Google Chrome install error even though everything is up to date

I did it, it says it is expired. I have 3.7.7 btw

merve@endless:~$ wget -nv https://ostree.endlessm.com/keys/eos-ostree-keyring.gpg
ERROR: The certificate of ‘ostree.endlessm.com’ is not trusted.
ERROR: The certificate of ‘ostree.endlessm.com’ has expired.
Then I searched around and saw one of the old comments of yours and tried that also;

merve@endless:~$ sudo flatpak remote-delete --force eos-apps
merve@endless:~$ wget -O /tmp/eos-flatpak-keyring.gpg https://ostree.endlessm.com/keys/eos-flatpak-keyring.gpg
--2021-10-21 00:29:03--  https://ostree.endlessm.com/keys/eos-flatpak-keyring.gpg
Resolving ostree.endlessm.com (ostree.endlessm.com)... 199.232.18.132
Connecting to ostree.endlessm.com (ostree.endlessm.com)|199.232.18.132|:443... connected.
ERROR: The certificate of ‘ostree.endlessm.com’ is not trusted.
ERROR: The certificate of ‘ostree.endlessm.com’ has expired.
merve@endless:~$ sudo flatpak remote-add --collection-id=com.endlessm.Apps --default-branch=eos3 --gpg-import=/tmp/eos-flatpak-keyring.gpg eos-apps https://ostree.endlessm.com/ostree/eos-apps
error: GPG: Unable to export keys: GPGME: No data
merve@endless:~$

@Merve_Algin could you try running this command and pasting the output back?

openssl s_client -connect ostree.endlessm.com:443 </dev/null

Also, the output from the following:

sudo ostree admin config-diff

Finally, could you upload the file /etc/ssl/certs/ca-certificates.crt? I think the issue is related to Let’s Encrypt, but I’m not sure why it’s a problem on your system.

Thanks but still says no such file in the directory :frowning: Just copy pasting below what happened;

  merve@endless:~$ openssl s_client -connect ostree.endlessm.com:443 </dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ostree.endlessm.com
verify return:1
---
Certificate chain
 0 s:CN = ostree.endlessm.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = ostree.endlessm.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4584 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6E642C3984FFF41ECB00F7DC98B1DC1D5AE803F91D5EBD097A59B7BA173FE3AE
    Session-ID-ctx: 
    Resumption PSK: 7C72695AEA1B937CEDF43900A103B6990566DB07D5509ABF7D4606B96C0A8EA18DBE3BEDD5C14338C02A8842784978A7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1634830622
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
merve@endless:~$ sudo ostree admin config-diff
M    localtime
M    mtab
M    avahi/services
M    cups
M    cups/ppd
M    cups/ssl
M    eos-google-chrome-helper/eos-google-chrome-helper.conf
M    metrics
M    metrics/eos-metrics-permissions.conf
M    subuid
M    subgid
M    timezone
M    passwd
M    machine-id
M    group
M    shadow
M    gshadow
M    fake-hwclock.data
A    NetworkManager/system-connections/Tech_D3737987.nmconnection
A    cups/subscriptions.conf.O
A    cups/subscriptions.conf
A    default/keyboard
A    metrics/location.conf
A    metrics/cache-size.conf
A    resolv.conf
A    .updated
A    gshadow-
A    shadow-
A    subuid-
A    subgid-
A    vconsole.conf
A    group-
A    passwd-

Don’t see anything wrong in the openssl output :frowning:

I have modified the commands in the support article to ignore the error when fetching the new certificates, please run:

cd
wget -nv --no-check-certificate https://ostree.endlessm.com/keys/eos-ostree-keyring.gpg
wget -nv --no-check-certificate https://ostree.endlessm.com/keys/eos-flatpak-keyring.gpg
sudo ostree remote gpg-import -k eos-ostree-keyring.gpg eos
sudo ostree remote gpg-import -k eos-ostree-keyring.gpg eos-runtimes
sudo ostree remote gpg-import -k eos-flatpak-keyring.gpg eos-apps
sudo ostree remote gpg-import -k eos-flatpak-keyring.gpg eos-sdk

Thanks for your patience.

This is an issue with gnutls that’s fixed in EOS 3.8 and newer. So, you’re kind of in a bind until you can get an OS upgrade. Both ostree and wget use gnutls rather than openssl.

I haven’t tested this yet, but I think this should work. First, pull the OS upgrade while temporarily using the http:// URL rather than the https:// URL:

sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/amd64/eos3a

Now just do the upgrade without trying to pull the OS again:

sudo ostree admin upgrade --deploy-only

I haven’t tested this step yet. After that you’d reboot into the new OS where gnutls doesn’t have this bug.

The other way is just to edit the URLs in /ostree/repo/config to use http://ostree.endlessm.com, but you’d really want to change that back later after rebooting into the upgraded OS.
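Added example, not part of the thread: the `openssl s_client` output posted above verifies OK, yet the chain the server sent ends with ISRG Root X1 cross-signed by DST Root CA X3, a root that expired on 30 September 2021. OpenSSL stops at the ISRG Root X1 already in the local trust store, while older GnuTLS builds follow the sent chain to the expired root and reject it. The helper names below are hypothetical; the sample input is the chain block copied from the output in this thread.

```shell
#!/bin/sh
# Inspect the "Certificate chain" block of `openssl s_client` output on stdin.
# Live use: openssl s_client -connect ostree.endlessm.com:443 </dev/null 2>/dev/null | ends_in_dst_root_x3

# Print the issuer (i:) of the last certificate the server sent.
chain_top_issuer() {
    awk '
        /^Certificate chain/  { in_chain = 1; next }
        in_chain && /^---/    { in_chain = 0 }
        in_chain && /^ +i:/   { sub(/^ +i:/, ""); last = $0 }
        END { print last }
    '
}

# Print how many certificates the server sent.
chain_length() {
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        in_chain && /^---/          { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/  { n++ }
        END { print n + 0 }
    '
}

# Exit 0 when the sent chain tops out at the DST Root CA X3 cross-sign.
ends_in_dst_root_x3() {
    case "$(chain_top_issuer)" in
        *"DST Root CA X3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Chain block as posted in the thread (OpenSSL 1.1.x formatting).
sample_chain() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = ostree.endlessm.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

if sample_chain | ends_in_dst_root_x3; then
    echo "chain of $(sample_chain | chain_length) certs ends at: $(sample_chain | chain_top_issuer)"
fi
```

A match means the failure comes from how the client builds the path, not from the server certificate itself, so signature verification (the GPG check ostree performs on each commit) is the integrity control still in effect when transport validation is bypassed.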

I have tried both of your suggestions, still says “Unacceptable TLS certificate” when I try to update. I am frustrated at this point… Thanks for the help anyway

I just tested out the steps on a cleanly installed 3.7.7 and they work as expected, yielding a working 3.9.5 after the two steps.

Sorry to hear that :frowning:

Were there any errors when you ran the commands?

So this is the result;

merve@endless:~$ sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/amd64/eos3a


GPG: Verification enabled, found 2 signatures:

  Signature made Fri 02 Jul 2021 10:05:16 PM +03 using RSA key ID 9E08D8DABA02FC46
  Good signature from "EOS OSTree Signing Key 1 <maintainers@endlessm.com>"
  Key expires Sat 30 Jun 2029 07:18:11 PM +03

  Signature made Fri 02 Jul 2021 10:05:16 PM +03 using RSA key ID FCF17B17F1F8E157
  Can't check signature: public key not found
1 metadata, 0 content objects fetched; 1 KiB transferred in 1 seconds           
merve@endless:~$ sudo ostree admin upgrade --deploy-only

No update available.
merve@endless:~$

Also this happened;

merve@endless:~$ cd
merve@endless:~$ wget -nv --no-check-certificate https://ostree.endlessm.com/keys/eos-ostree-keyring.gpg
WARNING: The certificate of ‘ostree.endlessm.com’ is not trusted.
WARNING: The certificate of ‘ostree.endlessm.com’ has expired.
2021-10-25 11:26:09 URL:https://ostree.endlessm.com/keys/eos-ostree-keyring.gpg [1189/1189] -> "eos-ostree-keyring.gpg" [1]
merve@endless:~$ wget -nv --no-check-certificate https://ostree.endlessm.com/keys/eos-flatpak-keyring.gpg
WARNING: The certificate of ‘ostree.endlessm.com’ is not trusted.
WARNING: The certificate of ‘ostree.endlessm.com’ has expired.
2021-10-25 11:26:28 URL:https://ostree.endlessm.com/keys/eos-flatpak-keyring.gpg [1190/1190] -> "eos-flatpak-keyring.gpg" [1]
merve@endless:~$ sudo ostree remote gpg-import -k eos-ostree-keyring.gpg eos
Imported 0 GPG keys to remote "eos"
merve@endless:~$ sudo ostree remote gpg-import -k eos-ostree-keyring.gpg eos-runtimes
Imported 0 GPG keys to remote "eos-runtimes"
merve@endless:~$ sudo ostree remote gpg-import -k eos-flatpak-keyring.gpg eos-apps
Imported 0 GPG keys to remote "eos-apps"
merve@endless:~$ sudo ostree remote gpg-import -k eos-flatpak-keyring.gpg eos-sdk
Imported 0 GPG keys to remote "eos-sdk"
merve@endless:~$ sudo ostree admin upgrade

error: Unacceptable TLS certificate

Are you already at 3.9.5 at this moment? The message with “No update available” should only appear then.

Regarding the TLS certificate and “0 keys imported”. This means also that the new keys are already there. I know that this doesn’t help you, but just wanted to point it out for other readers in case they have some idea.

@dan, @Daniel
Any further ideas in this case?

Nope, still 3.7.7…


Can you please give me the output of

ostree admin status

Sorry for the trouble as we work through this situation.

Please try these commands, and again show the output if they don’t work.

sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/nexthw/eos3.7
sudo ostree admin upgrade --deploy-only

Mine isn't working either, and it's giving this

@Emily_Aparecida please follow these steps:

sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/nexthw/eos3.6
sudo ostree admin upgrade --deploy-only

After that, running ostree admin status should have 2 listings. One should say Version: 3.9.5. When you reboot you’ll be in the new OS version and everything should work again.


I managed to do it, thank you very much

merve@endless:~$ ostree admin status
* eos c8f12844bb99ca4663b02140b619a1cfd25eb60e28e5b1f11d32a0d586fb3c32.0
    Version: 3.7.7-nexthw1~200224-041440
    origin refspec: eos:os/eos/nexthw/eos3.7
    GPG: Signature made Mon 24 Feb 2020 07:44:11 AM +03 using RSA key ID 9E08D8DABA02FC46
    GPG: Good signature from "EOS OSTree Signing Key 1 <maintainers@endlessm.com>"
    GPG: Key expires Sat 30 Jun 2029 07:18:11 PM +03
    GPG: Signature made Mon 24 Feb 2020 07:44:14 AM +03 using RSA key ID FCF17B17F1F8E157
    GPG: Can't check signature: public key not found

Thanks Dan, still not updating tho

merve@endless:~$ sudo ostree pull --url=http://ostree.endlessm.com/ostree/eos eos os/eos/nexthw/eos3.7


GPG: Verification enabled, found 2 signatures:

  Signature made Tue 05 May 2020 09:35:46 AM +03 using RSA key ID 9E08D8DABA02FC46
  Good signature from "EOS OSTree Signing Key 1 <maintainers@endlessm.com>"
  Key expires Sat 30 Jun 2029 07:18:11 PM +03

  Signature made Tue 05 May 2020 09:35:48 AM +03 using RSA key ID FCF17B17F1F8E157
  Can't check signature: public key not found
3 metadata, 0 content objects fetched; 1 KiB transferred in 1 seconds           
merve@endless:~$ sudo ostree admin upgrade --deploy-only

Copying /etc changes: 18 modified, 0 removed, 15 added
Bootloader updated; bootconfig swap: yes; deployment count change: 1
Freed objects: 72.5 MB
merve@endless:~$ sudo ostree admin upgrade

error: Unacceptable TLS certificate