Unable to claim node. error is: Failed to connect to https://app.netdata.cloud, return code 60

I am having trouble claiming a node to my Netdata Cloud. I am running on Ubuntu 16.04. I see that there is a similar problem on CentOS, although the fix might not be the same for my environment.

Agent is running fine.

I am unable to curl https://app.netdata.cloud due to the error: curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

This is the script I am using to claim the node

wget -O /tmp/netdata-kickstart.sh https://my-netdata.io/kickstart.sh && sh /tmp/netdata-kickstart.sh --stable-channel --claim-token TOKENXXXX --claim-rooms ROOMXXXX --claim-url https://app.netdata.cloud

Hi @driggsss, thanks for contacting us,

I cannot reproduce the problem; I was able to claim an agent using Ubuntu 16.04. Could you please share the error message you’re receiving when executing the claiming command?

Just as a reminder:

  • it’s not needed to pass the --claim-url to the script (https://app.netdata.cloud will be used automatically).
  • if you want to claim your agent to the “All-nodes” room, then --claim-rooms parameter is not necessary either, it will be claimed to that room automatically.

Thanks.

Here is the error on my end.

Could you please check that you are running the latest versions of the packages ca-certificates and openssl?

You can update them to the latest version by running the following command as root:

apt-get update && apt-get install ca-certificates openssl

After updating, the latest versions for Ubuntu 16.04 should be:

  • ca-certificates: 20210119~16.04.1
  • openssl: 1.0.2g-1ubuntu4.20

Hi @Juan seems like I already have the latest versions.
[image]

Hi @driggsss,

Part of the problem is that in September 2021, the DST Root CA X3 certificate expired (the older root CA that Let’s Encrypt certs were using). Old versions of OpenSSL and maybe other TLS libraries were affected.

There may be something on your system that prevents you from using the latest OpenSSL library. The latest version of the 16.04 backports repo works fine (that’s why I managed to claim an agent from an Ubuntu 16.04 container), but a lot of 16.04 software can’t use it.

I list some options, I think in ascending level of difficulty/risk, that you can try to fix the issue. Try the agent claiming process after trying each of them:

  1. Upgrade all your system packages.

From the screenshot you provided above, it seems not all your packages are using the latest version. I suggest trying a system upgrade, to discard any versioning issue on your side. To update the system, run:

apt-get update && apt-get upgrade

  2. Reconfigure the ca-certificates package

Maybe the reason is that some application is still using the old Root CA cert to validate our domain. One option would be to remove the expired CA file from your trusted certificates. In order to do that, you can reconfigure the package ca-certificates by running:

dpkg-reconfigure ca-certificates

To the question “Trust new certificates from certificate authorities?” choose “yes”.
On the next screen, avoid selecting DST_Root_CA_X3.pem certificate.

  3. Use a static version of Netdata

Another option would be to install a static version of Netdata; you can find more information at Netdata’s learn site.

  4. Use a more recent Ubuntu version

If after all the above it still doesn’t work, maybe the only option is to use a newer version of Ubuntu.

Thanks!

An alternative option (doable on the command line with sed for bootstrap scripts) is to edit /etc/ca-certificates.conf, add a ! before the DST_Root_CA_X3.pem, and run update-ca-certificates.

The ! tells the program to remove the certificate from the list of authorized CAs.

This one solved it. Thank you @Tensibai
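
The /etc/ca-certificates.conf edit described in the reply above, written as an idempotent shell script (an added example, not part of the original thread or of Netdata's code). The function names and the script name are hypothetical; the entry is matched by certificate name with a .crt or .pem extension, because on Ubuntu the conf file normally lists it as mozilla/DST_Root_CA_X3.crt.

```shell
#!/bin/sh
# Added example: deselect one CA in a ca-certificates.conf-style file.
# Each line is a certificate path relative to /usr/share/ca-certificates
# (on Debian/Ubuntu typically "mozilla/DST_Root_CA_X3.crt").
# A leading "!" deselects the certificate; "#" starts a comment.
# NAME is used as a regex fragment, so keep it to letters, digits, "_" and "-".

# ca_state FILE NAME -> prints "selected", "deselected" or "absent"
ca_state() {
    if grep -Eq "^([^!#]*/)?$2\.(crt|pem)\$" "$1"; then
        echo selected
    elif grep -Eq "^!([^!#]*/)?$2\.(crt|pem)\$" "$1"; then
        echo deselected
    else
        echo absent
    fi
}

# deselect_ca FILE NAME -> prefixes the matching entry with "!"
# Returns 0 if the entry is deselected afterwards, 1 if it is not listed.
deselect_ca() {
    conf=$1
    name=$2
    case $(ca_state "$conf" "$name") in
        deselected) return 0 ;;   # already done, leave the file untouched
        absent)     echo "$name is not listed in $conf" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 1   # keep a copy for rollback
    # Only the exact entry changes; comments and other CAs are copied as-is.
    sed -E "s,^(([^!#]*/)?$name\.(crt|pem))\$,!\1," "$conf.bak" > "$conf"
}

# Run as root, for example (hypothetical script name):
#   sh deselect-ca.sh /etc/ca-certificates.conf DST_Root_CA_X3
# update-ca-certificates then rebuilds /etc/ssl/certs without that CA.
if [ "$#" -eq 2 ]; then
    deselect_ca "$1" "$2" && update-ca-certificates
fi
```

Running it a second time changes nothing, and the previous file is kept next to the original with a .bak suffix.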