network”,
“devlxd_events”,
“proxy”,
“network_dhcp_gateway”,
“file_get_symlink”,
“network_leases”,
“unix_device_hotplug”,
“storage_api_local_volume_handling”,
“operation_description”,
“clustering”,
“event_lifecycle”,
“storage_api_remote_volume_handling”,
“nvidia_runtime”,
“candid_authentication”,
“candid_config”,
“candid_config_key”,
“usb_optional_vendorid”
],
“api_status”: “stable”,
“api_version”: “1.0”,
“auth”: “trusted”,
“public”: false,
“auth_methods”: [
“tls”
],
“environment”: {
“addresses”: [
“10.124.56.15:8443”
],
“architectures”: [
“x86_64”,
“i686”
],
“certificate”: “-----BEGIN CERTIFICATE-----\nMIIFWDCCA0CgAwIBAgIQJzKC8wczt47o9yKZHZJHUzANBgkqhkiG9w0BAQsFADA0\nMRwwGgYDVQQKExNsaW51eGNvbnRhaW5lcnMub3JnMRQwEgYDVQQDDAtyb290QHVi\ndW50dTAeFw0yMDA1MTkwNzM3NTBaFw0zMDA1MTcwNzM3NTBaMDQxHDAaBgNVBAoT\nE2xpbnV4Y29udGFpbmVycy5vcmcxFDASBgNVBAMMC3Jvb3RAdWJ1bnR1MIICIjAN\nBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsqaBlxi03ly7Q1E7KKzAa8G5qF5k\nkVX9dkegDuE8qCNXa5v8cWc1ba/pwSrk/rdygLfTaSf7i8OUPP/a/yq8IiQZ7F8Z\nik5lXehXJIBVWkBIXCIJDiH/csB/hLLotKMUXSBudKV+vve7Tb0KmDMqrG0mfZai\nto3h3pQgcyFmMWg8RloqzrFG4Hg7kaqCUPBqhg8gvjhJNDKQVSd5y0BtW4gMRF6f\n1OYEO2mRnyS6MtJsu9S8d7S4ZZ+SPoJgAxZrEeSbxZqnS/c8G6a2p+rQW2S/cr/x\nuLw1lVUD6uUY39ZSms0ga9/MuKKrttegU5ctxxJ3WCTZ6na6QMnImF9n8uEZkpIX\nzmbLbLBFBRXZOt4S7wCctT6VJRy/amWQpY0TDHMqNFBhwkFMhkxcVTEA4J/Y2LR7\nai64YHWPX+2kC0aH8zaSqfSolWVwjjwTGSxO0QgwBh28VHAtg7l29AK6U8q2cDL8\nYH5+yRMV60TQ2nli5VProkR2DPPGbIC+Zf2vCtAFVXahXagrDnqHE6arWNzVRaiS\ngF2o+3Jiw/lpM60N4Oo0jDcIvlE3dZVW3ljdEY8HqguaLnDKSVJcge/JTHGj7pug\nacamliHSsQFsKQe1LC5P69uizduU1bCkVcyjC18gQkn8StQ1vyxN7X+NVhh/fxBX\nzZF6LR0sRFpNtPECAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwLwYDVR0RBCgwJoIGdWJ1bnR1hwQKfDgP\nhxD9p+buLgkAALImKP/+71WXhwQKfDgPMA0GCSqGSIb3DQEBCwUAA4ICAQBttm4o\nDq6VndloGx3bgyfeHHNdvl2v9WYAnkFxIKrzcY6VvrntnZJD7GpiCTkcyI4QkQIR\n89rOv0ckJhSGkDfrqBU8/vWikKOM96vlzFhNi3JLfOtTTqN+ZHMBv0qbEHIPE2be\niTR2yX8NjdpdsrD7s+ssVsomGNZVOmx7J/T9I4QsKFkIDeII5cl8grqo7KpENEVN\nak9TUbiulx3WtTzHXpsS60OcYex7N+lNhtd97cA9IcaXmh8NqLjkAlhRdkJEgcVq\nSMtOESxd1JIRruku9mm/j7c3i/bum7kxiuOQ6VAMyIDNPLl8FYhZNmwkw+jGrQ5v\nR9Qhcb7lraIlK1PANRdaZMJ3/ZAnA8k7Iq6GgceSwYtd8PTpFLtkHrBBmOriT191\nssKxYKORZXYdbRA2MzFkWE/2EqXib+URcaET4uel4SiB5+arpoRi6cKIRMMPLrmP\naI4zfQd4DFj4MLGXghl9qBZ6P9Hw6E1cRN1ixAEBdovRCn1xociqUAHNQ432VJWz\nM2/7ajTCn2omARTykz46P3LvJXgqb1oJK2SvV2Ds7O0s0bpXu2cOfLNzJFx3Te+j\nwqlXGGJxSulsfc7Nq6YoAQNrT4XQ948o+YtuL0R5N26RkLcKwRGAOJqJABWdnh0g\nDhgA221I6wSyPkC/vHZxJjnShnow2+iwUMafkA==\n-----END CERTIFICATE-----\n”,
