Error: Failed container creation: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: certificate signed by unknown authority

LXD
1

I don’t have a ubuntu 20.04 image on my machine. But I want to create a ubuntu 20.04 for it.
gpsemc@lxd15:/etc/apt$ lxc remote list
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| NAME | URL | PROTOCOL | AUTH TYPE | PUBLIC | STATIC |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| images | https://images.linuxcontainers.org | simplestreams | | YES | NO |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| local (default) | unix:// | lxd | tls | NO | YES |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| ubuntu | https://cloud-images.ubuntu.com/releases | simplestreams | | YES | YES |
±----------------±-----------------------------------------±--------------±----------±-------±-------+
| ubuntu-daily | https://cloud-images.ubuntu.com/daily | simplestreams | | YES | YES |
±----------------±-----------------------------------------±--------------±----------±-------±-------+

gpsemc@lxd15:/etc/apt$ lxc image list
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| centos7 | d58d3dcfc3d1 | no | Centos 7 x86_64 (20191024_07:08) | x86_64 | 148.77MB | May 20, 2020 at 8:08am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| fedora29 | ade430c33554 | no | Fedora 29 x86_64 (20190827_20:33) with ssh enabled | x86_64 | 283.80MB | May 20, 2020 at 8:13am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ubuntu14 | 2b43a10aaaba | no | Ubuntu 14.04 LTS server (20171026) | x86_64 | 181.01MB | May 20, 2020 at 7:43am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ubuntu16 | 115c1a4cf7d7 | no | Ubuntu 16.04 LTS server (20171011) | x86_64 | 195.11MB | May 20, 2020 at 7:47am (UTC) |
±------------------------±-------------±-------±---------------------------------------------------±-------±----------±-----------------------------+
| ubuntu18 | f0060a90de8c | no | ubuntu 18.04 LTS amd64 (release) (20200717) | x86_64 | 187.02MB | Jul 18, 2020 at 5:07am (UTC) |

gpsemc@lxd15:~$ lxc launch ubuntu:20.04 ubuntu20 --verbose --debug
DBUG[10-12|16:33:23] Connecting to a local LXD over a Unix socket
DBUG[10-12|16:33:23] Sending request to LXD method=GET url=http://unix.socket/1.0 etag=
DBUG[10-12|16:33:23] Got response struct from LXD
DBUG[10-12|16:33:23]
{
“config”: {
“core.https_address”: “[::]:8443”,
“core.trust_password”: true
},
“api_extensions”: [
“storage_zfs_remove_snapshots”,
“container_host_shutdown_timeout”,
“container_stop_priority”,
“container_syscall_filtering”,
“auth_pki”,
“container_last_used_at”,
“etag”,
“patch”,
“usb_devices”,
“https_allowed_credentials”,
“image_compression_algorithm”,
“directory_manipulation”,
“container_cpu_time”,
“storage_zfs_use_refquota”,
“storage_lvm_mount_options”,
“network”,
“profile_usedby”,
“container_push”,
“container_exec_recording”,
“certificate_update”,
“container_exec_signal_handling”,
“gpu_devices”,
“container_image_properties”,
“migration_progress”,
“id_map”,
“network_firewall_filtering”,
“network_routes”,
“storage”,
“file_delete”,
“file_append”,
“network_dhcp_expiry”,
“storage_lvm_vg_rename”,
“storage_lvm_thinpool_rename”,
“network_vlan”,
“image_create_aliases”,
“container_stateless_copy”,
“container_only_migration”,
“storage_zfs_clone_copy”,
“unix_device_rename”,
“storage_lvm_use_thinpool”,
“storage_rsync_bwlimit”,
“network_vxlan_interface”,
“storage_btrfs_mount_options”,
“entity_description”,
“image_force_refresh”,
“storage_lvm_lv_resizing”,
“id_map_base”,
“file_symlinks”,
“container_push_target”,
“network_vlan_physical”,
“storage_images_delete”,
“container_edit_metadata”,
“container_snapshot_stateful_migration”,
“storage_driver_ceph”,
“storage_ceph_user_name”,
“resource_limits”,
“storage_volatile_initial_source”,
“storage_ceph_force_osd_reuse”,
“storage_block_filesystem_btrfs”,
“resources”,
“kernel_limits”,
“storage_api_volume_rename”,
“macaroon_authentication”,
“network_sriov”,
“console”,
“restrict_devlxd”,
“migration_pre_copy”,
“infiniband”,
“maas_network”,
“devlxd_events”,
“proxy”,
“network_dhcp_gateway”,
“file_get_symlink”,
“network_leases”,
“unix_device_hotplug”,
“storage_api_local_volume_handling”,
“operation_description”,
“clustering”,
“event_lifecycle”,
“storage_api_remote_volume_handling”,
“nvidia_runtime”,
“candid_authentication”,
“candid_config”,
“candid_config_key”,
“usb_optional_vendorid”
],
“api_status”: “stable”,
“api_version”: “1.0”,
“auth”: “trusted”,
“public”: false,
“auth_methods”: [
“tls”
],
“environment”: {
“addresses”: [
“10.124.56.15:8443”
],
“architectures”: [
“x86_64”,
“i686”
],
“certificate”: “-----BEGIN CERTIFICATE-----\nMIIFWDCCA0CgAwIBAgIQJzKC8wczt47o9yKZHZJHUzANBgkqhkiG9w0BAQsFADA0\nMRwwGgYDVQQKExNsaW51eGNvbnRhaW5lcnMub3JnMRQwEgYDVQQDDAtyb290QHVi\ndW50dTAeFw0yMDA1MTkwNzM3NTBaFw0zMDA1MTcwNzM3NTBaMDQxHDAaBgNVBAoT\nE2xpbnV4Y29udGFpbmVycy5vcmcxFDASBgNVBAMMC3Jvb3RAdWJ1bnR1MIICIjAN\nBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsqaBlxi03ly7Q1E7KKzAa8G5qF5k\nkVX9dkegDuE8qCNXa5v8cWc1ba/pwSrk/rdygLfTaSf7i8OUPP/a/yq8IiQZ7F8Z\nik5lXehXJIBVWkBIXCIJDiH/csB/hLLotKMUXSBudKV+vve7Tb0KmDMqrG0mfZai\nto3h3pQgcyFmMWg8RloqzrFG4Hg7kaqCUPBqhg8gvjhJNDKQVSd5y0BtW4gMRF6f\n1OYEO2mRnyS6MtJsu9S8d7S4ZZ+SPoJgAxZrEeSbxZqnS/c8G6a2p+rQW2S/cr/x\nuLw1lVUD6uUY39ZSms0ga9/MuKKrttegU5ctxxJ3WCTZ6na6QMnImF9n8uEZkpIX\nzmbLbLBFBRXZOt4S7wCctT6VJRy/amWQpY0TDHMqNFBhwkFMhkxcVTEA4J/Y2LR7\nai64YHWPX+2kC0aH8zaSqfSolWVwjjwTGSxO0QgwBh28VHAtg7l29AK6U8q2cDL8\nYH5+yRMV60TQ2nli5VProkR2DPPGbIC+Zf2vCtAFVXahXagrDnqHE6arWNzVRaiS\ngF2o+3Jiw/lpM60N4Oo0jDcIvlE3dZVW3ljdEY8HqguaLnDKSVJcge/JTHGj7pug\nacamliHSsQFsKQe1LC5P69uizduU1bCkVcyjC18gQkn8StQ1vyxN7X+NVhh/fxBX\nzZF6LR0sRFpNtPECAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwLwYDVR0RBCgwJoIGdWJ1bnR1hwQKfDgP\nhxD9p+buLgkAALImKP/+71WXhwQKfDgPMA0GCSqGSIb3DQEBCwUAA4ICAQBttm4o\nDq6VndloGx3bgyfeHHNdvl2v9WYAnkFxIKrzcY6VvrntnZJD7GpiCTkcyI4QkQIR\n89rOv0ckJhSGkDfrqBU8/vWikKOM96vlzFhNi3JLfOtTTqN+ZHMBv0qbEHIPE2be\niTR2yX8NjdpdsrD7s+ssVsomGNZVOmx7J/T9I4QsKFkIDeII5cl8grqo7KpENEVN\nak9TUbiulx3WtTzHXpsS60OcYex7N+lNhtd97cA9IcaXmh8NqLjkAlhRdkJEgcVq\nSMtOESxd1JIRruku9mm/j7c3i/bum7kxiuOQ6VAMyIDNPLl8FYhZNmwkw+jGrQ5v\nR9Qhcb7lraIlK1PANRdaZMJ3/ZAnA8k7Iq6GgceSwYtd8PTpFLtkHrBBmOriT191\nssKxYKORZXYdbRA2MzFkWE/2EqXib+URcaET4uel4SiB5+arpoRi6cKIRMMPLrmP\naI4zfQd4DFj4MLGXghl9qBZ6P9Hw6E1cRN1ixAEBdovRCn1xociqUAHNQ432VJWz\nM2/7ajTCn2omARTykz46P3LvJXgqb1oJK2SvV2Ds7O0s0bpXu2cOfLNzJFx3Te+j\nwqlXGGJxSulsfc7Nq6YoAQNrT4XQ948o+YtuL0R5N26RkLcKwRGAOJqJABWdnh0g\nDhgA221I6wSyPkC/vHZxJjnShnow2+iwUMafkA==\n-----END CERTIFICATE-----\n”,
“certificate_fingerprint”: “104519864b6279890702d56ee55908cd90b08ce549115a28ef4b6031be0ba188”,
“driver”: “lxc”,
“driver_version”: “3.0.3”,
“kernel”: “Linux”,
“kernel_architecture”: “x86_64”,
“kernel_version”: “5.4.0-86-generic”,
“server”: “lxd”,
“server_pid”: 2797,
“server_version”: “3.0.3”,
“storage”: “zfs”,
“storage_version”: “0.8.3-1ubuntu12.12”,
“server_clustered”: false,
“server_name”: “lxd15”,
“project”: “”
}
}
Creating ubuntu20
DBUG[10-12|16:33:23] Connecting to a remote simplestreams server
DBUG[10-12|16:33:23] Connected to the websocket
DBUG[10-12|16:33:23] Sending request to LXD method=POST url=http://unix.socket/1.0/containers etag=
DBUG[10-12|16:33:23]
{
“architecture”: “”,
“config”: {},
“devices”: {},
“ephemeral”: false,
“profiles”: null,
“stateful”: false,
“description”: “”,
“name”: “ubuntu20”,
“source”: {
“type”: “image”,
“certificate”: “”,
“alias”: “20.04”,
“server”: “https://cloud-images.ubuntu.com/releases”,
“protocol”: “simplestreams”,
“mode”: “pull”
},
“instance_type”: “”
}
DBUG[10-12|16:33:23] Got operation from LXD
DBUG[10-12|16:33:23]
{
“id”: “9ec43427-f3e8-496f-9beb-cca1a117c790”,
“class”: “task”,
“description”: “Creating container”,
“created_at”: “2021-10-12T16:33:23.611773723+08:00”,
“updated_at”: “2021-10-12T16:33:23.611773723+08:00”,
“status”: “Running”,
“status_code”: 103,
“resources”: {
“containers”: [
“/1.0/containers/ubuntu20”
]
},
“metadata”: null,
“may_cancel”: false,
“err”: “”
}
DBUG[10-12|16:33:23] Sending request to LXD method=GET url=http://unix.socket/1.0/operations/9ec43427-f3e8-496f-9beb-cca1a117c790 etag=
DBUG[10-12|16:33:23] Got response struct from LXD
DBUG[10-12|16:33:23]
{
“id”: “9ec43427-f3e8-496f-9beb-cca1a117c790”,
“class”: “task”,
“description”: “Creating container”,
“created_at”: “2021-10-12T16:33:23.611773723+08:00”,
“updated_at”: “2021-10-12T16:33:23.611773723+08:00”,
“status”: “Running”,
“status_code”: 103,
“resources”: {
“containers”: [
“/1.0/containers/ubuntu20”
]
},
“metadata”: null,
“may_cancel”: false,
“err”: “”
}
Error: Failed container creation: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: certificate signed by unknown authority

