The error messages clearly indicate a system-wide certificate verification failure, where APT cannot verify the authenticity of repository servers. This typically occurs when:
- System CA certificates are missing or corrupted
- SSL/TLS libraries are misconfigured
- Third-party software (like VPN clients) modified system trust stores
For temporary testing (not production), you could bypass certificate checks:
sudo apt-get update -o Acquire::https::Verify-Peer=false -o Acquire::https::Verify-Host=false
Warning: This disables all SSL verification and exposes you to MITM attacks.
The most reliable fix is to reinstall the certificate package:
sudo apt-get install --reinstall ca-certificates
sudo update-ca-certificates --fresh
sudo apt-get update
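If the above fails, try manually downloading the root certificates (the commands below fetch them from Let's Encrypt; note that DST Root CA X3 expired in September 2021, so only ISRG Root X1 is still useful):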
sudo wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
sudo wget -O /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt https://letsencrypt.org/certs/dst-root-ca-x3.pem
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
For problematic repositories like Docker or Google Chrome, you may need to re-import the repository signing keys:
# For Google repositories
sudo apt-get install -y wget
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
# For Microsoft repositories
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
To diagnose specific repository issues:
openssl s_client -connect dl.google.com:443 -showcerts < /dev/null
openssl s_client -connect packages.microsoft.com:443 -showcerts < /dev/null
Check for "Verify return code: 0 (ok)" in the output.
Create a backup of your certificates:
sudo tar -czvf /root/ca-cert-backup.tar.gz /etc/ssl/certs /usr/share/ca-certificates
And consider using a dedicated VPN profile that doesn't modify system certificates.
For development environments with custom CAs:
# Create custom certs directory
sudo mkdir -p /usr/local/share/ca-certificates/extra
# Place your custom CA certs here (PEM format)
sudo cp your-ca-cert.pem /usr/local/share/ca-certificates/extra/
# Update system store
sudo update-ca-certificates
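To check whether third-party software such as a VPN client has altered the trust store, the following added example (not part of the original page) lists entries in /etc/ssl/certs that do not resolve to a root shipped by the ca-certificates package. The function names, the status labels and the `--live` switch are assumptions of this example, and it relies on GNU `readlink -f`.

```shell
#!/bin/sh
# Added example: report entries in a Debian/Ubuntu trust directory that do not
# resolve to a root shipped by the ca-certificates package.
# Assumed layout: packaged roots under /usr/share/ca-certificates, admin-added
# roots under /usr/local/share/ca-certificates, symlinked from /etc/ssl/certs.

canon() {  # canonical path; falls back to the input if it cannot be resolved
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

audit_trust_dir() {
    dir=${1:-/etc/ssl/certs}
    pkg_root=$(canon "${2:-/usr/share/ca-certificates}")
    local_root=$(canon "${3:-/usr/local/share/ca-certificates}")
    for entry in "$dir"/*; do
        name=${entry##*/}
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            # Link whose target is gone, e.g. a root removed behind APT's back.
            echo "DANGLING $name -> $(readlink "$entry")"
        elif [ -L "$entry" ]; then
            target=$(canon "$entry")
            case $target in
                "$pkg_root"/*)   ;;   # shipped by ca-certificates: expected
                "$local_root"/*) echo "LOCAL $name -> $target" ;;
                *)               echo "FOREIGN $name -> $target" ;;
            esac
        elif [ -f "$entry" ] && [ "$name" != "ca-certificates.crt" ]; then
            # Regular file written straight into the directory, bypassing
            # update-ca-certificates (the generated bundle itself is exempt).
            echo "UNMANAGED $name"
        fi
    done
    return 0
}

# Run against the live store only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_trust_dir; fi
```

LOCAL entries are roots an administrator added deliberately and should match what you expect; FOREIGN, UNMANAGED and DANGLING entries are the ones to investigate before trusting the store again.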
When you're seeing certificate verification errors across multiple repositories like Google Chrome, WineHQ, Docker, and NVIDIA CUDA during apt-get update, it typically means your system's CA certificates bundle has been compromised or removed. The Check Point VPN software installation likely overwrote or corrupted your system's certificate store.
First, let's verify if the core certificate packages are intact:
dpkg -l | grep -E 'ca-certificates|openssl'
If either package is missing or not marked as "ii" (installed), we need to proceed with restoration.
1. Reinstall CA Certificates Offline
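Since HTTPS connections are failing due to certificate issues, download the package from Ubuntu's main archive (served over plain HTTP by default, so it does not depend on the certificate store) and install it with dpkg: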
sudo apt-get download ca-certificates
sudo dpkg -i --force-overwrite ca-certificates*.deb
2. Force Refresh the Certificate Store
After reinstalling, update the certificates:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
3. Temporary Workaround for Critical Updates
For absolutely essential updates while fixing, you can temporarily let APT use repositories it cannot authenticate (use cautiously):
sudo apt-get -o Acquire::AllowInsecureRepositories=true update
sudo apt-get -o Acquire::AllowInsecureRepositories=true install --fix-broken
Some repositories need special handling. For example, Microsoft's repositories:
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo apt-add-repository https://packages.microsoft.com/ubuntu/20.04/prod
For Docker:
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
After addressing the certificates, perform a complete system repair:
sudo apt-get update
sudo apt-get install --reinstall ca-certificates openssl
sudo apt-get dist-upgrade
sudo update-ca-certificates
Create a backup of your certificates:
sudo tar czvf /root/ca-certificates-backup.tar.gz /etc/ssl/certs /usr/share/ca-certificates /etc/ca-certificates.conf
Consider using a configuration management tool like Ansible to maintain certificate integrity:
- name: Ensure CA certificates are intact
  apt:
    name: ca-certificates
    state: latest
    force: yes