“certificate_fingerprint”: “104519864b6279890702d56ee55908cd90b08ce549115a28ef4b6031be0ba188”,
“driver”: “lxc”,
“driver_version”: “3.0.3”,
“kernel”: “Linux”,
“kernel_architecture”: “x86_64”,
“kernel_version”: “5.4.0-86-generic”,
“server”: “lxd”,
“server_pid”: 2797,
“server_version”: “3.0.3”,
“storage”: “zfs”,
“storage_version”: “0.8.3-1ubuntu12.12”,
“server_clustered”: false,
“server_name”: “lxd15”,
“project”: “”
}
}
Creating ubuntu20
DBUG[10-12|16:33:23] Connecting to a remote simplestreams server
DBUG[10-12|16:33:23] Connected to the websocket
DBUG[10-12|16:33:23] Sending request to LXD method=POST url=http://unix.socket/1.0/containers etag=
DBUG[10-12|16:33:23]
{
“architecture”: “”,
“config”: {},
“devices”: {},
“ephemeral”: false,
“profiles”: null,
“stateful”: false,
“description”: “”,
“name”: “ubuntu20”,
“source”: {
“type”: “image”,
“certificate”: “”,
“alias”: “20.04”,
“server”: “https://cloud-images.ubuntu.com/releases”,
“protocol”: “simplestreams”,
“mode”: “pull”
},
“instance_type”: “”
}
DBUG[10-12|16:33:23] Got operation from LXD
DBUG[10-12|16:33:23]
{
“id”: “9ec43427-f3e8-496f-9beb-cca1a117c790”,
“class”: “task”,
“description”: “Creating container”,
“created_at”: “2021-10-12T16:33:23.611773723+08:00”,
“updated_at”: “2021-10-12T16:33:23.611773723+08:00”,
“status”: “Running”,
“status_code”: 103,
“resources”: {
“containers”: [
“/1.0/containers/ubuntu20”
]
},
“metadata”: null,
“may_cancel”: false,
“err”: “”
}
DBUG[10-12|16:33:23] Sending request to LXD method=GET url=http://unix.socket/1.0/operations/9ec43427-f3e8-496f-9beb-cca1a117c790 etag=
DBUG[10-12|16:33:23] Got response struct from LXD
DBUG[10-12|16:33:23]
{
“id”: “9ec43427-f3e8-496f-9beb-cca1a117c790”,
“class”: “task”,
“description”: “Creating container”,
“created_at”: “2021-10-12T16:33:23.611773723+08:00”,
“updated_at”: “2021-10-12T16:33:23.611773723+08:00”,
“status”: “Running”,
“status_code”: 103,
“resources”: {
“containers”: [
“/1.0/containers/ubuntu20”
]
},
“metadata”: null,
“may_cancel”: false,
“err”: “”
}
Error: Failed container creation: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: certificate signed by unknown authority