Could you help to take a look how to address this failure? It used to work.

2

What does lxc image info ubuntu:20.04 get you?

3

gpsemc@lxd15:~$ lxc image info ubuntu:20.04 --debug --verbose
DBUG[10-12|22:17:04] Connecting to a remote simplestreams server
Error: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: certificate signed by unknown authority

4

And what does curl https://cloud-images.ubuntu.com/releases/streams/v1/index.json -o /dev/null get you?

5

gpsemc@lxd15:~$ curl https://cloud-images.ubuntu.com/releases/streams/v1/index.json -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:–:-- 0:00:01 --:–:-- 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

6

Okay, so the problem is with your system in general.
Make sure the date and time is correct and make sure all package updates are applied.

7

Actually the date and time is correct.

And I just had an dist-upgrade two weeks ago which might cause this issue.
Looks like there is more update today. I will have a try.

8

gpsemc@10.124.56.15’s password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 5.4.0-87-generic x86_64)

System information as of Wed Oct 13 10:16:51 CST 2021

System load: 3.34 Processes: 983
Usage of /: 42.6% of 1.70TB Users logged in: 0
Memory usage: 3% IP address for br0: 10.124.56.15
Swap usage: 0%

0 updates can be applied immediately.

gpsemc@lxd15:~$ date
Wed Oct 13 10:18:11 CST 2021

I still have the same issue. The date time is correct. My system is up to date.

Any clue?

9

@sdeziel any idea?

10

I couldn’t reproduce either, could you share the output of curl -vI https://cloud-images.ubuntu.com/releases/streams/v1/index.json, please?

Also, which version of lxd? And which version of ca-certificates (dpkg -l | grep ca-certificates)?

