On 10/04/21 at 11:54, Thomas Schmitt wrote:
> Hi,
>
> mett wrote:
> > the final solution is:
> > -disable the certs with an ! before the cert name
> > (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt)
> > -then, rebuild the cert directory (update-ca-certificates --fresh)
>
> Indeed this brought success with wget on the Debian 8 machine.
>
> $ wget https://lists.debian.org
> ...
> 2021-10-04 11:48:12 (7.34 MB/s) - ‘index.html’ saved [7533/7533]
> $
>
> I copied
> /usr/share/ca-certificates
> /etc/ca-certificates.conf
> /etc/ssl/certs
> from the Debian 10 machine (dist-upgraded last week) to the Debian 8.
> But with or without a run of
> update-ca-certificates --fresh
> wget did not work.
> The proposal of mett finally got wget to download lists.debian.org with
> certificate check enabled.
>
>
> Now i am puzzled why this operation is not necessary on Debian 10 from
> where the file /etc/ca-certificates.conf was copied.
> The entry is in /etc/ca-certificates.conf,
> DST_Root_CA_X3.crt exists in /usr/share/ca-certificates,
> the link DST_Root_CA_X3.pem exists in /etc/ssl/certs.
> Nevertheless wget works on my Debian 10 with https://lists.debian.org.
Maybe the default CA for Let's Encrypt
are different on Debian 8 and Debian 9/10.
>
> > -then, restart your servers.
>
> I am not aware of any servers on the Debian 8 machine which would have to
> do with certificates. I had not to restart anything after
> update-ca-certificates --fresh
> wget worked immediately after.
>
> Do SSL clients depend on a local service ?
SSL clients do not depend on a local service.
Just I had a similar problem with
different parameters:
-a debian 8 server
-and php.
That is why I said restart your servers
(thinking apache and php-fpm).
Sorry for that.
>
>
> Have a nice day :)
>
> Thomas
>
Have a nice day too!
