I am using Pureos Byzantium on Librem 14. Installed is/was ca-certificates-20210119, which according to the Debian package changelogs is seriously out of date, containing expired and missing certificates. So I followed the steps set out here to use Debian testing: When are debian testing packages merged to PureOS 10 repo? - #4 by amosbatto
I installed the ca-certificates-20250419 from Debian testing. No other packages. The ncurses menu popped up to allow selection of trusted certs, as expected. However, it looked like a list of additional certs to install, not a whole new list. Then, when config was over and the program to finish installing, an error occured:
"W:/usr/share/ca-certificates/mozilla/QuoVadis Root CA.crt not found, but listed in ca-certificates.conf.
rehash warning: ca-certificates.crt, it does not contain exactly one certificate or CRL
…
updating /etc/ssl/certs…
"W:/usr/share/ca-certificates/mozilla/QuoVadis Root CA.crt not found, but listed in ca-certificates.conf.
0 added and 0 removed
then proceeds to run update.d
Looking at ca-certificates.conf, the file is the same as 2021 original, with no new listings for the 2025 new certs. And no changes to /etc/ssl/certs either.
EDIT: /usr/share/ca-certificates/mozilla was updated with new certs.
When running <<apt-get --dry-run remove ca-certificates>>, the associated packages to be removed along with it is long, including important packages associated with gnome-software.
Not sure how fix this. My experience with and resorting to an outside repo is limited.
Any ideas or guidance is appreciated.
My guess is that the “QuoVadis” CA cert was removed when you installed ca-certificates-20250419 but for some reason it was not removed from the ca-certificates.conf file. So you could try doing that yourself: open the ca-certificates.conf file with a text editor and remove the line(s) involving “QuoVadis”.
Does that help?
(save a copy of the original ca-certificates.conf file before editing it, so that you can change back again if needed)
Just removed QuoVadis_Root_CA.crt from the ca-certificates.conf file.
Ran update-ca-certificates. Result 0 added, 0 removed.
No change – perhaps because the the ca-certificates.conf file never changed. How do
I get an updated conf file?
Even apt-get install --reinstall ca-certificates fails:
“Unable to locate package ca-certificates-20250419”
Despite the package showing in apt-cache:
apt-cache show ca-certificates
Package: ca-certificates
Version: 20250419
Installed-Size: 390
Maintainer: Julien Cristau jcristau@debian.org
Architecture: all
Depends: openssl (>= 1.1.1), debconf (>= 0.5) | debconf-2.0
Enhances: openssl
Breaks: ca-certificates-java (<< 20121112+nmu1)
Description: Common CA certificates
Description-md5: e867d2a359bea1800b5bff209fc65bd1
Multi-Arch: foreign
Tag: protocol::ssl, role::app-data, security::authentication
Section: misc
Priority: standard
Filename: pool/main/c/ca-certificates/ca-certificates_20250419_all.deb
Size: 161704
MD5sum: ea04777e0779a9e36b0a13bac0e61b4b
SHA256: ef590f89563aa4b46c8260d49d1cea0fc1b181d19e8df3782694706adf05c184
Dpkg-query indicates that the ca-certificates pkg installed is the 20250419 version.
So I guess how do I force apt to recognize the pacakge in the cache and “install --reinstall”?
EDIT:
apt-get install --reinstall --no-download ca-certificates
Starts install – with the same error, although offending QuoVadis CA.crt was removed from ca-certificates.conf:
After this operation, 0 B of additional disk space will be used.
Preconfiguring packages …
(Reading database … 266578 files and directories currently installed.)
Preparing to unpack …/ca-certificates_20250419_all.deb …
Unpacking ca-certificates (20250419) over (20250419) …
Setting up ca-certificates (20250419) …
Updating certificates in /etc/ssl/certs…
W: /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.
0 added, 0 removed; done.
Processing triggers for man-db (2.9.4-2) …
Processing triggers for ca-certificates (20250419) …
Updating certificates in /etc/ssl/certs…
W: /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…
done.
Has anyone else had such an experience with ca-certificates?
Using another repo where the repo overlaps with the existing repo(s) can be fraught.
If your concern is only with web browsing then you may be better off attempting to import extra CA certificates directly into the browser but I don’t have a step-by-step procedure for doing that (and you can manually disable any expired CA certificates).
Yes, that has come up a few times. Obviously for you it was only a dry run so no harm done.
Unless you’re experiencing a real tangible issue because of missing root certificates, there’s no reason to update ca-certificates package - and if you do, that’s an issue to report to Debian bullseye which is still under security support.
You definitely shouldn’t go and install packages built for different suites and different distros on your system unless you know exactly what you’re doing (or your intent is to break stuff for educational or entertainment purposes ).