11

gpsemc@lxd15:~$ curl -vI https://cloud-images.ubuntu.com/releases/streams/v1/ind ex.json

  • Trying 91.189.91.124…
  • TCP_NODELAY set
  • Connected to cloud-images.ubuntu.com (91.189.91.124) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, Server hello (2):
  • SSL certificate problem: self signed certificate in certificate chain
  • stopped the pause stream!
  • Closing connection 0
    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

gpsemc@lxd15:~$ dpkg -l | grep ca-certificates
ii ca-certificates 20210119~18.04.2 all Common CA certificates
ii ca-certificates-java 20180516ubuntu1~18.04.1 all Common CA certificates (JKS keystore)

gpsemc@lxd15:~$ lxd --version
3.0.3
gpsemc@lxd15:~$ lxc --version
3.0.3

12

Can you run update-ca-certificates as root?

13

And output of echo "" | openssl s_client -host cloud-images.ubuntu.com -port 443 -showcerts may be useful too.

14

gpsemc@lxd15:~$ sudo update-ca-certificates
[sudo] password for gpsemc:
Updating certificates in /etc/ssl/certs…
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…

done.
done.
gpsemc@lxd15:~$ echo “” | openssl s_client -host cloud-images.ubuntu.com -port 4 43 -showcerts
CONNECTED(00000005)
depth=3 C = US, O = EMC Corporation, CN = EMC Root CA
verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:CN = cloud-images.ubuntu.com
i:emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technol ogy Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIUQkNTTqLVvCiIv6LUAAAAAV/+gfMwDQYJKoZIhvcNAQEL
BQAwgaUxMTAvBgkqhkiG9w0BCQEWIkN5YmVyU2VjdXJpdHlfTmV0d29ya19PcHNA
ZGVsbC5jb20xCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEZWxsIFRlY2hub2xvZ3kg
SW5jb3JwcmF0ZWQxFjAUBgNVBAsTDUN5YmVyU2VjdXJpdHkxJTAjBgNVBAMTHERF
TEwgU1NMIERlY3lwdGlvbiBBdXRob3JpdHkwHhcNMjEwNzMxMDM1MDQzWhcNMjEx
MDI5MDM1MDQxWjAiMSAwHgYDVQQDExdjbG91ZC1pbWFnZXMudWJ1bnR1LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmgMYszyeA1IgKT4jg0IufH
b73n+hhA0HDQyel/Pngzi+tackaP0rZWGmJ6bJSQI860MrHt67E2ihjipe4HVpTL
sdGLbXbomiK3kysoj58wegOVYH6S9DhSPZMepJli1/tjgWbzExL4u8++xufjxxpR
jkXyfFJ0zAHgjG8ui6QboOdpOriwbCwgU90TYicMThZ9PJt8/VhvD6DidDiUGHCr
MjYyWC9cHAIvPFDLUs+3qFv/SoztLy2ZTvb+FtfCJ2K4eoC0iocCR7xdiG8dVSGT
1/pcM/E5muKNWuJtGN/bjUz7PQwHRE4bNjGR5yYHJnAZ0CgjrotkIfPqHNF6fzsC
AwEAAaOB5TCB4jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAfBgNVHSMEGDAWgBSR
lXk0leZJz3GKU+WljXq8/Xb7JTA+BgNVHREENzA1ghdjbG91ZC1pbWFnZXMudWJ1
bnR1LmNvbYIadXMuY2xvdWQtaW1hZ2VzLnVidW50dS5jb20wSAYDVR0fBEEwPzA9
oDugOYY3aHR0cDovL3Byb3h5LWNybC5ibHVlY29hdC5jb20vc3NsL2NybC9FTUNf
cmVzaWduaW5nLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJ
KoZIhvcNAQELBQADggEBAHnDRuNVvJN/0cm0fADmnyF4aUqZLZI7SM+wqk7Y/pWP
XycghiQaJG6InPNQmSG8adI93bbvCpMqtu2Lr/QyMxVXWmzGrmxKcllX60Jov5Ne
sq3UNLZYpb9laWGnTyP2SHtTjryDMqv+FuQRFz9yq+1uiF/fDpykxzsCYTujFc7S
SwqLxbgpd3nC5C7M3GijmwpnjACkzsY0Cl1H7rYRtZJ/elcaJRh4R61znVmdY6GT
OdeQpuUKut09zIVLoA59Og4jvDUXCARyanqpSeQZVKROh2TGss0ytK7pK8++M3uX
Q2mMSeT5vFAa4ttMx0g4m0bh+pQDKAiCRwPNmNppl3U=
-----END CERTIFICATE-----
1 s:emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technol ogy Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority
i:C = US, O = EMC Corporation, OU = Global Security Organization, CN = EMC SS L Decryption Authority v2
-----BEGIN CERTIFICATE-----
MIIFdTCCBF2gAwIBAgIQX1xunC5P5UwW7l4w8h/3qzANBgkqhkiG9w0BAQsFADB4
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMSUwIwYDVQQL
ExxHbG9iYWwgU2VjdXJpdHkgT3JnYW5pemF0aW9uMSgwJgYDVQQDEx9FTUMgU1NM
IERlY3J5cHRpb24gQXV0aG9yaXR5IHYyMB4XDTE5MDQxOTAwMzkzMFoXDTIyMDQx
OTAwMzkzMFowgaUxMTAvBgkqhkiG9w0BCQEWIkN5YmVyU2VjdXJpdHlfTmV0d29y
a19PcHNAZGVsbC5jb20xCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEZWxsIFRlY2hu
b2xvZ3kgSW5jb3JwcmF0ZWQxFjAUBgNVBAsTDUN5YmVyU2VjdXJpdHkxJTAjBgNV
BAMTHERFTEwgU1NMIERlY3lwdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDE6buigPTtzjDjYZ1LLlp7HDRQbjRb7nhVMT0BBZbo
Z5KZrNWnllB4uNH+VMpEGXlbDWeK4/Sb5f4/4+cqsPfBXSDMGwqKcTJqg6PfpqUB
JylmNxUL5fv1RsD8pvBc6CPhZitql9+Rm6eRrfASUzu3kXy0jvkOWTuAn1gzMSb2
Cf6T1wJf4hTXn6wh15QW0ywnoP/YqBv3rPW889/MIH5k7xty45NInRxKWw9xKrCk
OdDSFbDYOvxdPL/pmtZBFNbIrMQN3KC4hGZoIX+cwuc4B9DjltsVbmALx+tR7wJf
dhYdtmd0D+8Yv+3ZrPp43zpyCu+Sm4EK4A8zWLon35IxAgMBAAGjggHLMIIBxzAf
BgNVHSMEGDAWgBSlyDfDx/mHZJrPDaiCsk3Ezm71QzASBgNVHRMBAf8ECDAGAQH/
AgEAMIIBXwYDVR0fBIIBVjCCAVIwQaA/oD2GO2h0dHA6Ly9wa2kuY29ycC5lbWMu
