
Update packages on Debian when certificate is expired

If you see an error like this when trying to update the packages:

...
Hit:10 https://download.docker.com/linux/debian buster InRelease
Err:11 https://pkg.jenkins.io/debian-stable binary/ Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 2a04:4e42::645 443]
...

First try upgrading the ca-certificates package. If that doesn't work, continue with the steps below.

Test the site on SSL Labs. You should see that there are 2 certificate chain paths, one of which is expired.

Deselect the offending certificate in /etc/ca-certificates.conf by putting a “!” in front of mozilla/DST_Root_CA_X3.crt. A line that starts with “!” is deselected, so update-ca-certificates removes that certificate from the trust store.

How it should look:

...
mozilla/DigiCert_Trusted_Root_G4.crt
!mozilla/DST_Root_CA_X3.crt
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
...

Now run the update-ca-certificates command:

root@server:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

apt update should no longer show this error.
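
The edit step above as an idempotent shell function, so it can be repeated safely across several servers. This is an added example, not part of the original wiki page; the function name deselect_ca and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: deselect one CA entry in a ca-certificates.conf-style file.
# deselect_ca CONF ENTRY   (hypothetical helper name)
#   returns 0 if ENTRY is deselected afterwards (changed now or already was)
#   returns 2 if ENTRY is not listed in CONF at all
deselect_ca() {
    conf=$1
    entry=$2

    # Already deselected: a line that is exactly "!ENTRY".
    if grep -Fxq -- '!'"$entry" "$conf"; then
        echo "already deselected: $entry"
        return 0
    fi

    # Not listed, e.g. a newer ca-certificates package no longer ships it.
    if ! grep -Fxq -- "$entry" "$conf"; then
        echo "not listed: $entry" >&2
        return 2
    fi

    # Keep a backup, then rewrite only the exact matching line.
    # Redirecting into "$conf" keeps the file's owner and mode.
    cp -p "$conf" "$conf.bak"
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' \
        "$conf.bak" > "$conf"
    echo "deselected: $entry"
}

# Usage on a real system (as root), followed by the next step from this page:
#   deselect_ca /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt \
#       && update-ca-certificates
```

The match is on the whole line, so other entries and comment lines are left untouched, and the previous file is kept as /etc/ca-certificates.conf.bak.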

Tested on

  • Debian 10 Buster

wiki/update_packages_debian_certificate_expired.txt · Last modified: 2021/12/14 16:23 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal