The certificate for deb.nodesource seems to be expired #1266

Closed
caioaamaral opened this issue Sep 30, 2021 · 154 comments · Fixed by canonical/react-components#607

Comments

@caioaamaral

- Environment: Docker (ubuntu:bionic image)

- Issue: When trying to install Node.js v14.x following these instructions, it fails during apt-get update:

## Confirming "bionic" is supported...

+ curl -sLf -o /dev/null 'https://deb.nodesource.com/node_14.x/dists/bionic/Release'

## Adding the NodeSource signing key to your keyring...

+ curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | tee /usr/share/keyrings/nodesource.gpg >/dev/null

## Creating apt sources list file for the NodeSource Node.js 14.x repo...

+ echo 'deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_14.x bionic main' > /etc/apt/sources.list.d/nodesource.list
+ echo 'deb-src [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_14.x bionic main' >> /etc/apt/sources.list.d/nodesource.list

## Running `apt-get update` for you...

+ apt-get update
Ign:1 https://deb.nodesource.com/node_14.x bionic InRelease
Err:2 https://deb.nodesource.com/node_14.x bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 201.0.222.9 443]
Hit:3 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:5 http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu bionic InRelease
Hit:6 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:8 https://packagecloud.io/github/git-lfs/ubuntu bionic InRelease
Reading package lists...
E: The repository 'https://deb.nodesource.com/node_14.x bionic Release' does not have a Release file.
Error executing command, exiting
The command '/bin/bash -o pipefail -c curl -fsSL https://deb.nodesource.com/setup_14.x | bash - &&   apt-get install -y --no-install-recommends nodejs &&   npm i -g xunit-viewer &&   rm -rf /var/lib/apt/lists/*' returned a non-zero code: 1


@snowman2

snowman2 commented Sep 30, 2021

Same for RPM:

$ curl -fsSL https://rpm.nodesource.com/setup_12.x | bash -
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

UPDATE: Fixed with yum update ca-certificates

@vguaglione

Same

@frostme

frostme commented Sep 30, 2021

same issue as well

@igsu
Contributor

igsu commented Sep 30, 2021

We are aware of the situation and are actively working to fix it, thank you for your patience.

@d10sfan

d10sfan commented Sep 30, 2021

Same issue here, I was able to fix a similar problem on my own server with the following command:

sudo certbot certonly --nginx -d [domain] --dry-run --preferred-chain="ISRG Root X1"

That was from here: https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/283

@FlorentMasson

FlorentMasson commented Sep 30, 2021

On the client (Ubuntu), doing this prior to install allowed me to pass through the certificate error:
sudo apt install ca-certificates

Edit: might need apt update first

@ubugnu

ubugnu commented Sep 30, 2021

The "September 30" syndrome?

@emzeidan

On the client, doing this prior to install allowed me to pass through the certificate error: sudo apt install ca-certificates

Unfortunately that did not work in my case since I was already at latest.

@afshinm

afshinm commented Sep 30, 2021

curl -fsSLk https://rpm.nodesource.com/setup_12.x | bash - could be a good short-term solution (-k disables the client-side SSL verification).

@nandonespolo

apt update not working, same issue:
Creating gitversion file
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease
Get:3 http://deb.debian.org/debian stretch-updates InRelease [93.6 kB]
Get:4 http://deb.debian.org/debian stretch Release [118 kB]
Get:5 http://deb.debian.org/debian stretch Release.gpg [3177 B]
Get:6 https://download.docker.com/linux/debian stretch InRelease [44.8 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [718 kB]
Ign:8 https://deb.nodesource.com/node_10.x stretch InRelease
Err:9 https://deb.nodesource.com/node_10.x stretch Release
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Get:10 http://deb.debian.org/debian stretch/main amd64 Packages [7080 kB]
Get:11 https://download.docker.com/linux/debian stretch/stable amd64 Packages [15.9 kB]
Reading package lists...
E: The repository 'https://deb.nodesource.com/node_10.x stretch Release' does no longer have a Release file.

@dgarbus

dgarbus commented Sep 30, 2021

For Debian buster, updating the libgnutls30 package appears to fix the certificate verification.

apt-get update; apt-get install libgnutls30

@gonzaloaune

Along with this problem, if I bypass the SSL problem, still I can't install in Amazon Linux 1 getting an error like:

## Your distribution, identified as "system-release-2018.03-0.2.noarch", is not currently supported, please contact NodeSource at https://github.com/nodesource/distributions/issues if you think this is incorrect or would like your distribution to be considered for support

Whereas it was working 2 hours ago.

@needcaffeine

Same. I got past the SSL issue with curl -fsSLk http://deb.nodesource.com/setup_12.x | bash but now I see:

## Your distribution, identified as "stretch", is not currently supported, please contact NodeSource at https://github.com/nodesource/distributions/issues if you think this is incorrect or would like your distribution to be considered for support

@victorlcampos

@gonzaloaune,
same here

Problem with Amazon Linux 1

@uberdog

uberdog commented Sep 30, 2021

@dgarbus 's solution above (install libgnutls30) worked for me on Debian Stretch.

@ProfessorLaw

Hello there.
Updating ca-certificates on my base Docker image fixed the issue in my pipelines.
Hope this helps!

@drochgenius

For Debian buster, updating the libgnutls30 package appears to fix the certificate verification.

apt-get update; apt-get install libgnutls30

This solution worked for us.

@kronion

kronion commented Sep 30, 2021

For those wondering why updating ca-certificates solves the problem, the old Let's Encrypt root certificate expired, and you need to download a new one.

In an up-to-date browser, you should be able to load this page without a problem: https://deb.nodesource.com/setup_12.x
But not on a server with out-of-date certificates:

$ curl https://deb.nodesource.com/setup_12.x
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

@simneu

simneu commented Sep 30, 2021

Following this exact message (removing the bad cert and forcing Ubuntu to update CA certificates) hotfixed the issue and saved the night for us (Xenial): https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/324

@gtoews

gtoews commented Sep 30, 2021

getting buster not supported upon installing any NodeSource repo

@quincy

quincy commented Sep 30, 2021

I saw this from a docker build. I added this as a workaround so apt update would work again.

RUN apt-get update ; apt-get install ca-certificates \
    && apt-get update \
    && apt-get install -y \
...

@nicolai-petrov-venngage

As a temp solution, this works on Ubuntu 20:

$ curl -s http://deb.nodesource.com/gpgkey/nodesource.gpg.key | sudo apt-key add -
$ sudo sh -c "echo deb http://deb.nodesource.com/node_14.x focal main > /etc/apt/sources.list.d/nodesource.list"
$ sudo apt-get update
$ sudo apt-get install nodejs

I hope it will work for other distros and Node versions.
HTTP, not HTTPS.

@Ranarxhag

Any solution for Amazon Linux 2? :) I still have the certificate issue, and when I try to bypass it, I have the following message:
Your distribution, identified as "system-release-2-12.amzn2.x86_64", is not currently supported, please contact NodeSource at https://github.com/nodesource/distributions/issues if you think this is incorrect or would like your distribution to be considered for support

@YurkaninRyan

I'm working through this right now, but you have to set up a .curlrc to set the -k flag on all curl calls because the script that ends up running also ends up making a curl call to the nodesource domain

@spkane

spkane commented Sep 30, 2021

In my image build workflow, I was able to workaround it like this:

# Workaround for: https://github.com/nodesource/distributions/issues/1266
mv /etc/apt/sources.list.d/nodesource.list /etc/apt/sources.list.d/nodesource.list.disabled
apt-get update
apt-get -y upgrade
apt-get  install -y \
    ca-certificates \
    libgnutls30 
mv /etc/apt/sources.list.d/nodesource.list.disabled /etc/apt/sources.list.d/nodesource.list

@rogerd330

rogerd330 commented Sep 30, 2021

This was causing BitBucket pipelines to fail and the following changes seem to have fixed it:

Original steps:
- curl -sL https://deb.nodesource.com/setup_12.x | bash -
- apt-get install -y nodejs

New Steps:
- apt-get update
- apt-get install -y ca-certificates libgnutls30
- echo '-k' > ~/.curlrc
- curl -sL https://deb.nodesource.com/setup_12.x | bash -
- apt-get install -y nodejs

@XuehaiPan

XuehaiPan commented Oct 8, 2021

Translated from tuna/issues#1342 (comment):

This is because LE's previous cross-root DST Root CA X3 expired at 22:00 on September 30. Please follow the table to upgrade the corresponding package to repair:

Ubuntu version openssl gnutls ca-certificates
Precise(12.04) Officially won't fix
Trusty (14.04) Please wait for the official fix Officially won't fix
Xenial (16.04) libssl1.0.0 1.0.2g-1ubuntu4.20 or later libgnutls30 3.4.10-4ubuntu1.9 or later ca-certificates 20210119~16.04.1 or later
Bionic (18.04) libgnutls30 3.5.18-1ubuntu1.5 or later ca-certificates 20210119~18.04.2 or later
Focal (20.04) Please wait for the official fix ca-certificates 20210119~20.04.2 or later
Debian version openssl gnutls ca-certificates
Stretch libssl1.0.0 1.0.2u-1~deb9u5 or later libgnutls30 3.5.8-5+deb9u6 or later
Buster libgnutls30 3.6.7-4+deb10u5 or later
RHEL/CentOS version ca-certificates
8 ca-certificates-2021.2.50-80.0.el8_4 or later
7 ca-certificates-2021.2.50-72.el7_9 or later
6 ca-certificates-2021.2.50-60.1.el6_10 or later

If you have difficulty obtaining the software package, you can use the following commands (from RHEL/CentOS 7 Fix for Let’s Encrypt Change) to temporarily fix the problem:

trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
sudo update-ca-trust extract

Possible solutions:

  1. update package openssl / gnutls / ca-certificates:
     sudo apt update
     sudo apt install libgnutls30 ca-certificates
     sudo update-ca-certificates
  2. use HTTP rather than HTTPS in sources:
     sudo sed -i 's|https://|http://|' /etc/apt/sources.list.d/nodesource.list  # at your own peril!

     sudo sed -i 's|http://|https://|' /etc/apt/sources.list.d/nodesource.list  # change back
  3. blacklist the root certificate (by RHEL/CentOS 7 Fix for Let’s Encrypt Change):
     trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
     sudo update-ca-trust extract
  4. disable APT CA check (by The certificate for deb.nodesource seems to be expired #1266 (comment)):
     echo "Acquire::https::Verify-Peer false;" | sudo tee -a /etc/apt/apt.conf.d/80ssl-exceptions  # at your own peril!
     echo "Acquire::https::Verify-Host false;" | sudo tee -a /etc/apt/apt.conf.d/80ssl-exceptions

     sudo rm -f /etc/apt/apt.conf.d/80ssl-exceptions  # change back
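
Several workarounds in this thread (HTTP sources, `Verify-Peer false`, `-k` in `~/.curlrc`) are meant to be changed back, so the following checks an image or host for ones that were left in place. This is an added example, not code from the thread or from NodeSource; the function name `audit_tls_workarounds`, the `HTTPS_ONLY_HOSTS` variable and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report TLS-verification workarounds
# (of the kinds posted above) that were left in place under a root dir.
# Prints one "path: finding" line per hit; returns 1 if anything was found.

# Assumption: repo hosts that should only ever be fetched over HTTPS.
HTTPS_ONLY_HOSTS='deb\.nodesource\.com'

audit_tls_workarounds() {   # hypothetical helper name
    root=${1:-}             # empty means the live system (/)
    hits=0

    # APT peer/host verification switched off; // and # comment lines skipped
    for f in "$root"/etc/apt/apt.conf "$root"/etc/apt/apt.conf.d/*; do
        [ -f "$f" ] || continue
        if grep -Ev '^[[:space:]]*(//|#)' "$f" |
           grep -Eiq 'Verify-(Peer|Host)[[:space:]]+"?false'; then
            echo "$f: APT HTTPS certificate verification disabled"
            hits=$((hits + 1))
        fi
    done

    # Repository entry rewritten from https:// to http://
    for f in "$root"/etc/apt/sources.list "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*deb(-src)?[[:space:]].*http://$HTTPS_ONLY_HOSTS" "$f"; then
            echo "$f: repository downgraded to plain HTTP"
            hits=$((hits + 1))
        fi
    done

    # -k / --insecure / insecure in a curlrc applies to every curl call
    for f in "$root"/root/.curlrc "$root"/home/*/.curlrc; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*(-k|(--)?insecure)([[:space:]]|$)' "$f"; then
            echo "$f: curl certificate verification disabled globally"
            hits=$((hits + 1))
        fi
    done

    [ "$hits" -eq 0 ]
}

# Demo on a constructed tree (all sample files are made up for this example).
demo=$(mktemp -d)
mkdir -p "$demo/etc/apt/apt.conf.d" "$demo/etc/apt/sources.list.d" "$demo/root"
echo 'Acquire::https::Verify-Peer false;' > "$demo/etc/apt/apt.conf.d/80ssl-exceptions"
echo 'deb http://deb.nodesource.com/node_14.x focal main' > "$demo/etc/apt/sources.list.d/nodesource.list"
printf '%s\n' '-k' > "$demo/root/.curlrc"
audit_tls_workarounds "$demo" || echo "leftover workarounds found"
rm -rf "$demo"
```

Run with no argument to check the live system, or pass the root of an unpacked image; the non-zero return makes it usable as a CI gate.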

@igsu
Contributor

igsu commented Oct 11, 2021

FYI
https://nsrc.io/3BpQXPB

@joshxyzhimself

FYI https://nsrc.io/3BpQXPB

Hi @igsu thanks for the update.

The article reads like a solution was found but it could and could not work.

  1. Are there steps us users can do to check if we are using the correct trust chain?
  2. Are there manual steps we can take to acquire and use the correct trust chain if we ended up getting the incorrect one?
  3. The problem reads like it's an Akamai CDN thing (is it?), can this problem be resolved without going through Akamai if it reoccurs?
  4. Are there alternative sources other than nodesource that we can rely on if this happens again in the future? (other than compiling node from source lol)

Sorry if lots of questions, just really curious, thank you 🙌

@sonerdm

sonerdm commented Oct 12, 2021

I put the below part right after base image installation and it worked for me:
RUN apt-get update && apt-get -y upgrade

@jmorris-dev

We are aware of the situation and are actively working to fix it, thank you for your patience.

It's now November, this gave me significant difficulty upgrading a non-supported Ubuntu version, when is this going to be fixed?

@mathieujobin

Anyone has a solution for Mac OSX 10.10 and 10.11?

Thanks

@quite

quite commented Nov 17, 2021

Looks like the cert is fixed now?

@igsu igsu closed this as completed Nov 24, 2021
@igsu
Contributor

igsu commented Nov 24, 2021

Closing this, should be fixed now.

rodrigo-techera pushed a commit to Experience-Monks/tutorials that referenced this issue Nov 29, 2021
By installing newer version of `libgnutls30` that contains a root cert
update
See nodesource/distributions#1266 (comment)
@jahagirdar

On Linux mint

DISTRO="$(lsb_release -s -c)"

i.e. DISTRO=uma

Does not work,
Setting DISTRO=focal works

lsb_release -a                                                                                              ✘ 130 
LSB Version:    core-11.1.0ubuntu2-noarch:printing-11.1.0ubuntu2-noarch:security-11.1.0ubuntu2-noarch
Distributor ID: Linuxmint
Description:    Linux Mint 20.2
Release:        20.2
Codename:       uma

@Tectract

HALP.

Cannot add PPA: '"Error reading https://launchpad.net/api/1.0/~oibaf/+archive/graphics-drivers: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')"'.

This seems to have broken all launchpad PPAs for me. What do I do to fix it???

@mathieujobin

@Tectract Don't use https for PPA

@AndrewRPorter

This seems to be happening again: https://deb.nodesource.com/node_16.x/pool/

@PvanHengel

Hi... reopen this issue? seems it's expired again?

@daneren2005

daneren2005 commented Jan 31, 2023

Hi... reopen this issue? seems it's expired again?

Someone already opened a new issue: #1507

@Cheewbacca

Hi... reopen this issue? seems it's expired again?

Same for me

@kyasui

kyasui commented Jan 31, 2023

Same here.

@gabrielcandrade

gabrielcandrade commented Jan 31, 2023

Guys, you just need to update the ca-certificates on the machine. The old certificate became untrusted; when it's updated, the error vanishes:

If you are using AMI Linux 2:

sudo yum update ca-certificates

If you are using Ubuntu:

sudo apt update -y
sudo apt install libgnutls30 ca-certificates -y
sudo update-ca-certificates

@A-Unix

A-Unix commented Jul 25, 2023

For Kali Linux users, try this:

cd /etc/apt/sources.list.d
After that, type ls and find the list added there. Then you need to delete that list from the directory; you can use this command for that: rm -r <list-name>

It worked for me.

Try updating your Kali Linux again: apt update && apt dist-upgrade -y

Hope this helps.