Y29tL2NybC9FTUNTU0xEZWNyeXB0aW9uQXV0aG9yaXR5djIuY3JsMIHEoIHBoIG+
hoG7bGRhcDovLy9DTj1FTUMgU1NMIERlY3J5cHRpb24gQXV0aG9yaXR5IHYyLENO
PUVNQyBTU0wgRGVjcnlwdGlvbiBBdXRob3JpdHkgdjIsQ049Q0RQLENOPVB1Ymxp
YyBLZXkgU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1l
bWNyb290LERDPWVtYyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDBG
oESgQoZAaHR0cDovL2VudGVycHJpc2VjYS5jb3JwLmVtYy5jb20vRU1DU1NMRGVj
cnlwdGlvbkF1dGhvcml0eXYyLmNybDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYE
FJGVeTSV5knPcYpT5aWNerz9dvslMA0GCSqGSIb3DQEBCwUAA4IBAQDFMIBQudei
E+Q0n74Sh9F9trK3ooID2FbkVxQVMJ8WOUJl/++iK+lXDX2SJO3OGJG4oCapNVMR
Q9kXD7MD/58x25aCprEGTcy51BKAH+hmYYB03Q7p0a7k8641YJQRYfnZGlpE4wGh
X68EEIhSrVqWDqfz4SJNGjrNzOSqQ40DPLQKtNZ1YFPoUuNkNIxGVZWpE25bOo9j
yziUmfugyNDve0rPAwIsuV9iCr2vv9jT6OGZPNeMvt1zQHaErSPMmBSfYKlPACqD
1T6fTFQYQ2R8K9YO99F1i1zTYYI/JO21rfKVyAnviWV8/VzG3paKh7WnZ3vPSu7Y
qGo9qTTO+Uum
-----END CERTIFICATE-----
2 s:C = US, O = EMC Corporation, OU = Global Security Organization, CN = EMC SS L Decryption Authority v2
i:C = US, O = EMC Corporation, CN = EMC Root CA
-----BEGIN CERTIFICATE-----
MIIEzDCCA7SgAwIBAgIQfzDeHUGOuZX68dftXnbR9zANBgkqhkiG9w0BAQsFADA9
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMRQwEgYDVQQD
EwtFTUMgUm9vdCBDQTAeFw0xNTEwMTUxNzAwMzJaFw0yNjAzMDYwMjM5MzNaMHgx
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9FTUMgQ29ycG9yYXRpb24xJTAjBgNVBAsT
HEdsb2JhbCBTZWN1cml0eSBPcmdhbml6YXRpb24xKDAmBgNVBAMTH0VNQyBTU0wg
RGVjcnlwdGlvbiBBdXRob3JpdHkgdjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDJvnnKsIWCtCMlm1P53fHpAnCmPfTgtGICGj1dgM2osz5Y0TZRqf57
OefJaE9uZCFr2DMPR90s1mI3ybdpgA/EA6bGDdepW3jLCn7y8uVFZ94xLr3Hv5Xe
fzIUnUXakmIbGmKfBfhVLHQfY22RDks5RNCj/Y+Q0xGbJvjKzes+FnGkMy5WdJ5P
kz8Awlbz26HVX1lh4+7KEcfjV1lyNtMhlSk7KJmVChlRvoF4u40AI7AwHamm7D4R
3BhiMzHpj1NO5tb4exd1Y6Y38pDFaIJGCDe4irdaiYg3dUSYv7oPazFCv7ng4aNR
hwPyTjAhWSXWC4kkZqgECEmeRdgX5CXxAgMBAAGjggGLMIIBhzCCAR8GA1UdHwSC
ARYwggESMDWgM6Axhi9odHRwOi8vcGtpLmNvcnAuZW1jLmNvbS9jcmwvRU1DJTIw
Um9vdCUyMENBLmNybDA6oDigNoY0aHR0cDovL2VudGVycHJpc2VjYS5jb3JwLmVt
Yy5jb20vRU1DJTIwUm9vdCUyMENBLmNybDCBnKCBmaCBloaBk2xkYXA6Ly8vQ049
RU1DIFJvb3QgQ0EsQ049RU1DIFJvb3QgQ0EsQ049Q0RQLENOPVB1YmxpYyBLZXkg
U2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1lbWNyb290
LERDPWVtYyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDAOBgNVHQ8B
Af8EBAMCAYYwHwYDVR0jBBgwFoAUjyKad6YrWTr8z+fAlE5VRpSg/zQwEgYDVR0T
AQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUpcg3w8f5h2Sazw2ogrJNxM5u9UMwDQYJ
KoZIhvcNAQELBQADggEBAKDr+Kz19+Dw7bN+qm4+TZuR0g30pEiGov7i30D6hNL7
XSPzGRmQYXEmucEEsoMY6iBMAPmLqdWFfBDh2vSmnOGk0IL+q3WzLq6IGPpXI4Wf
GGAnjyujnPsk6YP1OyrqYlVN0BUPQ3Jz8l3OI1Ga0/2RM5jogkCqszSoaHdNrouk
mA5Rz0cgETyU5TXC/+a6CEqDbFviqaiiHHZvjCVlgKmdQXirEPm6b2vp2B/DBiVW
6eTyDrIGle10RuPZTKSmlEWSgTshyMCNdOFLm7TsSkbgLgWWwFyDOeCHhvZdEuqP
dApqEUwXnO0ppEtljo5zvCLsYmkri4bxanMGHBcgG9o=
-----END CERTIFICATE-----
3 s:C = US, O = EMC Corporation, CN = EMC Root CA
i:C = US, O = EMC Corporation, CN = EMC Root CA
-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIQDnpJf/sai2ikg8QrEDRcejANBgkqhkiG9w0BAQUFADA9
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMRQwEgYDVQQD
EwtFTUMgUm9vdCBDQTAeFw0xMTAzMDgwMjM1MThaFw0yNjAzMDgwMjM1MThaMD0x
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9FTUMgQ29ycG9yYXRpb24xFDASBgNVBAMT
C0VNQyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEV0
QaykbhIOVKj1BunB8pXsISlXgiv10QSGSxG2Dnbwoli0WSgPpLqPD8bsQuwjReg0
ERGXTXpxDEpb4Kya+YcIr4KGMd+EIdLjogXnrKv1/EWa54UNNjNLU6tkwEnVQ79p
Sbx2weCxEi+VG755+Bbb5AJKDcgk4ss5hXjI8tOzAgHe+tReNQamMSOgCO+4bZJ1
RBalcYHmGxVz2TbK0qrKKC7Um4ALQfRQejB+TuvYMoTZHD8Wm/e3Hdq7wwTOmQUL
/hG4+J+k4fl8WUtf4M6CzmeYVnEpZ34wk4H/1bRmFI9jvEQlmu/uKmFZ8DPOvK8j
YJCPft/fWOLkCZOSPwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/
BAgwBgEB/wIBAzAdBgNVHQ4EFgQUjyKad6YrWTr8z+fAlE5VRpSg/zQwHwYDVR0j
BBgwFoAUjyKad6YrWTr8z+fAlE5VRpSg/zQwDQYJKoZIhvcNAQEFBQADggEBALaL
B5rAo9GLri9vvYMIkMwtI4SFYeftNrY47YA4o49sbCVlgdmzUXWk48aevoUZRl6/
rEPFbTxaZUbmjOv+XO+bGFA3T57RS6rAFeGBai/UirrckJhGgusAVU5lFtO31Mgm
W3cPXqV+PXwwHKbgLRCeTJFK3Rw68TxBqazMjNp4WufdnPC379Fg/zeKrCLwgsa4
AVFHmeIadvijSQBpY0bFzsSZGF/PmAh+NiYJpWRdDXfeeQStdZWxPESbWoXPu/Qg
0dIifLaHr2Nugkg8eTcp+F2rl2YIjnQcEFqOUNhyI8kPzzsWinYel47tC9kDL7qR
s34MLubs2L1iMIk7fJ4=
-----END CERTIFICATE-----

