This just bit me today, so I thought I'd share this if other people come across the same.
TL;DR: there's nothing wrong with the repository's certificate, but your local CA store may present an expired root certificate. Details and workaround in https://bugs.debian.org/961907

Having configured the Consol repository for a Debian/buster installation (with HTTPS), apt-get update would fail with:

--------------------------------
Ign:1 https://labs.consol.de/repo/stable/debian buster InRelease
Err:2 https://labs.consol.de/repo/stable/debian buster Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 2a03:3680:0:2::21 443]
--------------------------------

But the Consol certificate is not really expired at all:

--------------------------------
$ echo | openssl s_client -connect labs.consol.de:443 2>&1 | head -7
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.consol.de
verify return:1
CONNECTED(00000003)
--------------------------------

For OpenSSL, "verify return:1" means "verification succeeded"[0]. However, the HTTPS transport for apt-get is not linked to OpenSSL but to GnuTLS:

--------------------------------
$ ldd /usr/lib/apt/methods/https | grep tls
	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
--------------------------------

And indeed, the GnuTLS client errors out with:

--------------------------------
$ gnutls-cli labs.consol.de:443
[...]
- subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
--------------------------------

The root certificate for the "COMODO RSA Certification Authority" appears to be expired:

--------------------------------
$ openssl x509 -in $(locate -i addtrust | grep -i external) -noout -dates
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT
--------------------------------

And while the OpenSSL client (or "curl", for that matter) apparently doesn't check the expiration date of intermediate or root certificates, GnuTLS does, and thus /usr/lib/apt/methods/https, and with it apt-get, fails :(

Details and workaround, for a Debian system: https://bugs.debian.org/961907

sudo sed 's|mozilla/AddTrust_External_Root.crt|!&|' -i.bak /etc/ca-certificates.conf
sudo update-ca-certificates

For the record, other local certificate stores are affected as well. For example, on a current openSUSE system:

$ openssl x509 -in /var/lib/ca-certificates/openssl/AddTrust_External_Root.pem -noout -dates
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT

Maybe it's time to switch to Let's Encrypt certificates? Their ISRG root is good until 2035 ;-)

HTH,
Christian.

[0] https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html

--
BOFH excuse #273:
The cord jumped over and hit the power switch.
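Editor's added example (not part of Christian's post, and not code from OpenSSL, GnuTLS or apt): a toy X.509 path builder that shows why the chain above can pass one verifier and fail another once a cross-signing root has expired. It models two path-building strategies: "trusted first", which switches to the local store's copy as soon as an issuer is found there (roughly what OpenSSL does), and "chain as sent first", which follows the server's chain to its end and only then consults the store (the behaviour the post observes from GnuTLS). Assumptions of this example: the trust store holds, besides the expired AddTrust root, a self-signed "COMODO RSA Certification Authority" root valid to 2038 (the post does not show this); the leaf and intermediate expiry dates are illustrative placeholders; only the 2020-05-30 expiry of the cross-signed CA and of the AddTrust root is taken from the post. The `WORKAROUND_STORE` scenario stands for the post's `!`-entry in ca-certificates.conf.

```python
"""Toy X.509 path builder: why one chain passes one verifier and fails another
once a cross-signing root expires.  Constructed example; not code from
OpenSSL, GnuTLS or apt."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# The chain labs.consol.de sends, as listed in the post (names cut to the CN).
# Only the 2020-05-30 expiry of the cross-signed CA is from the post; the leaf
# and intermediate dates are illustrative placeholders.
LEAF = Cert("CN=*.consol.de",
            "CN=COMODO RSA Domain Validation Secure Server CA", utc(2021, 1, 1))
DV_CA = Cert("CN=COMODO RSA Domain Validation Secure Server CA",
             "CN=COMODO RSA Certification Authority", utc(2029, 2, 11))
CROSS_CA = Cert("CN=COMODO RSA Certification Authority",          # cross-signed
                "CN=AddTrust External CA Root", utc(2020, 5, 30))  # by AddTrust
SENT_CHAIN = [LEAF, DV_CA, CROSS_CA]

# Local trust store, keyed by subject.  The AddTrust expiry is from the post;
# that the store also holds a self-signed COMODO RSA root valid to 2038 is an
# assumption of this example.
ADDTRUST_ROOT = Cert("CN=AddTrust External CA Root",
                     "CN=AddTrust External CA Root", utc(2020, 5, 30))
COMODO_ROOT = Cert("CN=COMODO RSA Certification Authority",
                   "CN=COMODO RSA Certification Authority", utc(2038, 1, 18))
FULL_STORE = {c.subject: c for c in (ADDTRUST_ROOT, COMODO_ROOT)}
# The post's workaround: a '!' in ca-certificates.conf drops AddTrust.
WORKAROUND_STORE = {COMODO_ROOT.subject: COMODO_ROOT}

BEFORE_EXPIRY = utc(2020, 5, 1)
AFTER_EXPIRY = utc(2020, 6, 1)


class VerifyError(Exception):
    pass


def build_path(chain, store, trusted_first):
    """Return the certificates that will be validated, leaf first.

    trusted_first=True : as soon as an issuer is in the local store, take the
                         store's copy and stop (roughly OpenSSL's behaviour).
    trusted_first=False: follow the chain as the server sent it and consult
                         the store only when the sent chain runs out (what the
                         post observes from GnuTLS).
    """
    by_subject = {c.subject: c for c in chain}
    path = [chain[0]]
    while True:
        cur = path[-1]
        if cur.issuer in store and (trusted_first or cur.issuer not in by_subject):
            path.append(store[cur.issuer])
            return path
        if cur.issuer != cur.subject and cur.issuer in by_subject:
            path.append(by_subject[cur.issuer])
            continue
        # Sent chain exhausted without a trusted issuer: the top certificate
        # may itself be a trust anchor (same subject as a store entry).
        if cur.subject in store:
            path[-1] = store[cur.subject]
            return path
        raise VerifyError(f"no trust anchor found for {cur.subject}")


def verify(chain, store, now, trusted_first):
    """Build the path and check every certificate in it, anchor included."""
    path = build_path(chain, store, trusted_first)
    for cert in path:
        if now > cert.not_after:
            raise VerifyError(
                f"expired: {cert.subject} (notAfter {cert.not_after:%Y-%m-%d})")
    return [c.subject for c in path]


def expired_anchors(store, now):
    """Like running 'openssl x509 -noout -dates' over every cert in the store."""
    return sorted(s for s, c in store.items() if now > c.not_after)


def run_scenarios():
    """Map each scenario to 'ok:<path>' or 'error:<message>'."""
    cases = {
        "openssl-style, full store, after expiry": (FULL_STORE, AFTER_EXPIRY, True),
        "gnutls-style, full store, before expiry": (FULL_STORE, BEFORE_EXPIRY, False),
        "gnutls-style, full store, after expiry": (FULL_STORE, AFTER_EXPIRY, False),
        "gnutls-style, AddTrust distrusted, after expiry": (WORKAROUND_STORE, AFTER_EXPIRY, False),
    }
    results = {}
    for name, (store, now, trusted_first) in cases.items():
        try:
            results[name] = "ok:" + " -> ".join(verify(SENT_CHAIN, store, now, trusted_first))
        except VerifyError as e:
            results[name] = "error:" + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
    print("expired in store:", expired_anchors(FULL_STORE, AFTER_EXPIRY))
```

The four scenarios reproduce the post's observations: the trusted-first builder never reaches the expired certificates, the chain-as-sent builder walks through the cross-signed CA into the expired AddTrust root and fails exactly as gnutls-cli did, the same builder was fine a month earlier, and distrusting AddTrust makes it terminate at the still-valid COMODO root instead. `expired_anchors` is the programmatic form of the `openssl x509 -dates` check: run the real thing over /etc/ssl/certs before blaming the server.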
