User Tools

Site Tools


Update packages on Debian when certificate is expired

If you see an error like this when trying to update the packages:

Hit:10 buster InRelease                                                                                                                              
Err:11 binary/ Release                                                                                                                                   
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 2a04:4e42::645 443]

First try upgrading the ca-certificates package. If that doesn't work continue with below.

Test the site on ssl labs. You should see that there are 2 certificate chain paths, one of which is expired.

Comment out the offending certificate in /etc/ca-certificates.conf by appending a “!” in front of mozilla/DST_Root_CA_X3.crt .

How it should look like:


Now run update-ca-certificates command:

root@server:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...

apt update should no longer show this error.

Tested on

  • Debian 10 Buster

See also


wiki/update_packages_debian_certificate_expired.txt · Last modified: 2021/12/14 16:23 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki