Qubes-dom0-update failing --releasever=4.1

Franz · March 7, 2023, 3:59pm

Dear friends
I have seen this topic has already been discussed, but solutions do not seem to work for me.

I reinstalled 4.1.1 and dom0 update failed, So tried installing 4.1.2 rc1 and again got the same error on sys-firewall, suggesting to try --releasever=

I tried
sudo qubes-dom0-update --releasever=4.1 or
sudo qubes-dom0-update --releasever=4.1.2

but I always get the same error. What am I doing wrong?

unman · March 7, 2023, 4:12pm

You have not provided any detail of what the error is.
You should also say what template is used by the dom0 updatevm (see
global settings).

You should use the update GUI tool, rather than qubes-dom0-update - I
assume that your qubes-dom0-updater was a typo in your post, rather
than on your machine, even though repeated.

cayce · March 7, 2023, 4:38pm

Spending so much time fussing with something you are not versed in and, subsequently NOT providing “the same error” to those who are?

My best “guess” is that you’re simply misinterpreting what you see. Next “guess” is that you aren’t using the necessary CLI flags which, is leading to output which is confusing you.

Franz · March 7, 2023, 6:08pm

I did try to copy the error from the sys-firewall window, but it did not let me to copy. So, sorry for my laziness, but, copying manually, it is:

Unable to detect release version (use “–releasever” to specify release)
Fedora 32-x86_84 updates …
Errors during downloading metadata for repository’updates:

Curl error (60) SSL peer certificate or SSH remote key was not OK for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f32&arch=x86_64 [server certificate verification failed. CAfile: none CRLfile: none]

then it repeats again the same error

template used by sys-firewall is Debian 11

The dom0 GUI update tool gives the same result

Franz · March 7, 2023, 6:22pm

In additions to the errors now reported, Tried to update debian 11 template and it gives similar errors:

Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate…

cayce · March 7, 2023, 6:41pm

You chose Fedora-* for your sys-firewall template, yes? Is that version of Fedora EOL?

Quick fix might be to:

A) Create & start an AppVM/DispVM based on debian-*

B) Install the qubes-core-agent-dom0-updates package like this:

# apt install -y qubes-core-agent-dom0-updates

$ sudo apt install -y qubes-core-agent-dom0-updates

C) Open “Qubes Global Settings” and chose the AppVM/DispVM you just installed qubes-core-agent-dom0-updates in

D) Try your update again

Franz · March 7, 2023, 7:04pm

many thanks @cayce

You chose Fedora-* for your sys-firewall template, yes? Is that version of Fedora EOL?

No, I am using debian-11

cayce · March 7, 2023, 7:14pm

Odd, sounds like this may be a result of an update of your core debian-11 TemplateVM?

Maybe, try this:

A) Start your debian-11 TemplateVM

B) Open a console and login to debian-11

C) Look for any errors upon login

D) Try:

# apt update

E) And, see if you have any messages about broken packages or the like. If so:

# apt --fix-broken install

Franz · March 7, 2023, 7:34pm

No, this is brand new installation of 4.1.2 no update yet

I got the following errors, but I see nothing about broken packages:

user@debian-11:~$ sudo apt update
Err:1 https://deb.qubes-os.org/r4.1/vm bullseye InRelease                      
  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
Err:2 https://deb.debian.org/debian bullseye InRelease                         
  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
Err:3 https://deb.debian.org/debian-security bullseye-security InRelease
  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
Reading package lists... Done                        
E: Failed to fetch https://deb.debian.org/debian/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
E: Failed to fetch https://deb.debian.org/debian-security/dists/bullseye-security/InRelease  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
E: Failed to fetch https://deb.qubes-os.org/r4.1/vm/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
E: Some index files failed to download. They have been ignored, or old ones used instead.
user@debian-11:~$

cayce · March 7, 2023, 7:50pm

Haven’t seen other’s running into this issue, sound fubar to me. It’s as if, the proper cert was not installed?

Did you use the latest to install?

Franz · March 7, 2023, 8:03pm

I downloaded 4.1.2 a couple of days ago and it passed gpg verification, but it was NOT rc2, it was rc1 as the only one provided on the Qubes download page, when I downloaded it. I did not that a rc2 was available. I imagine you now suggest ot install rc2.

Also a very similar issue with the same error happened a few days ago when I installed version 4.1 stable, even if I only checked sys-firewall, not debian-11. So, if this is a rare issue, as you say, how is it possible that it happens with two very distinct releases?

cayce · March 7, 2023, 8:16pm

On a fresh install that’s not happy with it’s cert? Absolutely. Primarily because it’s likely faster than a bunch of troubleshooting + “dirty” manual modifications.

One could manually fetch/verify/supply the cert but …

SteveC · March 7, 2023, 8:42pm

[deleted]

SteveC · March 7, 2023, 8:42pm

It literally came out today so of course you didn’t know it a couple of days ago.

ChrisA · March 7, 2023, 8:44pm

What do you get, if you run

date

?

The “not before” and “not after” in the certificate, might cause issues, if the date on your machine is wrong…

cayce · March 7, 2023, 8:48pm

Nice catch!

Franz · March 7, 2023, 8:50pm

Date is 03 Jan 2044,

we removed for five minutes the battery to reset the computer for boot issues.

I imagine this is the problem. Never thought about it
\Many thanks @ChrisA hris

cayce · March 7, 2023, 9:05pm

ChrisA · March 7, 2023, 9:08pm

In that case, my statement really should be updated to:

… that will cause issues with “not after” in the certificates.

Personally I had expected something in Jan 1970 (epoch) or when the BIOS in your machine was released … had I actually read (and not just scrolled quickly), I should have spotted: