I'm opening this issue here to actually document the solution.
Upgrading from jessie to stretch, or actually from older to newer, may result in a non-working https repo which fails the certificate verification.
The problem occurs when there was either no way to perform a dist-upgrade first, or somehow "some" packages get upgraded. It is pretty easy to reach a state where apt cannot update from the enterprise repo:
Err:13 https://enterprise.proxmox.com/debian jessie Release
gnutls_handshake() failed: Public key signature verification has failed.
gnutls_handshake() failed: Public key signature verification has failed.
And apt fails without the Release file, and if you're not cautious you end up with proxmox removed since it doesn't have a repo anymore.
The problem isn't with the repo, the problem isn't with ca-certificates, and usually not with ssl/certs directory permissions (though these may cause similar problems), and it is fsck hard to figure out what. Upgrading gnutls and its libs manually doesn't help either.
The culprit in my case - and repeatedly in the past - was librtmp1, which is not a direct dependency of the failing tools; however, it does have a nasty symbol clash which results in the joyful failure messages.
Updating the said lib magically resolves the issue.
(If it doesn't fix it for you - try to upgrade tls/ssl related libs first.)
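
An added diagnostic sketch, not part of the original post: one way to look for the kind of symbol clash described above is to check whether a single process pulls in two SONAMEs of the same library family. It assumes the clash comes from old and new generations of a TLS/crypto library being loaded together; the function names, the `-deb0` folding rule and the sample `ldd` output are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ldd` output on stdin and
# reports library families that resolve to more than one SONAME in a single
# process, e.g. a library left behind by a partial upgrade.
find_soname_clashes() {
    awk '
    $1 ~ /\.so\./ {
        soname = $1
        sub(/^.*\//, "", soname)        # drop a directory prefix, if any
        family = soname
        sub(/\.so\..*$/, "", family)    # libnettle.so.4 -> libnettle
        sub(/-deb0$/, "", family)       # assumption: fold Debian "-deb0" SONAMEs
        if (!((family, soname) in seen)) {
            seen[family, soname] = 1
            count[family]++
            if (family in names) names[family] = names[family] " " soname
            else names[family] = soname
        }
    }
    END {
        for (f in count)
            if (count[f] > 1) print f ": " names[f]
    }' | sort
}

# Constructed sample of a mixed-release dependency chain (not captured output).
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc00000000)
    libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f0000000000)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f0000100000)
    librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007f0000200000)
    libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f0000300000)
    libgnutls-deb0.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28 (0x00007f0000400000)
    libnettle.so.4 => /usr/lib/x86_64-linux-gnu/libnettle.so.4 (0x00007f0000500000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000600000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000700000)
EOF
}

# On a real host: ldd /usr/lib/apt/methods/https | find_soname_clashes
sample_ldd | find_soname_clashes
```

For any family it reports, `dpkg -S` on the listed file paths shows which packages own the old and new copies, and therefore which package was left behind by the partial upgrade.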