If you see an error like this when trying to update the packages:
...
Hit:10 https://download.docker.com/linux/debian buster InRelease
Err:11 https://pkg.jenkins.io/debian-stable binary/ Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a04:4e42::645 443]
...
First try upgrading the ca-certificates package. If that doesn't work, continue with the steps below.
Test the site on SSL Labs. You should see that there are 2 certificate chain paths, one of which is expired.
Disable the offending certificate in /etc/ca-certificates.conf by putting a “!” in front of mozilla/DST_Root_CA_X3.crt.
How it should look:
...
mozilla/DigiCert_Trusted_Root_G4.crt
!mozilla/DST_Root_CA_X3.crt
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
...
Now run the update-ca-certificates command:
root@server:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
apt update should no longer show this error.
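The edit to /etc/ca-certificates.conf described above can be scripted so it is repeatable across hosts. This is an added example, not part of the original page; the function name deselect_ca and its return codes are hypothetical. It matches the entry as a whole line, keeps a .bak copy, and does nothing if the entry is already prefixed with "!".

```shell
#!/bin/sh
# Added example (not from the original page): deselect one CA entry in a
# ca-certificates.conf-style file by prefixing its line with "!".
# deselect_ca is a hypothetical helper name.
#
# Usage: deselect_ca CONF ENTRY
# Returns 0 if ENTRY is deselected afterwards (changed now or already was),
#         2 if ENTRY is not listed in CONF at all,
#         1 on bad arguments or I/O failure.
deselect_ca() {
    ca_conf=$1
    ca_entry=$2
    [ -n "$ca_conf" ] && [ -n "$ca_entry" ] || return 1
    [ -f "$ca_conf" ] || return 1

    # Idempotent: an existing "!entry" line means there is nothing to do.
    if grep -qxF "!$ca_entry" "$ca_conf"; then
        return 0
    fi
    # Exact whole-line match only; refuse to touch the file otherwise.
    if ! grep -qxF "$ca_entry" "$ca_conf"; then
        return 2
    fi

    # Keep the previous state so the change can be reverted.
    cp -p "$ca_conf" "$ca_conf.bak" || return 1
    ca_tmp=$(mktemp "$ca_conf.XXXXXX") || return 1

    # Rewrite only the matching line; all other lines pass through unchanged.
    if ! CA_ENTRY=$ca_entry awk \
        '$0 == ENVIRON["CA_ENTRY"] { print "!" $0; next } { print }' \
        "$ca_conf" > "$ca_tmp"; then
        rm -f "$ca_tmp"
        return 1
    fi

    # Write back in place so the file keeps its owner and mode.
    cat "$ca_tmp" > "$ca_conf" || { rm -f "$ca_tmp"; return 1; }
    rm -f "$ca_tmp"
    return 0
}

# On a real host (as root), followed by the command from the page:
#   deselect_ca /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt \
#       && update-ca-certificates
```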