Trust Error with letsencrypt

You are using UBOS in a virtual machine, or in the cloud. Please tell us which.
pwhermanson
Posts: 3
Joined: Wed Dec 19, 2018 9:23 pm

Trust Error with letsencrypt

Post by pwhermanson » Wed Dec 19, 2018 11:52 pm

I am attempting to install nextcloud onto Amazon EC2 using your instructions. In testing, I have successfully installed an unsecure HTTP version using the command: sudo ubos-admin createsite.

However, when appending letsencrypt to the command (% sudo ubos-admin createsite --tls --letsencrypt), I receive the following errors:


First app to run (or leave empty when no more apps): nextcloud
App nextcloud suggests context path /nextcloud
Enter context path:
Any accessories for nextcloud? Enter list:
Downloading packages...
ERROR: Failed to install package(s): certbot-apache. Pacman says: error: python-mock: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: python-augeas: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: failed to commit transaction (invalid or corrupted package)
[shepherd@ubos-ec2 ~]$



j12t
Posts: 79
Joined: Tue Dec 12, 2017 9:17 pm

Re: Trust Error with letsencrypt

Post by j12t » Thu Dec 20, 2018 12:54 am

This doesn't actually have anything to do with letsencrypt per se; rather, one of the Arch Linux maintainers has upgraded his package signing key, and the UBOS image doesn't know about that yet.

Which exact version of the EC2 image are you using? (It shouldn't be doing this.)

To fix, this should work:

sudo pacman -Syu
sudo pacman -S archlinux-keyring
sudo pacman -S certbot

Then try again. If there is any error whatsoever, please post the entire transcript. Thanks.

pwhermanson
Posts: 3
Joined: Wed Dec 19, 2018 9:23 pm

Re: Trust Error with letsencrypt

Post by pwhermanson » Thu Dec 20, 2018 1:20 am

Yes, I tried several times and received the same errors. The error has occurred on two EC2 instances I have been testing.

t2.medium
us-east-1c
December 19, 2018 at 1:21:49 PM UTC-6

t2.large
us-east-1c
December 19, 2018 at 6:56:30 PM UTC-6


Here is the transcript:

Using username "shepherd".
Authenticating with public key "imported-openssh-key"
[shepherd@ubos-ec2 ~]$ systemctl is-system-running
running
[shepherd@ubos-ec2 ~]$ sudo ubos-admin update
No packages installed or upgraded.
[shepherd@ubos-ec2 ~]$ sudo ubos-admin createsite --tls --letsencrypt
** First a few questions about the website that you are about to create:
Hostname (or * for any): demo.bizclouder.com
Site admin user id (e.g. admin): admin
Site admin user name (e.g. John Doe): admin
Site admin user password (e.g. s3cr3t):
Repeat site admin user password:
Site admin user e-mail (e.g. foo@bar.com): qualitydigitalartistry@gmail.com
** Now a few questions about the app(s) you are going to deploy to this site:
First app to run (or leave empty when no more apps): nextcloud
Downloading packages...
App nextcloud suggests context path /nextcloud
Enter context path:
Any accessories for nextcloud? Enter list:
Downloading packages...
ERROR: Failed to install package(s): php-gd certbot-apache php-apcu. Pacman says: warning: dependency cycle detected:
warning: harfbuzz will be installed before its freetype2 dependency
error: python-mock: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: python-augeas: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: failed to commit transaction (invalid or corrupted package)
[shepherd@ubos-ec2 ~]$ sudo pacman -Syu
:: Synchronizing package databases...
hl is up to date
os is up to date
tools is up to date
:: Starting full system upgrade...
there is nothing to do
[shepherd@ubos-ec2 ~]$ sudo pacman -S archlinux-keyring
warning: archlinux-keyring-20180808-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20180808-1

Total Installed Size: 0.82 MiB
Net Upgrade Size: 0.00 MiB

:: Proceed with installation? [Y/n] Y
(1/1) checking keys in keyring [#######################################] 100%
(1/1) checking package integrity [#######################################] 100%
(1/1) loading package files [#######################################] 100%
(1/1) checking for file conflicts [#######################################] 100%
(1/1) checking available disk space [#######################################] 100%
:: Processing package changes...
(1/1) reinstalling archlinux-keyring [#######################################] 100%
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
-> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
-> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
-> Locally signing key 91FFE0700E80619CEB73235CA88E23E377514E00...
-> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
-> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
==> Updating trust database...
gpg: next trustdb check due at 2018-12-31
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[shepherd@ubos-ec2 ~]$ sudo ubos-admin createsite --tls --letsencrypt
** First a few questions about the website that you are about to create:
Hostname (or * for any): demo.bizclouder.com
Site admin user id (e.g. admin): admin
Site admin user name (e.g. John Doe): admin
Site admin user password (e.g. s3cr3t):
Repeat site admin user password:
Site admin user e-mail (e.g. foo@bar.com): qualitydigitalartistry@gmail.com
** Now a few questions about the app(s) you are going to deploy to this site:
First app to run (or leave empty when no more apps): nextcloud
App nextcloud suggests context path /nextcloud
Enter context path:
Any accessories for nextcloud? Enter list:
Downloading packages...
ERROR: Failed to install package(s): certbot-apache php-gd php-apcu. Pacman says: warning: dependency cycle detected:
warning: harfbuzz will be installed before its freetype2 dependency
error: python-mock: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: python-augeas: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: failed to commit transaction (invalid or corrupted package)
[shepherd@ubos-ec2 ~]$ sudo pacman -S certbot
resolving dependencies...
looking for conflicting packages...

Packages (31) python-3.7.0-3 python-acme-0.26.1-1 python-appdirs-1.4.3-2 python-asn1crypto-0.24.0-2
python-cffi-1.11.5-2 python-chardet-3.0.4-2 python-configargparse-0.13.0-2 python-configobj-5.0.6-4
python-cryptography-2.3-1 python-future-0.16.0-3 python-idna-2.7-3 python-josepy-1.1.0-2
python-mock-2.0.0-4 python-packaging-17.1-2 python-parsedatetime-2.4-2 python-pbr-4.2.0-1
python-ply-3.11-2 python-pycparser-2.18-2 python-pyopenssl-18.0.0-2 python-pyparsing-2.2.0-2
python-pyrfc3339-1.1-2 python-pytz-2018.5-2 python-requests-2.19.1-2
python-requests-toolbelt-0.8.0-3 python-setuptools-1:39.2.0-3 python-six-1.11.0-3
python-urllib3-1.23-2 python-zope-component-4.4.1-2 python-zope-event-4.3.0-2
python-zope-interface-4.5.0-2 certbot-0.26.1-1

Total Download Size: 0.11 MiB
Total Installed Size: 168.78 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
python-mock-2.0.0-4-any 111.4 KiB 0.00B/s 00:00 [#######################################] 100%
(31/31) checking keys in keyring [#######################################] 100%
(31/31) checking package integrity [#######################################] 100%
error: python-mock: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/python-mock-2.0.0-4-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] Y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
[shepherd@ubos-ec2 ~]$

j12t
Posts: 79
Joined: Tue Dec 12, 2017 9:17 pm

Re: Trust Error with letsencrypt

Post by j12t » Thu Dec 20, 2018 5:05 am

What's the UBOS image version? The one linked from ubos.net/quickstart, i.e. ami-0156a08fad4671775?

If you aren't sure, the Amazon EC2 control panel shows it, I believe.

pwhermanson
Posts: 3
Joined: Wed Dec 19, 2018 9:23 pm

Re: Trust Error with letsencrypt

Post by pwhermanson » Thu Dec 20, 2018 10:55 pm

ubos-image-yellow 20180820 (ami-0156a08fad4671775)

j12t
Posts: 79
Joined: Tue Dec 12, 2017 9:17 pm

Re: Trust Error with letsencrypt

Post by j12t » Fri Dec 21, 2018 1:06 am

Thanks for the info, I can reproduce the problem: It looks like the keypair used by the Arch developers to sign one of the packages (python-mock) expired a few days ago.

We have pushed a point patch. If you execute

sudo ubos-admin update

one more time, the package with the updated signatures should be installed, and certbot should install without problems then. (It just did for me.)
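
The following script is an added example, not part of the thread and not UBOS code. It pulls the rejected packages and their signer out of pacman output like the transcripts above, then reads that signer's validity field from a `gpg --with-colons` dump of the pacman keyring, which separates an expired key from one that is present but not trusted or absent. The sample log and keyring records are constructed and the key ID is a placeholder.

```shell
# Added example. Sample data is constructed; the key ID is a placeholder.
# Print "package signer-email" once per package pacman rejected on trust grounds.
untrusted_signers() {
    awk 'match($0, /error: [^ ]+: signature from "[^"]*" is (unknown|marginal) trust/) {
        s = substr($0, RSTART, RLENGTH); split(s, f, " ")
        pkg = f[2]; sub(/:$/, "", pkg)
        mail = s; sub(/^.*</, "", mail); sub(/>.*$/, "", mail)
        if (!seen[pkg]++) print pkg, mail
    }'
}

# gpg --with-colons: pub field 2 = validity, 5 = key ID, 7 = expiry; uid field 10 = user ID.
key_validity() {
    awk -F: -v who="$1" '
        $1 == "pub" { id = $5; val = $2; expiry = $7; shown = 0 }
        $1 == "uid" && index($10, "<" who ">") && !shown { print id, val, expiry; shown = 1 }'
}

explain() {
    case "$1" in e) echo expired ;; r) echo revoked ;; f|u) echo trusted ;; *) echo untrusted ;; esac
}

# $1 = file with pacman output, $2 = file with the keyring dump.
triage() {
    log=$1 dump=$2
    untrusted_signers < "$log" | while read -r pkg mail; do
        keys=$(key_validity "$mail" < "$dump")
        [ -n "$keys" ] || { echo "$pkg $mail not-in-keyring"; continue; }
        echo "$keys" | while read -r id val expiry; do
            echo "$pkg $mail $id $(explain "$val")"
        done
    done
}

sample_log() { cat <<'EOF'
ERROR: Failed to install package(s): certbot-apache. Pacman says: error: python-mock: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: python-augeas: signature from "Eli Schwartz <eschwartz@archlinux.org>" is unknown trust
error: failed to commit transaction (invalid or corrupted package)
EOF
}
sample_keyring() { cat <<'EOF'
pub:e:4096:1:0000000000000001:1400000000:1544745600::-:::sc::::::23::0:
uid:e::::1400000000::0000::Eli Schwartz <eschwartz@archlinux.org>::::::::::0:
EOF
}

tmp=$(mktemp -d); sample_log > "$tmp/log"; sample_keyring > "$tmp/keys"
triage "$tmp/log" "$tmp/keys"; rm -rf "$tmp"
```

On an affected host the keyring dump would come from `gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys`, run as root.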
