secureboot-certs install fails
apz last edited by
This is a fresh 8.2 system with the secure boot features added per XCP-ng documentation. The secureboot-certs install however fails:
# secureboot-certs install No arguments provided to command install, default arguments will be used: - PK: default - KEK: default - db: default - dbx: latest Downloading https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt... Downloading https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt... Downloading https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt... Downloading https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin... error: unable to retrieve certificate from URL: https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin. Error message: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)>. If the failure can't be fixed at the network configuration level, consider downloading the certificates manually and then loading one or more of them with secureboot-certs install <PK-filename>|default <KEK-filename>|default <db-filename>|default <dbx-filename>|latest. Check secureboot-certs install -h for usage details as well as a list of the download links used by secureboot-certs install.
The system's clock is correct and the uefi.org certificate seems fine to me:
* Server certificate: * subject: CN=uefi.org * start date: Oct 19 13:50:03 2021 GMT * expire date: Jan 17 13:50:02 2022 GMT * common name: uefi.org * issuer: CN=R3,O=Let's Encrypt,C=US
wget on the same system says the certificate is expired. A desktop's browser was fine with it and allowed me to download the file. Is there something I missed here? I did the same kind of installation couple of months back and had no issues with that.
It's related to the expiry of a root certificate and sub-optimal behaviour of the version of openssl we have in XCP-ng.
You can fix it by updating the
ca-certificatesRPM (it's been validated internally already and will be released to everyone with our next updates).
yum update ca-certificates --enablerepo=xcp-ng-testing