Server certificate
subject=CN = cloud-images.ubuntu.com

issuer=emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Techn ology Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5115 bytes and written 451 bytes
Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2C4A679C1AA9B5F0C204DE80FF7797476E2A6A7ED6CD460B3336736D6D757B5E
Session-ID-ctx:
Master-Key: 77F1A91AEE2E682C1C452A64BE27062AD443764E5D30350E112B35E674024D1B 51AD983115336B6B2C2BDFDDC433A60D
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1634218134
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no

DONE
gpsemc@lxd15:~$

15

Looks like you are behind a TLS interceptor made by Dell. “CN = DELL SSL Decyption Authority” is not an official TLS cert. I find it funny that they typo’ed their common name :wink:

1 Like
16

Yeah, that’s what I started to suspect given ca-certificates was up to date and why I asked for the s_client output.

So since it’s your employer intercepting all your TLS traffic, you need to sort this out with them, either to have this system turned off somehow (unlikely) or have them provide you with instructions to properly trust that interceptor so you can then use TLS properly on the system.

17

Thanks Stgraber. We find all of our Linux machines have this problem.

18

Hi Stgraber,
Could you let me know how to workaround this issue?

Thanks,
Sharon

19

^ I already told you :slight_smile:

20

I have asked for a new certificate on my ubuntu, I’ve got a different result, but still it fails to launch for a LXD 20.04 container

Here is the output:

gpsemc@lxd15:~/.config/lxc$ lxc launch ubuntu:20.04 ubuntu20 --verbose --debug
DBUG[10-21|13:56:04] Connecting to a local LXD over a Unix socket
DBUG[10-21|13:56:04] Sending request to LXD method=GET url=http://unix.socket/1.0 etag=
DBUG[10-21|13:56:04] Got response struct from LXD
DBUG[10-21|13:56:04]
{
“config”: {
“core.https_address”: “[::]:8443”,
“core.trust_password”: true
},
“api_extensions”: [
“storage_zfs_remove_snapshots”,
“container_host_shutdown_timeout”,
“container_stop_priority”,
“container_syscall_filtering”,
“auth_pki”,
“container_last_used_at”,
“etag”,
“patch”,
“usb_devices”,
“https_allowed_credentials”,
“image_compression_algorithm”,
“directory_manipulation”,
“container_cpu_time”,
“storage_zfs_use_refquota”,
“storage_lvm_mount_options”,
“network”,
“profile_usedby”,
“container_push”,
“container_exec_recording”,
“certificate_update”,
“container_exec_signal_handling”,
“gpu_devices”,
“container_image_properties”,
“migration_progress”,
“id_map”,
“network_firewall_filtering”,
“network_routes”,
“storage”,
“file_delete”,
“file_append”,
“network_dhcp_expiry”,
“storage_lvm_vg_rename”,
“storage_lvm_thinpool_rename”,
“network_vlan”,
“image_create_aliases”,
“container_stateless_copy”,
“container_only_migration”,
“storage_zfs_clone_copy”,
“unix_device_rename”,
“storage_lvm_use_thinpool”,
“storage_rsync_bwlimit”,
“network_vxlan_interface”,
“storage_btrfs_mount_options”,
“entity_description”,
“image_force_refresh”,
“storage_lvm_lv_resizing”,
“id_map_base”,
“file_symlinks”,
“container_push_target”,
“network_vlan_physical”,
“storage_images_delete”,
“container_edit_metadata”,
“container_snapshot_stateful_migration”,
“storage_driver_ceph”,
“storage_ceph_user_name”,
“resource_limits”,
“storage_volatile_initial_source”,
“storage_ceph_force_osd_reuse”,
“storage_block_filesystem_btrfs”,
“resources”,
“kernel_limits”,
“storage_api_volume_rename”,
“macaroon_authentication”,
“network_sriov”,
“console”,
“restrict_devlxd”,
“migration_pre_copy”,
“infiniband”,
“maas_network”,
“devlxd_events”,
“proxy”,
“network_dhcp_gateway”,
“file_get_symlink”,
“network_leases”,
“unix_device_hotplug”,
“storage_api_local_volume_handling”,
“operation_description”,
“clustering”,
“event_lifecycle”,
“storage_api_remote_volume_handling”,
“nvidia_runtime”,
“candid_authentication”,
“candid_config”,
“candid_config_key”,
“usb_optional_vendorid”
],
“api_status”: “stable”,
“api_version”: “1.0”,
“auth”: “trusted”,
“public”: false,
“auth_methods”: [
“tls”
],
“environment”: {
“addresses”: [
“10.124.56.15:8443”
],
“architectures”: [
“x86_64”,
“i686”
],
“certificate”: “-----BEGIN CERTIFICATE-----\nMIIFWDCCA0CgAwIBAgIQJzKC8wczt47o9yKZHZJHUzANBgkqhkiG9w0BAQsFADA0\nMRwwGgYDVQQKExNsaW51eGNvbnRhaW5lcnMub3JnMRQwEgYDVQQDDAtyb290QHVi\ndW50dTAeFw0yMDA1MTkwNzM3NTBaFw0zMDA1MTcwNzM3NTBaMDQxHDAaBgNVBAoT\nE2xpbnV4Y29udGFpbmVycy5vcmcxFDASBgNVBAMMC3Jvb3RAdWJ1bnR1MIICIjAN\nBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsqaBlxi03ly7Q1E7KKzAa8G5qF5k\nkVX9dkegDuE8qCNXa5v8cWc1ba/pwSrk/rdygLfTaSf7i8OUPP/a/yq8IiQZ7F8Z\nik5lXehXJIBVWkBIXCIJDiH/csB/hLLotKMUXSBudKV+vve7Tb0KmDMqrG0mfZai\nto3h3pQgcyFmMWg8RloqzrFG4Hg7kaqCUPBqhg8gvjhJNDKQVSd5y0BtW4gMRF6f\n1OYEO2mRnyS6MtJsu9S8d7S4ZZ+SPoJgAxZrEeSbxZqnS/c8G6a2p+rQW2S/cr/x\nuLw1lVUD6uUY39ZSms0ga9/MuKKrttegU5ctxxJ3WCTZ6na6QMnImF9n8uEZkpIX\nzmbLbLBFBRXZOt4S7wCctT6VJRy/amWQpY0TDHMqNFBhwkFMhkxcVTEA4J/Y2LR7\nai64YHWPX+2kC0aH8zaSqfSolWVwjjwTGSxO0QgwBh28VHAtg7l29AK6U8q2cDL8\nYH5+yRMV60TQ2nli5VProkR2DPPGbIC+Zf2vCtAFVXahXagrDnqHE6arWNzVRaiS\ngF2o+3Jiw/lpM60N4Oo0jDcIvlE3dZVW3ljdEY8HqguaLnDKSVJcge/JTHGj7pug\nacamliHSsQFsKQe1LC5P69uizduU1bCkVcyjC18gQkn8StQ1vyxN7X+NVhh/fxBX\nzZF6LR0sRFpNtPECAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwLwYDVR0RBCgwJoIGdWJ1bnR1hwQKfDgP\nhxD9p+buLgkAALImKP/+71WXhwQKfDgPMA0GCSqGSIb3DQEBCwUAA4ICAQBttm4o\nDq6VndloGx3bgyfeHHNdvl2v9WYAnkFxIKrzcY6VvrntnZJD7GpiCTkcyI4QkQIR\n89rOv0ckJhSGkDfrqBU8/vWikKOM96vlzFhNi3JLfOtTTqN+ZHMBv0qbEHIPE2be\niTR2yX8NjdpdsrD7s+ssVsomGNZVOmx7J/T9I4QsKFkIDeII5cl8grqo7KpENEVN\nak9TUbiulx3WtTzHXpsS60OcYex7N+lNhtd97cA9IcaXmh8NqLjkAlhRdkJEgcVq\nSMtOESxd1JIRruku9mm/j7c3i/bum7kxiuOQ6VAMyIDNPLl8FYhZNmwkw+jGrQ5v\nR9Qhcb7lraIlK1PANRdaZMJ3/ZAnA8k7Iq6GgceSwYtd8PTpFLtkHrBBmOriT191\nssKxYKORZXYdbRA2MzFkWE/2EqXib+URcaET4uel4SiB5+arpoRi6cKIRMMPLrmP\naI4zfQd4DFj4MLGXghl9qBZ6P9Hw6E1cRN1ixAEBdovRCn1xociqUAHNQ432VJWz\nM2/7ajTCn2omARTykz46P3LvJXgqb1oJK2SvV2Ds7O0s0bpXu2cOfLNzJFx3Te+j\nwqlXGGJxSulsfc7Nq6YoAQNrT4XQ948o+YtuL0R5N26RkLcKwRGAOJqJABWdnh0g\nDhgA221I6wSyPkC/vHZxJjnShnow2+iwUMafkA==\n-----END CERTIFICATE-----\n”,
“certificate_fingerprint”: “104519864b6279890702d56ee55908cd90b08ce549115a28ef4b6031be0ba188”,
“driver”: “lxc”,
“driver_version”: “3.0.3”,
“kernel”: “Linux”,
“kernel_architecture”: “x86_64”,
“kernel_version”: “5.4.0-87-generic”,
“server”: “lxd”,
“server_pid”: 3230,
“server_version”: “3.0.3”,
“storage”: “zfs”,
“storage_version”: “0.8.3-1ubuntu12.12”,
“server_clustered”: false,
“server_name”: “lxd15”,
“project”: “”
}
}
Creating ubuntu20
DBUG[10-21|13:56:04] Connecting to a remote simplestreams server
DBUG[10-21|13:56:04] Connected to the websocket
DBUG[10-21|13:56:04] Sending request to LXD method=POST url=http://unix.socket/1.0/containers etag=
DBUG[10-21|13:56:04]
{
“architecture”: “”,
“config”: {},
“devices”: {},
“ephemeral”: false,
“profiles”: null,
“stateful”: false,
“description”: “”,
“name”: “ubuntu20”,
“source”: {
“type”: “image”,
“certificate”: “”,
“alias”: “20.04”,
“server”: “Ubuntu Cloud Images”,
“protocol”: “simplestreams”,
“mode”: “pull”
},
“instance_type”: “”
}
DBUG[10-21|13:56:04] Got operation from LXD
DBUG[10-21|13:56:04]
{
“id”: “bf0bc52b-67c3-45d0-8c01-aa6d98edc6b1”,
“class”: “task”,
“description”: “Creating container”,
“created_at”: “2021-10-21T13:56:04.433944373+08:00”,
“updated_at”: “2021-10-21T13:56:04.433944373+08:00”,
“status”: “Running”,
“status_code”: 103,
“resources”: {
“containers”: [
“/1.0/containers/ubuntu20”
]
},
“metadata”: null,
“may_cancel”: false,
“err”: “”
}
DBUG[10-21|13:56:04] Sending request to LXD method=GET url=http://unix.socket/1.0/operations/bf0bc52b-67c3-45d0-8c01-aa6d98edc6b1 etag=
DBUG[10-21|13:56:04] Got response struct from LXD
DBUG[10-21|13:56:04]
{
“id”: “bf0bc52b-67c3-45d0-8c01-aa6d98edc6b1”,
“class”: “task”,
“description”: “Creating container”,
“created_at”: “2021-10-21T13:56:04.433944373+08:00”,
“updated_at”: “2021-10-21T13:56:04.433944373+08:00”,
“status”: “Running”,
“status_code”: 103,
“resources”: {
“containers”: [
“/1.0/containers/ubuntu20”
]
},
“metadata”: null,
“may_cancel”: false,
“err”: “”
}
Error: Failed container creation: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: certificate signed by unknown authority

