It's possible in certain upgrade scenarios that the certs have been permanently blacklisted on your system.
Look at the /etc/ca-certificates.conf file to see if the following two lines start with a "!" character: mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt mozilla/VeriSign_Universal_Root_Certification_Authority.crt If they do begin with "!", you need to reconfigure ca-certificates with: sudo dpkg-reconfigure ca-certificates That should ask you which certificates to activate. Make sure those two are checked. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1913951 Title: ca-certificates: Symantec CA blacklisted for non-TLS uses Status in ca-certificates package in Ubuntu: Fix Released Status in ca-certificates source package in Groovy: Fix Released Status in ca-certificates source package in Hirsute: Fix Released Status in ca-certificates package in Debian: Fix Committed Bug description: ~$ lsb_release -rd Description: Ubuntu 20.10 Release: 20.10 ~$ apt list --installed | grep ca-certificates WARNING: apt does not have a stable CLI interface. Use with caution in scripts. ca-certificates/groovy-updates,groovy-security,now 20201027ubuntu0.20.10.1 all [installed,automatic] Repro steps: 1. Open Terminal. 2. Execute: wget https://dot.net/v1/dotnet-install.sh chmod +x ./dotnet-install.sh ./dotnet-install.sh -c 5.0 export DOTNET_ROOT=$HOME/.dotnet export PATH=$PATH:$HOME/.dotnet dotnet new console dotnet add package System.Collections.Immutable Expected result: Package restore will succeed. Actual result: Package restore fails with: error: NU3028: Package 'System.Collections.Immutable 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain There has been a planned process to distrust Symantec certificates in the certificate store over the past two years. The Debian ca-certificates package removed this CA for both TLS (expected) and other uses (like timestamping) (unexpected). Trust was added back in a subsequent update. See https://release.debian.org/proposed-updates/stable.html#ca-certificates_20200601~deb10u2 for details. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1913951/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
