On 10/04/21 at 11:54, Thomas Schmitt wrote: > Hi, > > mett wrote: > > the final solution is: > > -disable the certs with an ! before the cert name > > (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt) > > -then, rebuild the cert directory (update-ca-certificates --fresh) > > Indeed this brought success with wget on the Debian 8 machine. > > $ wget https://lists.debian.org > ... > 2021-10-04 11:48:12 (7.34 MB/s) - ‘index.html’ saved [7533/7533] > $ > > I copied > /usr/share/ca-certificates > /etc/ca-certificates.conf > /etc/ssl/certs > from the Debian 10 machine (dist-upgraded last week) to the Debian 8. > But with or without a run of > update-ca-certificates --fresh > wget did not work. > The proposal of mett finally got wget to download lists.debian.org with > certificate check enabled. > > > Now i am puzzled why this operation is not necessary on Debian 10 from > where the file /etc/ca-certificates.conf was copied. > The entry is in /etc/ca-certificates.conf, > DST_Root_CA_X3.crt exists in /usr/share/ca-certificates, > the link DST_Root_CA_X3.pem exists in /etc/ssl/certs. > Nevertheless wget works on my Debian 10 with https://lists.debian.org. Maybe the default CA for Let's Encrypt are different on Debian 8 and Debian 9/10.
> > > -then, restart your servers. > > I am not aware of any servers on the Debian 8 machine which would have to > do with certificates. I had not to restart anything after > update-ca-certificates --fresh > wget worked immediately after. > > Do SSL clients depend on a local service ? SSL clients do not depend on a local service. Just I had a similar problem with different parameters: -a debian 8 server -and php. That is why I said restart your servers (thinking apache and php-fpm). Sorry for that. > > > Have a nice day :) > > Thomas > Have a nice day too!