And here is the certificates:

gpsemc@lxd15:~/.config/lxc$ echo “” | openssl s_client -host cloud-images.ubuntu.com -port 443 -showcerts
CONNECTED(00000005)
depth=3 C = US, O = EMC Corporation, CN = EMC Root CA
verify return:1
depth=2 C = US, O = EMC Corporation, OU = Global Security Organization, CN = EMC SSL Decryption Authority v2
verify return:1
depth=1 emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technology Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority
verify return:1
depth=0 CN = cloud-images.ubuntu.com
verify return:1

Certificate chain
0 s:CN = cloud-images.ubuntu.com
i:emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technology Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIUQkNTTqLVvCiIv6LUAAAAAWgBE+QwDQYJKoZIhvcNAQEL
BQAwgaUxMTAvBgkqhkiG9w0BCQEWIkN5YmVyU2VjdXJpdHlfTmV0d29ya19PcHNA
ZGVsbC5jb20xCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEZWxsIFRlY2hub2xvZ3kg
SW5jb3JwcmF0ZWQxFjAUBgNVBAsTDUN5YmVyU2VjdXJpdHkxJTAjBgNVBAMTHERF
TEwgU1NMIERlY3lwdGlvbiBBdXRob3JpdHkwHhcNMjExMDE1MDMyMDM1WhcNMjIw
MTEzMDMyMDM0WjAiMSAwHgYDVQQDExdjbG91ZC1pbWFnZXMudWJ1bnR1LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4Fl32uiCKybk9q/UWbI9ch
YDQfQiEcvz26vgoM6wljzgrvgrvI0Hk6DPkBpo9Z1c0QyWl5cIosP4PinGesyN6f
l19ukODSkzdGpWnZkXQ2qBM77B9pVxf1i0tTo8+gdA3C9TWDZrbVpbFN8al7Xp7s
CNOeaYcs9vMzwXPBgsjRkVXoOqcVpjoCFsy+xXPTrCrfof0WiHzKMxWf0vIZX+Be
0Dbl267y120aevcNHYkbMWjwsUhTfFzgaSkNp8wErejntzzqFJObI9vpCuNX1NZN
x6NAm4yNOuXINtWTTPUjnzLEtW3oRzIsrjRBn3dvuifvVWkC1IaIXKHig12viykC
AwEAAaOB5TCB4jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAfBgNVHSMEGDAWgBSR
lXk0leZJz3GKU+WljXq8/Xb7JTA+BgNVHREENzA1ghdjbG91ZC1pbWFnZXMudWJ1
bnR1LmNvbYIadXMuY2xvdWQtaW1hZ2VzLnVidW50dS5jb20wSAYDVR0fBEEwPzA9
oDugOYY3aHR0cDovL3Byb3h5LWNybC5ibHVlY29hdC5jb20vc3NsL2NybC9FTUNf
cmVzaWduaW5nLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJ
KoZIhvcNAQELBQADggEBABJqWTaSmcpHm5/CQZYZllBctuDmdGfOKE17k1rUw0Ug
AafqILX8hLbEug0l1oOV2M/pA9dZ6SHqGuEhRzLmE3dA2hUAFi1z61CZiwwIHHF4
WqdG5jhGlfj4WMlyQgrut9buM56J9A9wQnIkQRJ5frwvX9AXzO7ONjWXW7hqWu4R
tODqM3+wA2fxR9wkaQBQco3ANp7TC7A2GPNerUpE9nFniv6/naxcgtusiE4YtSix
3yNfeZWzbOZTQYmMM2hY7IGdRuaMbEu9GikbfBThGell/Uin3nN2HqMn+oJ2BMcJ
rUXlOfKOPgLQLX+ow82iQrwj0WLyhZ7KdO90RI2++SA=
-----END CERTIFICATE-----
1 s:emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technology Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority
i:C = US, O = EMC Corporation, OU = Global Security Organization, CN = EMC SSL Decryption Authority v2
-----BEGIN CERTIFICATE-----
MIIFdTCCBF2gAwIBAgIQX1xunC5P5UwW7l4w8h/3qzANBgkqhkiG9w0BAQsFADB4
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMSUwIwYDVQQL
ExxHbG9iYWwgU2VjdXJpdHkgT3JnYW5pemF0aW9uMSgwJgYDVQQDEx9FTUMgU1NM
IERlY3J5cHRpb24gQXV0aG9yaXR5IHYyMB4XDTE5MDQxOTAwMzkzMFoXDTIyMDQx
OTAwMzkzMFowgaUxMTAvBgkqhkiG9w0BCQEWIkN5YmVyU2VjdXJpdHlfTmV0d29y
a19PcHNAZGVsbC5jb20xCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEZWxsIFRlY2hu
b2xvZ3kgSW5jb3JwcmF0ZWQxFjAUBgNVBAsTDUN5YmVyU2VjdXJpdHkxJTAjBgNV
BAMTHERFTEwgU1NMIERlY3lwdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDE6buigPTtzjDjYZ1LLlp7HDRQbjRb7nhVMT0BBZbo
Z5KZrNWnllB4uNH+VMpEGXlbDWeK4/Sb5f4/4+cqsPfBXSDMGwqKcTJqg6PfpqUB
JylmNxUL5fv1RsD8pvBc6CPhZitql9+Rm6eRrfASUzu3kXy0jvkOWTuAn1gzMSb2
Cf6T1wJf4hTXn6wh15QW0ywnoP/YqBv3rPW889/MIH5k7xty45NInRxKWw9xKrCk
OdDSFbDYOvxdPL/pmtZBFNbIrMQN3KC4hGZoIX+cwuc4B9DjltsVbmALx+tR7wJf
dhYdtmd0D+8Yv+3ZrPp43zpyCu+Sm4EK4A8zWLon35IxAgMBAAGjggHLMIIBxzAf
BgNVHSMEGDAWgBSlyDfDx/mHZJrPDaiCsk3Ezm71QzASBgNVHRMBAf8ECDAGAQH/
AgEAMIIBXwYDVR0fBIIBVjCCAVIwQaA/oD2GO2h0dHA6Ly9wa2kuY29ycC5lbWMu
Y29tL2NybC9FTUNTU0xEZWNyeXB0aW9uQXV0aG9yaXR5djIuY3JsMIHEoIHBoIG+
hoG7bGRhcDovLy9DTj1FTUMgU1NMIERlY3J5cHRpb24gQXV0aG9yaXR5IHYyLENO
PUVNQyBTU0wgRGVjcnlwdGlvbiBBdXRob3JpdHkgdjIsQ049Q0RQLENOPVB1Ymxp
YyBLZXkgU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1l
bWNyb290LERDPWVtYyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDBG
