I've run into a strange problem where a server that's running Debian 7 won't connect to some websites using SSL. After debugging, it turns out that the root certificates for those sites are not known and therefore not trusted. The case I was debugging was from DigiCert "DigiCert Global Root G2".
Of course I tried updating the system and running sudo update-ca-certificates, but it didn't solve the problem. However, looking at Debian's git repository, it looks like ca-certificates is up-to-date. In fact, the one I was looking for is there.
Am I missing something? Do I need to do something special to keep up-to-date? Or is the version in git just not released yet? In that case, what can I do to be more up-to-date regardless? I'd rather not manually add root certificates.
Update
    sudo apt-cache policy ca-certificates
    ca-certificates:
      Installed: 20130119+deb7u1
      Candidate: 20130119+deb7u2
      Version table:
         20130119+deb7u2 0
            500 http://security.debian.org/ wheezy/updates/main amd64 Packages
     *** 20130119+deb7u1 0
            500 http://ftp.nl.debian.org/debian/ wheezy/main amd64 Packages
            100 /var/lib/dpkg/status
I'm not exactly sure what happened, but I'm only getting this after I changed my source list. Seeing as it is from security.debian.org, I'm worried that the repo didn't work before.
Best Answer
You can try and refresh your certificate links in /etc/ssl/certs with
    update-ca-certificates --fresh
which redoes all the symlinks in /etc/ssl/certs. If that does not help, let's see if your packages are up-to-date.
Make sure you have the security repos in your /etc/apt/sources.list looking like this (add contrib and non-free as you wish)
or in your case
then try
    apt-get update && apt-get upgrade -y
verify it via
    apt-cache policy ca-certificates
and compare installed with candidate while this is the latest version.
If you don't see the latest version, your repository might be outdated.
Off Topic
Debian has stated this about what LTS actually means to them, since 6.0.
Also, LTS is not done by the Debian security Team, which handles stable release security patches, but by a "separate group of volunteers and companies interested". Also, they seem to pick and choose the packages, quote: "The amount of packages which are properly supported depends directly on the level of support that we get"
As I understand it, for Wheezy, this means that since Jessie was released on April 25th 2016, you can actually expect timely security updates and patches until April 25th 2016 - especially since Stretch was released on June 17th of 2017.
But you can always contact them and ask for help with LTS here.
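The installed-versus-candidate comparison described in the answer can be scripted. The following is an added example, not part of the original question or answer: it parses the apt-cache policy output quoted in the question and reports which repository offers the pending candidate. The function names sample_policy and policy_status are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: report whether a package lags behind its APT candidate
# and which repository offers that candidate.

# Sample input: the `apt-cache policy` output quoted in the question.
sample_policy() {
cat <<'EOF'
ca-certificates:
  Installed: 20130119+deb7u1
  Candidate: 20130119+deb7u2
  Version table:
     20130119+deb7u2 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
 *** 20130119+deb7u1 0
        500 http://ftp.nl.debian.org/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

# policy_status (hypothetical helper): reads policy output on stdin, prints
#   missing | current <version> | pending <installed> -> <candidate> from <source>
policy_status() {
  awk '
    $1 == "Installed:" { inst = $2 }
    $1 == "Candidate:" { cand = $2 }
    /Version table:/   { in_table = 1; next }
    # Source line: "<priority> <URL or path> ..."
    in_table && (index($2, "/") == 1 || $2 ~ /^[a-z]+:/) {
      # Remember the first remote source listed under the candidate version.
      if ((cur "") == (cand "") && src == "" && index($2, "/") != 1) src = $2
      next
    }
    # Anything else in the table is a version header, "***" marks installed.
    in_table { cur = ($1 == "***") ? $2 : $1 }
    END {
      if (inst == "" || inst == "(none)") print "missing"
      else if ((inst "") == (cand "")) print "current " inst
      else print "pending " inst " -> " cand " from " (src == "" ? "unknown" : src)
    }'
}

# Live use: apt-cache policy ca-certificates | policy_status
sample_policy | policy_status
```

A "pending" result whose source is the security archive means the fix is available but has not been installed yet, which is the state shown in the question's update.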