Hi, mett wrote: > the final solution is: > -disable the certs with an ! before the cert name > (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt) > -then, rebuild the cert directory (update-ca-certificates --fresh)
Indeed this brought success with wget on the Debian 8 machine. $ wget https://lists.debian.org ... 2021-10-04 11:48:12 (7.34 MB/s) - ‘index.html’ saved [7533/7533] $ I copied /usr/share/ca-certificates /etc/ca-certificates.conf /etc/ssl/certs from the Debian 10 machine (dist-upgraded last week) to the Debian 8. But with or without a run of update-ca-certificates --fresh wget did not work. The proposal of mett finally got wget to download lists.debian.org with certificate check enabled. Now i am puzzled why this operation is not necessary on Debian 10 from where the file /etc/ca-certificates.conf was copied. The entry is in /etc/ca-certificates.conf, DST_Root_CA_X3.crt exists in /usr/share/ca-certificates, the link DST_Root_CA_X3.pem exists in /etc/ssl/certs. Nevertheless wget works on my Debian 10 with https://lists.debian.org. > -then, restart your servers. I am not aware of any servers on the Debian 8 machine which would have to do with certificates. I had not to restart anything after update-ca-certificates --fresh wget worked immediately after. Do SSL clients depend on a local service ? Have a nice day :) Thomas
