Hi there,
this afternoon we identified an issue which may prevent some installations / upgrade due to a recently expired root CA certificate. As a result, commands like
wget https://fluxbb.org/
may return something like
ERROR: The certificate of ‘fluxbb.org’ is not trusted.
ERROR: The certificate of ‘fluxbb.org’ has expired.
despite the certificate being valid…
Note that:
- this affect some websites but not others depending on their certificate issuer
- the command will work on your laptop if it’s reasonably up to date, but won’t work on your yunohost server
There are detailed explanations available here :
- https://www.reddit.com/r/linux/comments/gshh70/sectigo_root_ca_expiring_may_not_be_handled_well/
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=96190
- https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
A manual fix is to run the following commands on your server:
sudo sed -i 's@^mozilla/AddTrust_External_Root.crt$@#mozilla/AddTrust_External_Root.crt@g' /etc/ca-certificates.conf
sudo update-ca-certificates -f -v
Debian is expected to release an updated version of ca-certificates
in the coming hours / days, which should fix the issue without any manual tinkering.