Hi,

as Tomas predicted it can be done by handwork.

Tobias Diekershoff gave a good hint but i was not smart enough to make
use of it before i found out the clicky way.

The solution was to import to iceweasel the certificate file

  /etc/ssl/certs/ISRG_Root_X1.pem

------------------------------------------------------------------------
Long story:

I replaced the directory trees
  /etc/ssl/certs
  /usr/share/ca-certificates
and the file
  /etc/ca-certificates.conf
by their counterparts of Debian 10. Then i ran
  update-ca-certificates
This did not help, even with newly started Iceweasel.

So i clicked my way through Preferences -> Advanced -> Certificates to
button "View Certificates" which offers me an obscure list and a button
"Import". This gives me a file browser which i navigate to /etc/ssl/certs.
There are 128 .pem files from Debian 10.

To reduce the work i diffed the list of .pem files in both /etc/ssl/certs
and began to add those which are new in Debian 10: 49 files.
Many new ones did have no effect. But
  /etc/ssl/certs/ISRG_Root_X1.pem
gives me back a lot of those sites which were unaccessible since yesterday.

I will have to wait for complaints to see if any of the previously working
sites still fails. A quick tour over the usual suspects finds none.
I nevertheless invested the clickwork to import the other new .pem files.
Just in case i forget what i did today.


Tobias Diekershoff wrote:
> Are the untrusted certificates LetsEncrypt issued certs? Their old
> R3 cert (signed by DST Root CA X3) expired Sept 29th (see e.g.
> https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

Looks like you are right.
In hindsight the hint to "ISRG Root X1" is in there. But i don't understand
their nomenclature. I looked for "DST*R3*.pem" but found no such file
in /etc/ssl/certs. (It's like with man pages: I understand their text only
when i finally found out by trial and error.)

-------------------------------------------------------------------------
Remaining riddles:

How would i be supposed to find the name of the decisive certificate when
iceweasel refuses?

Another riddle is why wget still does not work without option
  --no-check-certificate
I found no hint in its man page about its default stash of certificates.
Will have to go on with research next week ...


Have a nice day :)

Thomas
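
The comparison of the two /etc/ssl/certs trees described in the message above, as an added example that is not part of the original mail. It goes one step beyond a filename diff by comparing file content, so a certificate that was only renamed between releases is not reported as new; the function name and the two directory arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: list the .pem files in NEW_DIR whose content does not
# occur in any .pem file of OLD_DIR (candidates for a manual import).
# new_certs is a hypothetical helper name, not a Debian tool.
# Comparison is on the SHA-256 of the file bytes, so only byte-identical
# files count as "already present".
new_certs() {
    nc_old_dir=$1
    nc_new_dir=$2
    nc_hashes=$(mktemp) || return 1

    # Hash every certificate of the old tree. The entries in
    # /etc/ssl/certs are usually symlinks; reading through them is fine,
    # and dangling links are skipped by the -e test.
    for nc_f in "$nc_old_dir"/*.pem; do
        [ -e "$nc_f" ] || continue
        sha256sum < "$nc_f" | cut -d' ' -f1
    done | sort -u > "$nc_hashes"

    # Print the name of each new-tree certificate with an unknown hash.
    for nc_f in "$nc_new_dir"/*.pem; do
        [ -e "$nc_f" ] || continue
        nc_h=$(sha256sum < "$nc_f" | cut -d' ' -f1)
        grep -qxF "$nc_h" "$nc_hashes" || basename "$nc_f"
    done

    rm -f "$nc_hashes"
}

# Stand-alone use: sh new_certs.sh /path/to/old/certs /path/to/new/certs
if [ "$#" -eq 2 ]; then
    new_certs "$1" "$2"
fi
```

The output is a list of file names relative to the new directory, one per line, which can then be imported one at a time through the browser's certificate dialog.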
