I was updating my boxes as usual when I encountered an error when trying to run updates on my unifi controller. This lives on a slightly older box (I tried upgrading it at one point and not all the dependencies were supported yet on the newer version), and I ran into an error when running the apt commands. One of the keys was expired for a component needed by the controller. So lets figure out how to update that key so we can update the box once more.
root@unifi:/home/administrator# apt-get update
Hit:2 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:1 http://dl.ubnt.com/unifi/debian stable InRelease [3,023 B]
Get:4 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Ign:5 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 InRelease
Hit:6 http://security.ubuntu.com/ubuntu xenial-security InRelease
Get:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 Release [3,457 B]
Get:8 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 Release.gpg [801 B]
Get:9 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Err:8 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 Release.gpg
The following signatures were invalid: KEYEXPIRED 1578250443
Get:3 https://www.ui.com/downloads/unifi/debian stable InRelease [185 B]
Fetched 226 kB in 1s (190 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 Release: The following signatures were invalid: KEYEXPIRED 1578250443
W: Failed to fetch http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.4/Release.gpg The following signatures were invalid: KEYEXPIRED 1578250443
W: Some index files failed to download. They have been ignored, or old ones used instead.
root@unifi:/home/administrator#To find the expired key, we’re going to be using apt-key list. This prints out all of the installed keys, and from here, we can see which keys are expired. We can grep the list in ubuntu 16.04 to find all of the expired keys from the list.
root@unifi:/home/administrator# apt-key list | grep -A 1 expired
pub 4096R/A15703C6 2016-01-11 [expired: 2020-01-05]
uid MongoDB 3.4 Release Signing Key <packaging@mongodb.com>For our key, the part we want to note is A15703C6. If there are multiple keys shown in the list, make sure to note each one. This will be used in the next step. On a side note ubuntu, 18.04 doesn’t let you grep the output from apt-key list.
Now that we know the key, we can renew it with the following command.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <KEY>
In our example case, that will end up being:
root@unifi:/home/administrator# sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A15703C6
Executing: /tmp/tmp.WNQghYYTiy/gpg.1.sh --keyserver
hkp://keyserver.ubuntu.com:80
--recv-keys
A15703C6
gpg: requesting key A15703C6 from hkp server keyserver.ubuntu.com
gpg: key A15703C6: "MongoDB 3.4 Release Signing Key <packaging@mongodb.com>" 1 new signature
gpg: Total number processed: 1
gpg: new signatures: 1Lets finally run apt-get update to pull down the repos and start our upgrade process.
root@unifi:/home/administrator# apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease
Ign:4 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:6 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 Release [3,457 B]
Get:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 Release.gpg [801 B]
Hit:8 http://security.ubuntu.com/ubuntu xenial-security InRelease
Get:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4/multiverse amd64 Packages [16.4 kB]
Get:2 https://www.ui.com/downloads/unifi/debian stable InRelease [185 B]
Get:10 http://dl.ubnt.com/unifi/debian stable InRelease [3,023 B]
Fetched 26.8 kB in 1s (20.0 kB/s)
Reading package lists... DoneNow the usual apt-get upgrade (or dist-upgrade) will work without any further problems.