{{tag>ssl apt debian}}

====== Update packages on Debian when certificate is expired ======

If you see an error like this when trying to update the packages:

<code>
...
Hit:10 https://download.docker.com/linux/debian buster InRelease
Err:11 https://pkg.jenkins.io/debian-stable binary/ Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a04:4e42::645 443]
...
</code>

First try upgrading the //ca-certificates// package. If that doesn't work, continue with the steps below.

Test the site on [[https://www.ssllabs.com/ssltest/analyze.html?d=pkg.jenkins.io&s=2a04%3a4e42%3a0%3a0%3a0%3a0%3a0%3a645&latest|SSL Labs]]. You should see that there are 2 certificate chain paths, one of which is expired.

{{:wiki:screenshots:ssl_labs_2path_chain_expired.png|}}

Comment out the offending certificate in ///etc/ca-certificates.conf// by putting a "!" in front of ''mozilla/DST_Root_CA_X3.crt''. It should look like this:

<code>
...
mozilla/DigiCert_Trusted_Root_G4.crt
!mozilla/DST_Root_CA_X3.crt
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
...
</code>

Now run the ''update-ca-certificates'' command:

<code>
root@server:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
</code>

''apt update'' should no longer show this error.

====== Tested on ======

  * Debian 10 Buster

====== See also ======

====== References ======

  * https://www.claudiokuenzler.com/blog/1135/lets-encrypt-root-ca-expired-git-server-certificate-verification-failed-x3
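
The ///etc/ca-certificates.conf// edit from the steps above can be scripted so that it is safe to run more than once. This is an added example, not part of the original page; ''disable_ca_entry'' is a hypothetical helper name, and the sample file it runs on is constructed.

```shell
#!/bin/sh
# Added example: deselect one CA entry in a ca-certificates.conf-style file
# by prefixing it with "!". disable_ca_entry is a hypothetical helper name,
# not something shipped by the ca-certificates package.

disable_ca_entry() {
    conf=$1     # path to the configuration file
    entry=$2    # entry to deselect, e.g. mozilla/DST_Root_CA_X3.crt

    # Already prefixed with "!": nothing to do, so repeated runs are harmless.
    if grep -qxF "!$entry" "$conf"; then
        echo "already-disabled"
        return 0
    fi
    # Refuse to touch the file if the entry is not present as a whole line.
    if ! grep -qxF "$entry" "$conf"; then
        echo "not-found"
        return 1
    fi

    # Keep a copy of the previous trust configuration for rollback.
    cp -p "$conf" "$conf.bak" || return 2
    tmp=$(mktemp "$conf.XXXXXX") || return 2
    # awk compares whole lines as strings, so the dots in the file name
    # are not interpreted as regex wildcards.
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$conf" > "$tmp" \
        || { rm -f "$tmp"; return 2; }
    # Write back through the original file to keep its owner and mode.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    echo "disabled"
}

# Demo on a constructed sample file (no root needed).
sample=$(mktemp)
printf '%s\n' 'mozilla/DigiCert_Trusted_Root_G4.crt' \
              'mozilla/DST_Root_CA_X3.crt' \
              'mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt' > "$sample"
disable_ca_entry "$sample" mozilla/DST_Root_CA_X3.crt   # prints: disabled
disable_ca_entry "$sample" mozilla/DST_Root_CA_X3.crt   # prints: already-disabled
cat "$sample"
rm -f "$sample" "$sample.bak"

# On the real system, as root:
#   disable_ca_entry /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt && update-ca-certificates
```

The backup at ///etc/ca-certificates.conf.bak// lets you restore the previous trust configuration and rerun ''update-ca-certificates'' if the change has to be reverted.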