On Fri, Oct 01, 2021 at 09:41:45AM +0200, Thomas Schmitt wrote: > Hi, > > i am confronted with an old Debian 8 "jessie" machine where since > (probably) yesterday the Iceweasel browser does not work any more > with many websites. E.g. > > This Connection is Untrusted > ... > lists.debian.org uses an invalid security certificate. > The certificate is not trusted because the issuer certificate is unknown. > (Error code: sec_error_unknown_issuer) > > Googling around (with Debian 10) gives me the idea that the installed > package ca-certificates is outdated. > > It is currently not an option to upgrade the system to a newer Debian > version. I am even scared to do what i deduce from > > https://serverfault.com/questions/891734/debian-wheezy-outdated-root-certificates > namely: > > - add to /etc/apt/sources.list : > deb http://ftp.de.debian.org/debian-security/ jessie/updates main > > - run: > apt-get update > apt-get install ca-certificates > > Is this a good idea ? Will it do harm to the 6 year old system ? > > --------------------------------------------------------------------------- > If not a good idea: > > Is there a known procedure to get and install the certificates manually ? > I see proposals to download .crt files and run > update-ca-certificates --fresh > > Where would i get a current set of certificates ? > > How do i identify the certificates which the browser does not accept ? > wget does not tell me the certificate name either. > > > Have a nice day :) > > Thomas >
Honestly - I'd suggest disconnecting the machine from the Internet until you are able to upgrade it - it's far enough out of support that it's now ELTS. https://deb.freexian.com/extended-lts/ I'd suggest that you consider immediate upgrade if you can - what is the reason you cannot? All the very best, as ever, Andy Cater