antisaWiki

User Tools

Site Tools

Trace: update_packages_debian_certificate_expired
wiki:update_packages_debian_certificate_expired

This is an old revision of the document!

Table of Contents

, ,

Update packages on Debian when certificate is expired

If you see an error like this when trying to update the packages: 

...
Hit:10 https://download.docker.com/linux/debian buster InRelease                                                                                                                              
Err:11 https://pkg.jenkins.io/debian-stable binary/ Release                                                                                                                                   
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 2a04:4e42::645 443]
...

Test the site on ssl labs. You should see that there are 2 certificate chain paths, one of which is expired.

Comment out the offending certificate in /etc/ca-certificates.conf by appending a “!” in front of mozilla/DST_Root_CA_X3.crt .

How it should look like: 

...
mozilla/DigiCert_Trusted_Root_G4.crt
!mozilla/DST_Root_CA_X3.crt
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
...

Now run update-ca-certificates command: 

root@server:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

apt update should no longer show this error.

Tested on

  • Debian 10 Buster

See also

References

wiki/update_packages_debian_certificate_expired.1639495058.txt.gz · Last modified: 2021/12/14 15:17 by antisa
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki