Issue with some app installs, wget reporting "The certificate is not trusted"

Hi there,

this afternoon we identified an issue which may prevent some installations / upgrade due to a recently expired root CA certificate. As a result, commands like

wget https://fluxbb.org/

may return something like

ERROR: The certificate of ‘fluxbb.org’ is not trusted.
ERROR: The certificate of ‘fluxbb.org’ has expired.

despite the certificate being valid…

Note that:

  • this affect some websites but not others depending on their certificate issuer
  • the command will work on your laptop if it’s reasonably up to date, but won’t work on your yunohost server

There are detailed explanations available here :

A manual fix is to run the following commands on your server:

sudo sed -i 's@^mozilla/AddTrust_External_Root.crt$@#mozilla/AddTrust_External_Root.crt@g' /etc/ca-certificates.conf
sudo update-ca-certificates -f -v 

Debian is expected to release an updated version of ca-certificates in the coming hours / days, which should fix the issue without any manual tinkering.

2 Likes

@Aleks
thank you for this report

I have a question about packaging apps (with this issue).
Would it be a good idea to add the “manual fix” in the install script or is it better to wait for the ca-certificates update ?

Not sure what’s the relation with “packaging apps” … It was basically a “system” issue caused and fixed by Debian upstream so …?

Edit: ugh now I understand the question I think … it’s fixed in the debian repository so just upgrade your system