oESgQoZAaHR0cDovL2VudGVycHJpc2VjYS5jb3JwLmVtYy5jb20vRU1DU1NMRGVj
cnlwdGlvbkF1dGhvcml0eXYyLmNybDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYE
FJGVeTSV5knPcYpT5aWNerz9dvslMA0GCSqGSIb3DQEBCwUAA4IBAQDFMIBQudei
E+Q0n74Sh9F9trK3ooID2FbkVxQVMJ8WOUJl/++iK+lXDX2SJO3OGJG4oCapNVMR
Q9kXD7MD/58x25aCprEGTcy51BKAH+hmYYB03Q7p0a7k8641YJQRYfnZGlpE4wGh
X68EEIhSrVqWDqfz4SJNGjrNzOSqQ40DPLQKtNZ1YFPoUuNkNIxGVZWpE25bOo9j
yziUmfugyNDve0rPAwIsuV9iCr2vv9jT6OGZPNeMvt1zQHaErSPMmBSfYKlPACqD
1T6fTFQYQ2R8K9YO99F1i1zTYYI/JO21rfKVyAnviWV8/VzG3paKh7WnZ3vPSu7Y
qGo9qTTO+Uum
-----END CERTIFICATE-----
2 s:C = US, O = EMC Corporation, OU = Global Security Organization, CN = EMC SSL Decryption Authority v2
i:C = US, O = EMC Corporation, CN = EMC Root CA
-----BEGIN CERTIFICATE-----
MIIEzDCCA7SgAwIBAgIQfzDeHUGOuZX68dftXnbR9zANBgkqhkiG9w0BAQsFADA9
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMRQwEgYDVQQD
EwtFTUMgUm9vdCBDQTAeFw0xNTEwMTUxNzAwMzJaFw0yNjAzMDYwMjM5MzNaMHgx
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9FTUMgQ29ycG9yYXRpb24xJTAjBgNVBAsT
HEdsb2JhbCBTZWN1cml0eSBPcmdhbml6YXRpb24xKDAmBgNVBAMTH0VNQyBTU0wg
RGVjcnlwdGlvbiBBdXRob3JpdHkgdjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDJvnnKsIWCtCMlm1P53fHpAnCmPfTgtGICGj1dgM2osz5Y0TZRqf57
OefJaE9uZCFr2DMPR90s1mI3ybdpgA/EA6bGDdepW3jLCn7y8uVFZ94xLr3Hv5Xe
fzIUnUXakmIbGmKfBfhVLHQfY22RDks5RNCj/Y+Q0xGbJvjKzes+FnGkMy5WdJ5P
kz8Awlbz26HVX1lh4+7KEcfjV1lyNtMhlSk7KJmVChlRvoF4u40AI7AwHamm7D4R
3BhiMzHpj1NO5tb4exd1Y6Y38pDFaIJGCDe4irdaiYg3dUSYv7oPazFCv7ng4aNR
hwPyTjAhWSXWC4kkZqgECEmeRdgX5CXxAgMBAAGjggGLMIIBhzCCAR8GA1UdHwSC
ARYwggESMDWgM6Axhi9odHRwOi8vcGtpLmNvcnAuZW1jLmNvbS9jcmwvRU1DJTIw
Um9vdCUyMENBLmNybDA6oDigNoY0aHR0cDovL2VudGVycHJpc2VjYS5jb3JwLmVt
Yy5jb20vRU1DJTIwUm9vdCUyMENBLmNybDCBnKCBmaCBloaBk2xkYXA6Ly8vQ049
RU1DIFJvb3QgQ0EsQ049RU1DIFJvb3QgQ0EsQ049Q0RQLENOPVB1YmxpYyBLZXkg
U2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1lbWNyb290
LERDPWVtYyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDAOBgNVHQ8B
Af8EBAMCAYYwHwYDVR0jBBgwFoAUjyKad6YrWTr8z+fAlE5VRpSg/zQwEgYDVR0T
AQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUpcg3w8f5h2Sazw2ogrJNxM5u9UMwDQYJ
KoZIhvcNAQELBQADggEBAKDr+Kz19+Dw7bN+qm4+TZuR0g30pEiGov7i30D6hNL7
XSPzGRmQYXEmucEEsoMY6iBMAPmLqdWFfBDh2vSmnOGk0IL+q3WzLq6IGPpXI4Wf
GGAnjyujnPsk6YP1OyrqYlVN0BUPQ3Jz8l3OI1Ga0/2RM5jogkCqszSoaHdNrouk
mA5Rz0cgETyU5TXC/+a6CEqDbFviqaiiHHZvjCVlgKmdQXirEPm6b2vp2B/DBiVW
6eTyDrIGle10RuPZTKSmlEWSgTshyMCNdOFLm7TsSkbgLgWWwFyDOeCHhvZdEuqP
dApqEUwXnO0ppEtljo5zvCLsYmkri4bxanMGHBcgG9o=
-----END CERTIFICATE-----
3 s:C = US, O = EMC Corporation, CN = EMC Root CA
i:C = US, O = EMC Corporation, CN = EMC Root CA
-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIQDnpJf/sai2ikg8QrEDRcejANBgkqhkiG9w0BAQUFADA9
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPRU1DIENvcnBvcmF0aW9uMRQwEgYDVQQD
EwtFTUMgUm9vdCBDQTAeFw0xMTAzMDgwMjM1MThaFw0yNjAzMDgwMjM1MThaMD0x
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9FTUMgQ29ycG9yYXRpb24xFDASBgNVBAMT
C0VNQyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEV0
QaykbhIOVKj1BunB8pXsISlXgiv10QSGSxG2Dnbwoli0WSgPpLqPD8bsQuwjReg0
ERGXTXpxDEpb4Kya+YcIr4KGMd+EIdLjogXnrKv1/EWa54UNNjNLU6tkwEnVQ79p
Sbx2weCxEi+VG755+Bbb5AJKDcgk4ss5hXjI8tOzAgHe+tReNQamMSOgCO+4bZJ1
RBalcYHmGxVz2TbK0qrKKC7Um4ALQfRQejB+TuvYMoTZHD8Wm/e3Hdq7wwTOmQUL
/hG4+J+k4fl8WUtf4M6CzmeYVnEpZ34wk4H/1bRmFI9jvEQlmu/uKmFZ8DPOvK8j
YJCPft/fWOLkCZOSPwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/
BAgwBgEB/wIBAzAdBgNVHQ4EFgQUjyKad6YrWTr8z+fAlE5VRpSg/zQwHwYDVR0j
BBgwFoAUjyKad6YrWTr8z+fAlE5VRpSg/zQwDQYJKoZIhvcNAQEFBQADggEBALaL
B5rAo9GLri9vvYMIkMwtI4SFYeftNrY47YA4o49sbCVlgdmzUXWk48aevoUZRl6/
rEPFbTxaZUbmjOv+XO+bGFA3T57RS6rAFeGBai/UirrckJhGgusAVU5lFtO31Mgm
W3cPXqV+PXwwHKbgLRCeTJFK3Rw68TxBqazMjNp4WufdnPC379Fg/zeKrCLwgsa4
AVFHmeIadvijSQBpY0bFzsSZGF/PmAh+NiYJpWRdDXfeeQStdZWxPESbWoXPu/Qg
0dIifLaHr2Nugkg8eTcp+F2rl2YIjnQcEFqOUNhyI8kPzzsWinYel47tC9kDL7qR
s34MLubs2L1iMIk7fJ4=
-----END CERTIFICATE-----

