Table of Contents
Update packages on Debian when certificate is expired
If you see an error like this when trying to update the packages:
... Hit:10 https://download.docker.com/linux/debian buster InRelease Err:11 https://pkg.jenkins.io/debian-stable binary/ Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 2a04:4e42::645 443] ...
First try upgrading the ca-certificates package. If that doesn't work continue with below.
Test the site on ssl labs. You should see that there are 2 certificate chain paths, one of which is expired.
Comment out the offending certificate in /etc/ca-certificates.conf by appending a “!” in front of mozilla/DST_Root_CA_X3.crt .
How it should look like:
... mozilla/DigiCert_Trusted_Root_G4.crt !mozilla/DST_Root_CA_X3.crt mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt ...
Now run update-ca-certificates command:
root@server:~# update-ca-certificates Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
apt update should no longer show this error.
- Debian 10 Buster