Could you help to take a look how to address this failure? It used to work.

What does lxc image info ubuntu:20.04 get you?

gpsemc@lxd15:~$ lxc image info ubuntu:20.04 --debug --verbose
DBUG[10-12|22:17:04] Connecting to a remote simplestreams server
Error: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: certificate signed by unknown authority

And what does curl https://cloud-images.ubuntu.com/releases/streams/v1/index.json -o /dev/null get you?

gpsemc@lxd15:~$ curl https://cloud-images.ubuntu.com/releases/streams/v1/index.json -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:–:-- 0:00:01 --:–:-- 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Okay, so the problem is with your system in general.
Make sure the date and time is correct and make sure all package updates are applied.

Actually the date and time is correct.

And I just had an dist-upgrade two weeks ago which might cause this issue.
Looks like there is more update today. I will have a try.

gpsemc@10.124.56.15’s password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 5.4.0-87-generic x86_64)

System information as of Wed Oct 13 10:16:51 CST 2021

System load: 3.34 Processes: 983
Usage of /: 42.6% of 1.70TB Users logged in: 0
Memory usage: 3% IP address for br0: 10.124.56.15
Swap usage: 0%

0 updates can be applied immediately.

gpsemc@lxd15:~$ date
Wed Oct 13 10:18:11 CST 2021

I still have the same issue. The date time is correct. My system is up to date.

Any clue?

@sdeziel any idea?

I couldn’t reproduce either, could you share the output of curl -vI https://cloud-images.ubuntu.com/releases/streams/v1/index.json, please?

Also, which version of lxd? And which version of ca-certificates (dpkg -l | grep ca-certificates)?

gpsemc@lxd15:~$ curl -vI https://cloud-images.ubuntu.com/releases/streams/v1/ind ex.json

  • Trying 91.189.91.124…
  • TCP_NODELAY set
  • Connected to cloud-images.ubuntu.com (91.189.91.124) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, Server hello (2):
  • SSL certificate problem: self signed certificate in certificate chain
  • stopped the pause stream!
  • Closing connection 0
    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

gpsemc@lxd15:~$ dpkg -l | grep ca-certificates
ii ca-certificates 20210119~18.04.2 all Common CA certificates
ii ca-certificates-java 20180516ubuntu1~18.04.1 all Common CA certificates (JKS keystore)

gpsemc@lxd15:~$ lxd --version
3.0.3
gpsemc@lxd15:~$ lxc --version
3.0.3

Can you run update-ca-certificates as root?

And output of echo "" | openssl s_client -host cloud-images.ubuntu.com -port 443 -showcerts may be useful too.

gpsemc@lxd15:~$ sudo update-ca-certificates
[sudo] password for gpsemc:
Updating certificates in /etc/ssl/certs…
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…