Server certificate
subject=CN = cloud-images.ubuntu.com

issuer=emailAddress = CyberSecurity_Network_Ops@dell.com, C = US, O = Dell Technology Incorprated, OU = CyberSecurity, CN = DELL SSL Decyption Authority

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5115 bytes and written 451 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 56CCA4849D9F84E55C34C13F9CD336DF6700759DB820B0A0808865027F68C010
Session-ID-ctx:
Master-Key: 9A58AD93B37D3467F1EA66106FF473691055C3DF957F046A4D58653276B6BC6D0222646A18DE55BAE8919E14A44FEADD
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1634795836
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

DONE

gpsemc@lxd15:~/.config/lxc$ curl -vI https://cloud-images.ubuntu.com/releases/streams/v1/ind ex.json

  • Trying 91.189.91.123…
  • TCP_NODELAY set
  • Connected to cloud-images.ubuntu.com (91.189.91.123) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: CN=cloud-images.ubuntu.com
  • start date: Oct 15 03:20:35 2021 GMT
  • expire date: Jan 13 03:20:34 2022 GMT
  • subjectAltName: host “cloud-images.ubuntu.com” matched cert’s “cloud-images.ubuntu.com
  • issuer: emailAddress=CyberSecurity_Network_Ops@dell.com; C=US; O=Dell Technology Incorprated; OU=CyberSecurity; CN=DELL SSL Decyption Authority
  • SSL certificate verify ok.

HEAD /releases/streams/v1/ind HTTP/1.1
Host: cloud-images.ubuntu.com
User-Agent: curl/7.58.0
Accept: /

< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Date: Thu, 21 Oct 2021 05:56:41 GMT
Date: Thu, 21 Oct 2021 05:56:41 GMT
< Server: Apache/2.4.29 (Ubuntu)
Server: Apache/2.4.29 (Ubuntu)
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
< Connection: Keep-Alive
Connection: Keep-Alive

<

  • Connection #0 to host cloud-images.ubuntu.com left intact
  • Rebuilt URL to: ex.json/
  • Could not resolve host: ex.json
  • Closing connection 1
    curl: (6) Could not resolve host: ex.json

Could you help to take a look?