I may be wrong, but I believe you have a bad certificate on the "security" subdomain of debian.org.
I can't use the bug reporter program because I'm only halfway to finishing a working Stretch installation. I haven't got X working yet. I'm trying to do it all https. I have the apt-transport-https package installed & appropriate lines in my sources.list, but when I do: apt-get update Along with other normal output I get 5 lines like this: Ign:13 https://security.debian.org stretch/updates/main Sources and then I get this: Err:13 https://security.debian.org stretch/updates/main Sources server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none Consequentially at the end I get: E: Failed to fetch https://security.debian.org/dists/stretch/updates/main/source/Sources server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none E: Some index files failed to download. They have been ignored, or old ones used instead. When I check https://security.debian.org in palemoon browser (run from an ultra-light custom Ubuntu 16.04, 64 bit, built from the mini.iso with X & Openbox, kind of like a leaner version of Lubuntu) I get: = = = = = = = = = = = = = = = = = = = = = This Connection is Untrusted You have asked Pale Moon to connect securely to security.debian.org, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue. security.debian.org uses an invalid security certificate. The certificate is only valid for www.debian.org (Error code: ssl_error_bad_cert_domain) = = = = = = = = = = = = = = = = = = = = = So, it seems the certificate is bad for the subdomain 'security'. How's that for irony? The perplexing thing to me is that `apt-get update` seems to look there 6 times in the same run, and thinks it is ok 5 times and only notices the bad cert the 6th & final time. It's not a fluke - I've gotten the same result several times over several hours. Palemoon consistently sees it as a bad certificate. I know lots of ways to work around this but they all defeat the purpose of using https in the first place. I'm aware of the people who argue that https is superfluous in this application; but I'm also aware of technically astute people who argue to the contrary on technical grounds and, more importantly to me, of social-responsibility arguments for encryption of everything where it is at all possible. So I don't really want to forgo https if I can possibly make it work. Here's my sources.list: deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 xfce-CD Binary-1 20171209-12:11]/ stretch main deb https://deb.debian.org/debian stretch main deb-src https://deb.debian.org/debian stretch main deb https://deb.debian.org/debian stretch-updates main deb-src https://deb.debian.org/debian stretch-updates main deb https://security.debian.org/ stretch/updates main deb-src https://security.debian.org/ stretch/updates main Sent with [ProtonMail](https://protonmail.com) Secure Email.