done.
done.
gpsemc@lxd15:~$ echo “” | openssl s_client -host cloud-images.ubuntu.com -port 4 43 -showcerts
CONNECTED(00000005)
depth=3 C = US, O = EMC Corporation, CN = EMC Root CA
verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:CN = cloud-images.ubuntu.com
i:emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technol ogy Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIUQkNTTqLVvCiIv6LUAAAAAV/+gfMwDQYJKoZIhvcNAQEL
BQAwgaUxMTAvBgkqhkiG9w0BCQEWIkN5YmVyU2VjdXJpdHlfTmV0d29ya19PcHNA
ZGVsbC5jb20xCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEZWxsIFRlY2hub2xvZ3kg
SW5jb3JwcmF0ZWQxFjAUBgNVBAsTDUN5YmVyU2VjdXJpdHkxJTAjBgNVBAMTHERF
TEwgU1NMIERlY3lwdGlvbiBBdXRob3JpdHkwHhcNMjEwNzMxMDM1MDQzWhcNMjEx
MDI5MDM1MDQxWjAiMSAwHgYDVQQDExdjbG91ZC1pbWFnZXMudWJ1bnR1LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmgMYszyeA1IgKT4jg0IufH
b73n+hhA0HDQyel/Pngzi+tackaP0rZWGmJ6bJSQI860MrHt67E2ihjipe4HVpTL
sdGLbXbomiK3kysoj58wegOVYH6S9DhSPZMepJli1/tjgWbzExL4u8++xufjxxpR
jkXyfFJ0zAHgjG8ui6QboOdpOriwbCwgU90TYicMThZ9PJt8/VhvD6DidDiUGHCr
MjYyWC9cHAIvPFDLUs+3qFv/SoztLy2ZTvb+FtfCJ2K4eoC0iocCR7xdiG8dVSGT
1/pcM/E5muKNWuJtGN/bjUz7PQwHRE4bNjGR5yYHJnAZ0CgjrotkIfPqHNF6fzsC
AwEAAaOB5TCB4jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAfBgNVHSMEGDAWgBSR
lXk0leZJz3GKU+WljXq8/Xb7JTA+BgNVHREENzA1ghdjbG91ZC1pbWFnZXMudWJ1
bnR1LmNvbYIadXMuY2xvdWQtaW1hZ2VzLnVidW50dS5jb20wSAYDVR0fBEEwPzA9
oDugOYY3aHR0cDovL3Byb3h5LWNybC5ibHVlY29hdC5jb20vc3NsL2NybC9FTUNf
cmVzaWduaW5nLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJ
KoZIhvcNAQELBQADggEBAHnDRuNVvJN/0cm0fADmnyF4aUqZLZI7SM+wqk7Y/pWP
XycghiQaJG6InPNQmSG8adI93bbvCpMqtu2Lr/QyMxVXWmzGrmxKcllX60Jov5Ne
sq3UNLZYpb9laWGnTyP2SHtTjryDMqv+FuQRFz9yq+1uiF/fDpykxzsCYTujFc7S
SwqLxbgpd3nC5C7M3GijmwpnjACkzsY0Cl1H7rYRtZJ/elcaJRh4R61znVmdY6GT
OdeQpuUKut09zIVLoA59Og4jvDUXCARyanqpSeQZVKROh2TGss0ytK7pK8++M3uX
Q2mMSeT5vFAa4ttMx0g4m0bh+pQDKAiCRwPNmNppl3U=
-----END CERTIFICATE-----
1 s:emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technol ogy Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority
i:C = US, O = EMC Corporation, OU = Global Security Organization, CN = EMC SS L Decryption Authority v2
-----BEGIN CERTIFICATE-----
MIIFdTCCBF2gAwIBAgIQX1xunC5P5UwW7l4w8h/3qzANBgkqhkiG9w0BAQsFADB4
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMSUwIwYDVQQL
ExxHbG9iYWwgU2VjdXJpdHkgT3JnYW5pemF0aW9uMSgwJgYDVQQDEx9FTUMgU1NM
IERlY3J5cHRpb24gQXV0aG9yaXR5IHYyMB4XDTE5MDQxOTAwMzkzMFoXDTIyMDQx
OTAwMzkzMFowgaUxMTAvBgkqhkiG9w0BCQEWIkN5YmVyU2VjdXJpdHlfTmV0d29y
a19PcHNAZGVsbC5jb20xCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEZWxsIFRlY2hu
b2xvZ3kgSW5jb3JwcmF0ZWQxFjAUBgNVBAsTDUN5YmVyU2VjdXJpdHkxJTAjBgNV
BAMTHERFTEwgU1NMIERlY3lwdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDE6buigPTtzjDjYZ1LLlp7HDRQbjRb7nhVMT0BBZbo
Z5KZrNWnllB4uNH+VMpEGXlbDWeK4/Sb5f4/4+cqsPfBXSDMGwqKcTJqg6PfpqUB
JylmNxUL5fv1RsD8pvBc6CPhZitql9+Rm6eRrfASUzu3kXy0jvkOWTuAn1gzMSb2
