Onboarding of Ubuntu client fails with: Could not handshake: Error in the certificate verification
This document (000021822) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Multi-Linux Manager 5.0 Server
Situation
Onboarding of an Ubuntu 20.04 (or newer) client using the bootstrap script fails with the following error message:
E: Failed to fetch https://some.hostname/pub/repositories/ubuntu/20/4/bootstrap/dists/bootstrap/main/binary-i386/Packages Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 192.168.12.12 443]
The certificate chain on the Ubuntu client is correct (the CA certificate used to sign the server certificate is correctly imported on the Ubuntu client). Using wget or curl against the URL mentioned above works without any issues; only apt fails with the mentioned error.
Resolution
Check whether the permissions for /etc/ssl and /etc/ssl/certs are set to 755 on the affected Ubuntu client:
stat -c '%n %a' /etc/ssl /etc/ssl/certs
If they are not, change the permissions to 755 on both directories:
sudo chmod 755 /etc/ssl
sudo chmod 755 /etc/ssl/certs
Cause
Missing read permissions for "others" on the /etc/ssl and /etc/ssl/certs directories.
Additional Information
Running the apt command in debug mode on the affected Ubuntu client with the following options:
apt-get -o Debug::Acquire::https=true -o Debug::Acquire::CaInfo=/etc/ssl/certs/ca-certificates.crt update
also reports the following errors:
W: https://some.hostname/pub/repositories/ubuntu/20/4/bootstrap/dists/bootstrap/main/cnf/Commands-amd64: No system certificates available. Try installing ca-certificates.
which indicates that apt’s HTTPS fetcher drops privileges to the unprivileged _apt user. If _apt can’t read the certificate bundle, GnuTLS loads zero CAs and bails out with the errors mentioned above.
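The permission check from the Resolution section, extended to every component of the path to the CA bundle, as an added example that is not part of the original SUSE article. It assumes GNU stat and that the _apt user is neither owner nor group member of these paths, so only the "others" permission bits apply; check_other_access is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: report each path component that the "others" permission
# class cannot traverse (directories) or read (the final file).
# Assumption: _apt is neither owner nor group member of these paths, so only
# the last octal digit of the mode decides its access.

check_other_access() {
    rest=${1#/}          # absolute path without the leading slash
    current=""
    rc=0
    while [ -n "$rest" ]; do
        part=${rest%%/*}                       # next path component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue             # tolerate "//" in the path
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "MISSING $current"
            return 2
        fi
        mode=$(stat -L -c '%a' "$current")     # -L: follow symlinks
        other=$((mode % 10))                   # permission digit for "others"
        if [ -d "$current" ]; then
            need=5    # r-x, as in mode 755: list and traverse the directory
        else
            need=4    # r--: read the bundle itself
        fi
        if [ $((other & need)) -ne "$need" ]; then
            echo "BLOCKED $current mode=$mode (others need $need)"
            rc=1
        fi
    done
    return $rc
}
```

On an affected client, run check_other_access /etc/ssl/certs/ca-certificates.crt; each BLOCKED line names a directory or file whose mode keeps the unprivileged fetcher from loading the CA bundle.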
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021822
- Creation Date: 05-May-2025
- Modified Date: 05-May-2025
- SUSE Manager Server
- SUSE Manager
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com