On 2021-12-26 at 13:43 +0100, SZÉPE Viktor wrote:
> Idézem/Quoting Mauricio Tavares <raubvo...@gmail.com>:
>
> > raub@testbox:~$ wget
> > https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.2.0-amd64-netinst.iso
> > --2021-12-26 07:15:41--
> > https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.2.0-amd64-netinst.iso
> > Resolving cdimage.debian.org... 194.71.11.173, 194.71.11.165,
> > 2001:6b0:19::173, ...
> > Connecting to cdimage.debian.org|194.71.11.173|:443... connected.
> > ERROR: cannot verify cdimage.debian.org's certificate, issued by
> > '/C=US/O=Let\'s Encrypt/CN=R3':
> > Issued certificate has expired.
> > To connect to cdimage.debian.org insecurely, use `--no-check-
> > certificate'..
> > raub@testbox:~$
>
> Hello Mauricio!
>
> Your CA-s may include an expired one.
> Try excluding mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf
>
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995432, Mauricio.

As Viktor says, you can put a ! in front of mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf and run update-ca-certificates to update the certificates.

Not having the expired DST Root CA should make it able to find the other, non-expired root.

Best regards
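The edit described in this reply, as an added example that is not part of the original message: a small shell helper that prefixes one entry in a ca-certificates.conf-style file with `!`, leaves comments and other entries untouched, and is safe to run twice. The function name `deselect_ca` and its return codes are hypothetical; only the file path, the entry name and `update-ca-certificates` come from the thread.

```shell
#!/bin/sh
# Added example: deselect one CA entry in a ca-certificates.conf-style file.
# deselect_ca is a hypothetical helper name, not part of ca-certificates.
# Returns 0 = deselected (or already was), 2 = entry not listed, 3 = I/O error.

deselect_ca() {
    conf=$1
    entry=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 3; }

    # Already deselected: nothing to do, so a second run changes nothing.
    if grep -Fxq "!$entry" "$conf"; then
        echo "already deselected: $entry"
        return 0
    fi
    # Whole-line match only; '#' comment lines never match the bare entry.
    if ! grep -Fxq "$entry" "$conf"; then
        echo "not listed: $entry" >&2
        return 2
    fi
    # Keep a backup, then prefix only the exact matching line with '!'.
    cp -p "$conf" "$conf.bak" || return 3
    tmp=$(mktemp) || return 3
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"   # write in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 3
    echo "deselected: $entry"
}

# Real use (as root), followed by the rebuild step named in the reply:
#   deselect_ca /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt \
#       && update-ca-certificates
```

The backup is left at `<conf>.bak`, so the change can be reverted by copying it back and running update-ca-certificates again.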