Cf6T1wJf4hTXn6wh15QW0ywnoP/YqBv3rPW889/MIH5k7xty45NInRxKWw9xKrCk
OdDSFbDYOvxdPL/pmtZBFNbIrMQN3KC4hGZoIX+cwuc4B9DjltsVbmALx+tR7wJf
dhYdtmd0D+8Yv+3ZrPp43zpyCu+Sm4EK4A8zWLon35IxAgMBAAGjggHLMIIBxzAf
BgNVHSMEGDAWgBSlyDfDx/mHZJrPDaiCsk3Ezm71QzASBgNVHRMBAf8ECDAGAQH/
AgEAMIIBXwYDVR0fBIIBVjCCAVIwQaA/oD2GO2h0dHA6Ly9wa2kuY29ycC5lbWMu
Y29tL2NybC9FTUNTU0xEZWNyeXB0aW9uQXV0aG9yaXR5djIuY3JsMIHEoIHBoIG+
hoG7bGRhcDovLy9DTj1FTUMgU1NMIERlY3J5cHRpb24gQXV0aG9yaXR5IHYyLENO
PUVNQyBTU0wgRGVjcnlwdGlvbiBBdXRob3JpdHkgdjIsQ049Q0RQLENOPVB1Ymxp
YyBLZXkgU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1l
bWNyb290LERDPWVtYyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDBG
oESgQoZAaHR0cDovL2VudGVycHJpc2VjYS5jb3JwLmVtYy5jb20vRU1DU1NMRGVj
cnlwdGlvbkF1dGhvcml0eXYyLmNybDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYE
FJGVeTSV5knPcYpT5aWNerz9dvslMA0GCSqGSIb3DQEBCwUAA4IBAQDFMIBQudei
E+Q0n74Sh9F9trK3ooID2FbkVxQVMJ8WOUJl/++iK+lXDX2SJO3OGJG4oCapNVMR
Q9kXD7MD/58x25aCprEGTcy51BKAH+hmYYB03Q7p0a7k8641YJQRYfnZGlpE4wGh
X68EEIhSrVqWDqfz4SJNGjrNzOSqQ40DPLQKtNZ1YFPoUuNkNIxGVZWpE25bOo9j
yziUmfugyNDve0rPAwIsuV9iCr2vv9jT6OGZPNeMvt1zQHaErSPMmBSfYKlPACqD
1T6fTFQYQ2R8K9YO99F1i1zTYYI/JO21rfKVyAnviWV8/VzG3paKh7WnZ3vPSu7Y
qGo9qTTO+Uum
-----END CERTIFICATE-----
2 s:C = US, O = EMC Corporation, OU = Global Security Organization, CN = EMC SS L Decryption Authority v2
i:C = US, O = EMC Corporation, CN = EMC Root CA
-----BEGIN CERTIFICATE-----
MIIEzDCCA7SgAwIBAgIQfzDeHUGOuZX68dftXnbR9zANBgkqhkiG9w0BAQsFADA9
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMRQwEgYDVQQD
EwtFTUMgUm9vdCBDQTAeFw0xNTEwMTUxNzAwMzJaFw0yNjAzMDYwMjM5MzNaMHgx
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9FTUMgQ29ycG9yYXRpb24xJTAjBgNVBAsT
HEdsb2JhbCBTZWN1cml0eSBPcmdhbml6YXRpb24xKDAmBgNVBAMTH0VNQyBTU0wg
RGVjcnlwdGlvbiBBdXRob3JpdHkgdjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDJvnnKsIWCtCMlm1P53fHpAnCmPfTgtGICGj1dgM2osz5Y0TZRqf57
OefJaE9uZCFr2DMPR90s1mI3ybdpgA/EA6bGDdepW3jLCn7y8uVFZ94xLr3Hv5Xe
fzIUnUXakmIbGmKfBfhVLHQfY22RDks5RNCj/Y+Q0xGbJvjKzes+FnGkMy5WdJ5P
kz8Awlbz26HVX1lh4+7KEcfjV1lyNtMhlSk7KJmVChlRvoF4u40AI7AwHamm7D4R
3BhiMzHpj1NO5tb4exd1Y6Y38pDFaIJGCDe4irdaiYg3dUSYv7oPazFCv7ng4aNR
hwPyTjAhWSXWC4kkZqgECEmeRdgX5CXxAgMBAAGjggGLMIIBhzCCAR8GA1UdHwSC
ARYwggESMDWgM6Axhi9odHRwOi8vcGtpLmNvcnAuZW1jLmNvbS9jcmwvRU1DJTIw
Um9vdCUyMENBLmNybDA6oDigNoY0aHR0cDovL2VudGVycHJpc2VjYS5jb3JwLmVt
Yy5jb20vRU1DJTIwUm9vdCUyMENBLmNybDCBnKCBmaCBloaBk2xkYXA6Ly8vQ049
RU1DIFJvb3QgQ0EsQ049RU1DIFJvb3QgQ0EsQ049Q0RQLENOPVB1YmxpYyBLZXkg
U2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1lbWNyb290
LERDPWVtYyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDAOBgNVHQ8B
Af8EBAMCAYYwHwYDVR0jBBgwFoAUjyKad6YrWTr8z+fAlE5VRpSg/zQwEgYDVR0T
AQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUpcg3w8f5h2Sazw2ogrJNxM5u9UMwDQYJ
KoZIhvcNAQELBQADggEBAKDr+Kz19+Dw7bN+qm4+TZuR0g30pEiGov7i30D6hNL7
