@Lukas238
Last active November 16, 2021 15:19
Let's Encrypt Root Certs update - Sept 2021 expiration fix

Root Cert update

Error message:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Up-to-date system

Run these commands to update the root certificates of your system:

sudo apt update
sudo apt upgrade
sudo dpkg-reconfigure ca-certificates

Outdated system

  1. Run these commands to download the latest LetsEncrypt root CA certs:
sudo curl -k https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /usr/local/share/ca-certificates/isrgrootx1.crt
sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx1.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx1.crt
sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx2.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx2.crt
sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx1.crt
sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx2.crt
sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx3.crt
sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx4.crt
  2. Run this command to reconfigure the certs in your system: sudo dpkg-reconfigure ca-certificates
  • During the reconfigure stage, please deselect the "DST Root CA X3" certificate.

After these steps, apt update should work for LetsEncrypt based sources and wget and curl should not complain.

Note: the curl -k parameter allows curl to connect to an 'insecure' SSL server, which is the case here, as the LetsEncrypt certificate is not trusted.
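
Because -k disables certificate verification for the download itself, the fetched files are unauthenticated, so each one should be checked against a SHA-256 fingerprint read from a machine with a working trust store before dpkg-reconfigure is run. The following is an added example, not part of the original gist. The function names, the file name pin.sh and the staging directory are assumptions, and the fingerprint shown is a placeholder.

```shell
#!/bin/sh
# Added example: pin a CA file fetched with `curl -k` to a fingerprint
# obtained out-of-band before it is copied into a trust-anchor directory.

# Normalise a fingerprint: drop colons/spaces/newlines, upper-case the hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the certificate in PEM file $1.
# Fails if openssl is missing or the file is not a parseable certificate.
cert_sha256() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    # openssl prints "<label> Fingerprint=AA:BB:..."; keep the part after "=".
    norm_fp "${out#*=}"
}

# Succeed only if file $1 is a certificate whose fingerprint equals $2.
fp_matches() {
    actual=$(cert_sha256 "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$(norm_fp "$2")" ]
}

# Copy $1 into directory $3 under the name $4 only when it matches pin $2.
install_if_pinned() {
    if fp_matches "$1" "$2"; then
        cp "$1" "$3/$4"
    else
        echo "fingerprint mismatch for $1, not installing" >&2
        return 1
    fi
}

# Usage sketch (pin.sh is a hypothetical name for this file; the fingerprint
# is a placeholder to be read from a machine with a working trust store):
#   curl -k https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /tmp/isrgrootx1.pem
#   . ./pin.sh
#   install_if_pinned /tmp/isrgrootx1.pem "<SHA-256 FINGERPRINT>" ./staged isrgrootx1.crt
```

Only files that pass the check should then be copied from the staging directory to /usr/local/share/ca-certificates.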


Via: https://stackoverflow.com/a/69562796/4681770
