Debian Wheezy outdated root certificates

certificatedebian-wheezyupdate

I've ran into a strange problem where a server that's running Debian 7 won't connect to some websites using SSL. After debugging, it turns out that the root certificates for those sites are not known and therefore not trusted. The case I was debugging was from DigiCert "DigiCert Global Root G2".

Of course I tried updating the system and running sudo update-ca-certificates, but it didn't solve the problem. However, looking at Debian's git repository, it looks like ca-certificates is up-to-date. In fact, the one I was looking for is there.

Am I missing something? Do I need to do something special to keep up-to-date? Or is the version in git just not released yet? In that case, what can I do to be more up-to-date regardless? I'd rather not manually add root certificates.

Update

sudo apt-cache policy ca-certificates
ca-certificates:
  Installed: 20130119+deb7u1
  Candidate: 20130119+deb7u2
  Version table:
     20130119+deb7u2 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 20130119+deb7u1 0
        500 http://ftp.nl.debian.org/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status

I'm not exactly sure what happened, but I'm only getting this after I changed my source list. Seeing as it is from security.debian.org, I'm worried that the repo didn't work before.

Best Answer

You can try and refresh your certificate links in /etc/ssl/certs with

update-ca-certificates --fresh

which redoes all the symlinks in /etc/ssl/certs. If that does not help, lets see if your packages are up-to-date

Make sure you have the security repos in your /etc/apt/sources.list looking like this (add contriband non-free as you wish)

deb http://security.debian.org/debian-security/ wheezy/updates main
deb http://deb.debian.org/debian/ wheezy-updates main

or in your case

deb http://ftp.nl.debian.org/debian-security/ wheezy/updates main
deb http://ftp.nl.debian.org/debian/ wheezy-updates main

then try

apt-get update && apt-get upgrade -y

verify it via

apt-cache policy ca-certificates

and compare installed with candidate while this is the latest version.

If you don't see the latest version, your repository might be outdated.

Off Topic

Debian has stated this about what LTS actually means to them, since 6.0.

Also, LTS is not done by the Debian security Team, that handles stable release security patches but by a "separate group of volunteers and companies interested". Also, they seem to pick-and-choose the packages, quote "The amount of packages which are properly supported depends directly on the level of support that we get"

As I understand it, for Wheezy, this means that since Jessie was release on April 25th 2016, you can actually expect timely security updates and patches until April 25th 2016 - especially since Stretch was released on June 17th of 2017.

But you can always contact them and ask for help with LTS here.

Related Solutions

Debian – update from debian lenny to squeeze

It seems you started off with the recommended procedure for upgrading which is great. I recommend trying to stick to that instead of prematurely doing a dist-upgrade. This procedure is worked out by testing on thousands of systems and is what we think is your best chance of a smooth upgrade.

In this case when you are doing apt-get upgrade we are EXPECTING lots of packages to be held back. That is by design. We want to do just a minimal upgrade in order to get the new kernel and udev installed, then reboot, then do the rest of the upgrade with dist-upgrade.

You should be concentrating on this error:

linux-image-2.6-amd64: Depends: linux-image-2.6.32-5-amd64 but it is not going to be installed

There is some reason why apt doesn't want to install linux-image-2.6.32-5-amd64. Find out by trying to install it directly with apt-get install linux-image-2.6.32-5-amd64, That will either install it, or will tell you specifically what is wrong with this package. When this results in a problem with another package, do the same with this package, by trying to install it directly, until you reach a root cause. Once the kernel is successfully installed, proceed with the upgrade instructions from there.

One artifact that doing this will have which may be undesired is marking the linux-image-2.6.32-5-amd64 package as automatically installed. After the upgrade is complete, and you are happy with the results, you might run apt-mark auto linux-image-2.6.32-5-amd64 to mark this package as automatically installed.

The reason that /etc/debian_version reads 6.0.5 is that you already update the base_files package. This is not a surpise.

The problems with mixing aptitude and apt-get were resolved with apt-get version 7.0 a few years ago, you should feel free to mix their use at will. In fact, Debian recommended aptitude for upgrading from one major release to another in the past and now recommends apt-get, so clearly Debian is recommending using both. We will recommend whichever one seems to work better for a given upgrade. On the lenny->squeeze upgrade, aptitude tends to think "too hard" about finding an optimal upgrade path, and the more simple dependency resolution in apt-get works for more people.

Debian Wheezy IPv6 isn’t configured with ifup post-up hook

I had the same issue that IPv6 configuration would fail when I would pass the ip parameter to the kernel. The problem is that the networking scripts try to add an IP address to the eth0 interface which is already there. This will of course fail and so further configuration is stopped.

The easiest solution was to simply remove the IPv4 part from /etc/network/interfaces since it's already configured through the ip parameter anyway:

auto eth0
iface eth0 inet6 static
        address 2001:db8:100:3022::2
        netmask 64
        gateway fe80::1

Update

Best Answer

Related Solutions

Debian – update from debian lenny to squeeze

Debian Wheezy IPv6 isn’t configured with ifup post-up hook

Related Topic