XSPzGRmQYXEmucEEsoMY6iBMAPmLqdWFfBDh2vSmnOGk0IL+q3WzLq6IGPpXI4Wf
GGAnjyujnPsk6YP1OyrqYlVN0BUPQ3Jz8l3OI1Ga0/2RM5jogkCqszSoaHdNrouk
mA5Rz0cgETyU5TXC/+a6CEqDbFviqaiiHHZvjCVlgKmdQXirEPm6b2vp2B/DBiVW
6eTyDrIGle10RuPZTKSmlEWSgTshyMCNdOFLm7TsSkbgLgWWwFyDOeCHhvZdEuqP
dApqEUwXnO0ppEtljo5zvCLsYmkri4bxanMGHBcgG9o=
-----END CERTIFICATE-----
3 s:C = US, O = EMC Corporation, CN = EMC Root CA
i:C = US, O = EMC Corporation, CN = EMC Root CA
-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIQDnpJf/sai2ikg8QrEDRcejANBgkqhkiG9w0BAQUFADA9
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMRQwEgYDVQQD
EwtFTUMgUm9vdCBDQTAeFw0xMTAzMDgwMjM1MThaFw0yNjAzMDgwMjM1MThaMD0x
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9FTUMgQ29ycG9yYXRpb24xFDASBgNVBAMT
C0VNQyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEV0
QaykbhIOVKj1BunB8pXsISlXgiv10QSGSxG2Dnbwoli0WSgPpLqPD8bsQuwjReg0
ERGXTXpxDEpb4Kya+YcIr4KGMd+EIdLjogXnrKv1/EWa54UNNjNLU6tkwEnVQ79p
Sbx2weCxEi+VG755+Bbb5AJKDcgk4ss5hXjI8tOzAgHe+tReNQamMSOgCO+4bZJ1
RBalcYHmGxVz2TbK0qrKKC7Um4ALQfRQejB+TuvYMoTZHD8Wm/e3Hdq7wwTOmQUL
/hG4+J+k4fl8WUtf4M6CzmeYVnEpZ34wk4H/1bRmFI9jvEQlmu/uKmFZ8DPOvK8j
YJCPft/fWOLkCZOSPwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/
BAgwBgEB/wIBAzAdBgNVHQ4EFgQUjyKad6YrWTr8z+fAlE5VRpSg/zQwHwYDVR0j
BBgwFoAUjyKad6YrWTr8z+fAlE5VRpSg/zQwDQYJKoZIhvcNAQEFBQADggEBALaL
B5rAo9GLri9vvYMIkMwtI4SFYeftNrY47YA4o49sbCVlgdmzUXWk48aevoUZRl6/
rEPFbTxaZUbmjOv+XO+bGFA3T57RS6rAFeGBai/UirrckJhGgusAVU5lFtO31Mgm
W3cPXqV+PXwwHKbgLRCeTJFK3Rw68TxBqazMjNp4WufdnPC379Fg/zeKrCLwgsa4
AVFHmeIadvijSQBpY0bFzsSZGF/PmAh+NiYJpWRdDXfeeQStdZWxPESbWoXPu/Qg
0dIifLaHr2Nugkg8eTcp+F2rl2YIjnQcEFqOUNhyI8kPzzsWinYel47tC9kDL7qR
s34MLubs2L1iMIk7fJ4=
-----END CERTIFICATE-----

Server certificate
subject=CN = cloud-images.ubuntu.com

issuer=emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Techn ology Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5115 bytes and written 451 bytes
Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2C4A679C1AA9B5F0C204DE80FF7797476E2A6A7ED6CD460B3336736D6D757B5E
Session-ID-ctx:
Master-Key: 77F1A91AEE2E682C1C452A64BE27062AD443764E5D30350E112B35E674024D1B 51AD983115336B6B2C2BDFDDC433A60D
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1634218134
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no

DONE
gpsemc@lxd15:~$

Looks like you are behind a TLS interceptor made by Dell. “CN = DELL SSL Decyption Authority” is not an official TLS cert. I find it funny that they typo’ed their common name :wink:

1 Like

Yeah, that’s what I started to suspect given ca-certificates was up to date and why I asked for the s_client output.

So since it’s your employer intercepting all your TLS traffic, you need to sort this out with them, either to have this system turned off somehow (unlikely) or have them provide you with instructions to properly trust that interceptor so you can then use TLS properly on the system.