wiki:update_packages_debian_certificate_expired
This is an old revision of the document!
Table of Contents
Update packages on Debian when certificate is expired
If you see an error like this when trying to update the packages:
... Hit:10 https://download.docker.com/linux/debian buster InRelease Err:11 https://pkg.jenkins.io/debian-stable binary/ Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a04:4e42::645 443] ...
Test the site on ssl labs. You should see that there are 2 certificate chain paths, one of which is expired.
Comment out the offending certificate in /etc/ca-certificates.conf by appending a “!” in front of mozilla/DST_Root_CA_X3.crt .
How it should look like:
... mozilla/DigiCert_Trusted_Root_G4.crt !mozilla/DST_Root_CA_X3.crt mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt ...
Now run update-ca-certificates command:
root@server:~# update-ca-certificates Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
apt update should no longer show this error.
Tested on
- Debian 10 Buster
See also
References
wiki/update_packages_debian_certificate_expired.1639495058.txt.gz · Last modified: 2021/12/14 15:17 by antisa