Debian Packages Not Trusted, APT Linux

scottalanmiller

When doing an "apt update", getting this error on Debian 11 Bullseye..

The repository 'http://ftp.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

We have the GPG keys, and the initial install was fine. This is a system that has been in production for a while. How do we get it to accept these repos?

1337

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

When doing an "apt update", getting this error on Debian 11 Bullseye..

The repository 'http://ftp.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

We have the GPG keys, and the initial install was fine. This is a system that has been in production for a while. How do we get it to accept these repos?

It's not hard to get past that message. But the real question is why you get it. Something has to be wrong.

1337

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

When doing an "apt update", getting this error on Debian 11 Bullseye..

The repository 'http://ftp.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

We have the GPG keys, and the initial install was fine. This is a system that has been in production for a while. How do we get it to accept these repos?

It's not hard to get past that message. But the real question is why you get it. Something has to be wrong.

Maybe it's because Bullseye is stable now.

What does /etc/apt/sources.list look like?

scottalanmiller

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

When doing an "apt update", getting this error on Debian 11 Bullseye..

The repository 'http://ftp.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

We have the GPG keys, and the initial install was fine. This is a system that has been in production for a while. How do we get it to accept these repos?

It's not hard to get past that message. But the real question is why you get it. Something has to be wrong.

Maybe it's because Bullseye is stable now.

What does /etc/apt/sources.list look like?

I don't think so. I have scores of these servers with the same package list. But most don't have this issue.

1337

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

When doing an "apt update", getting this error on Debian 11 Bullseye..

The repository 'http://ftp.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

We have the GPG keys, and the initial install was fine. This is a system that has been in production for a while. How do we get it to accept these repos?

It's not hard to get past that message. But the real question is why you get it. Something has to be wrong.

Maybe it's because Bullseye is stable now.

What does /etc/apt/sources.list look like?

I don't think so. I have scores of these servers with the same package list. But most don't have this issue.

It's also strange that you have ftp.debian.org as repository when deb.debian.org should be the default.

If you use the latter you will be fetching files over a CDN.

scottalanmiller

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

When doing an "apt update", getting this error on Debian 11 Bullseye..

The repository 'http://ftp.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

We have the GPG keys, and the initial install was fine. This is a system that has been in production for a while. How do we get it to accept these repos?

It's not hard to get past that message. But the real question is why you get it. Something has to be wrong.

Maybe it's because Bullseye is stable now.

What does /etc/apt/sources.list look like?

I don't think so. I have scores of these servers with the same package list. But most don't have this issue.

It's also strange that you have ftp.debian.org as repository when deb.debian.org should be the default.

If you use the latter you will be fetching files over a CDN.

oh, good point. ftp works elsewhere and is provided by ProxMox, but I'll check that.

1337

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

When doing an "apt update", getting this error on Debian 11 Bullseye..

The repository 'http://ftp.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

We have the GPG keys, and the initial install was fine. This is a system that has been in production for a while. How do we get it to accept these repos?

It's not hard to get past that message. But the real question is why you get it. Something has to be wrong.

Maybe it's because Bullseye is stable now.

What does /etc/apt/sources.list look like?

I don't think so. I have scores of these servers with the same package list. But most don't have this issue.

It's also strange that you have ftp.debian.org as repository when deb.debian.org should be the default.

If you use the latter you will be fetching files over a CDN.

I wonder if this is a clean bullseye (debian 11) install or has it been updated from buster or earlier?

scottalanmiller

Updated, but same issue...

deb http://db.debian.org/debian bullseye main contrib
deb http://deb.debian.org/debian bullseye-updates main contrib

# PVE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription

# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib

1337

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

Updated, but same issue...

deb http://db.debian.org/debian bullseye main contrib
deb http://deb.debian.org/debian bullseye-updates main contrib

# PVE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription

# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib

Ah, it's proxmox. If I remember correctly they started to use Debian 11 before it became Debian stable. It should probably not matter though.

When I look at debian gpg keys (apt-key list) on Debian 11 in front of me, it looks like this:

Do you have the same three Bullseye keys?

1337

You should probably check that you can get to the repository at all from that machine. It could potentially be a repository problem.

For example using wget or curl fetch this file:
http://deb.debian.org/debian/dists/bullseye-updates/InRelease

It's the first file that apt is trying to fetch.

1337

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

deb http://deb.debian.org/debian bullseye-updates main contrib

If you just want to get past the error, you can change the above line to:

deb [trusted=yes] http://deb.debian.org/debian/dists/bullseye-updates/InRelease

I think you might end up with another error instead though. Because I don't think it's the actual problem.

scottalanmiller

@Pete-S said in Debian Packages Not Trusted, APT Linux:

http://deb.debian.org/debian/dists/bullseye-updates/InRelease

YOu are right, it's blocked. I get a 403 error on that machine. But not on others!

scottalanmiller

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

deb http://deb.debian.org/debian bullseye-updates main contrib

If you just want to get past the error, you can change the above line to:

deb [trusted=yes] http://deb.debian.org/debian/dists/bullseye-updates/InRelease

I think you might end up with another error instead though. Because I don't think it's the actual problem.

Right, I think that the CDN is blocking this for some reason.

1337

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

deb http://deb.debian.org/debian bullseye-updates main contrib

If you just want to get past the error, you can change the above line to:

deb [trusted=yes] http://deb.debian.org/debian/dists/bullseye-updates/InRelease

I think you might end up with another error instead though. Because I don't think it's the actual problem.

Right, I think that the CDN is blocking this for some reason.

Go to the bottom of the page and you'll find all official debian mirrors all over the world.
https://www.debian.org/mirror/list

Pick a mirror and see if you can access the InRelease file from the server. Then you can change the /etc/apt/sources.list and then run apt update again.

scottalanmiller

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

@Pete-S said in Debian Packages Not Trusted, APT Linux:

@scottalanmiller said in Debian Packages Not Trusted, APT Linux:

deb http://deb.debian.org/debian bullseye-updates main contrib

If you just want to get past the error, you can change the above line to:

deb [trusted=yes] http://deb.debian.org/debian/dists/bullseye-updates/InRelease

I think you might end up with another error instead though. Because I don't think it's the actual problem.

Right, I think that the CDN is blocking this for some reason.

Go to the bottom of the page and you'll find all official debian mirrors all over the world.
https://www.debian.org/mirror/list

Pick a mirror and see if you can access the InRelease file from the server. Then you can change the /etc/apt/sources.list and then run apt update again.

Yup, I grabbed one manually and it "just worked". It's something broken in the mirrors!!

scottalanmiller

Thanks, we are up and running again!