This is a fresh 8.2 system with the secure boot features added per XCP-ng documentation. The secureboot-certs install however fails:
# secureboot-certs install
No arguments provided to command install, default arguments will be used:
- PK: default
- KEK: default
- db: default
- dbx: latest
error: unable to retrieve certificate from URL: https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin. Error message: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)>.
If the failure can't be fixed at the network configuration level, consider downloading the certificates manually and then loading one or more of them with secureboot-certs install <PK-filename>|default <KEK-filename>|default <db-filename>|default <dbx-filename>|latest. Check secureboot-certs install -h for usage details as well as a list of the download links used by secureboot-certs install.
The system's clock is correct and the uefi.org certificate seems fine to me:
* Server certificate:
* subject: CN=uefi.org
* start date: Oct 19 13:50:03 2021 GMT
* expire date: Jan 17 13:50:02 2022 GMT
* common name: uefi.org
* issuer: CN=R3,O=Let's Encrypt,C=US
wget on the same system says the certificate is expired. A desktop's browser was fine with it and allowed me to download the file. Is there something I missed here? I did the same kind of installation couple of months back and had no issues with that.