Just installed PureOS9 - Error certificate NOT trusted - what do i do with this error?

Can you use the command line? If so, you can try to run sudo apt update (it’ll ask you for your password which you can safely give.) I just did this on a local Amber (PureOS 9) system and I was able to update successfully.

1 Like

Hi Jeremiah, Thank you for your response. I did try the sudo apt update command. It still does not work for me. Here is a screen shot of my tilix session trying the command & the results.

1 Like

If you were to install a package called ‘ca-certificates’ you should solve this issue. On Amber I did;

$ sudo apt install ca-certificates
$ update-ca-certificates

This fixed the error for me.

1 Like

One option might be to use the http: repo for the first apt-get update and then switch back to the https: repos. While you lose a little confidentiality, you won’t lose any security because the packages themselves are signed with PureOS’ key.

1 Like

Thank you again, I tried those terminal commands and it did not fix the certificate issue. However I just did a fresh install of Byzantium and everything is working fine. My certificate errors were on amber. Thanks for all the help.

1 Like

Excellent! :slight_smile:

Same problem as the others I’m afraid. Cannot get an update on a fresh install of PureOS 9 on two computers. With PureOS 10 still not a stable release, we’re left with a difficult choice of beginning the process of abandoning PureOS for Debian Bullseye, something which we’d rather not do.

1 Like

This is a known bug that also affected Debian Bullseye. It is due to the expiration of a Let’s Encrypt intermediate certificate and how that is handled. If you were to use the http repos for PureOS (http://repo.puri.sm/pureos/) then you would be able to upgrade and get the fix. Again, you will lose confidentiality but not security since the packages are signed with the PureOS key.

1 Like

Thanks. I did as you suggested and all works. Used http for the first upgrade and then afterwards added https back in and everything works. I haven’t experienced this on the computers I’ve installed Debian 11 on. Nonetheless all sorted on PureOS 9 now. Thanks.


I’m glad it worked out. I’m sorry about the hassle.

1 Like

Hi, how do you use these http repos for PureOS 9.0? I’m having this problem too (and doing sudo apt install ca-certificates | sudo update-ca-certificates did not fix it)

It’s preventing me from installing any other software, or updating PureOS.

Never mind, I figured it out. You need to edit /etc/apt/sources.list in an editor like vi (can’t install anything else until this is fixed, and no built-in gui text editor… kind of weird but anyways) to remove the https part and replace with http (PureOS repository not updating?).

Respectfully, I think this should have been explained for those users who aren’t very familiar with Linux. This is the OS that came bundled with a pricey (if worth it) computer.

1 Like

Ideally this issue wouldn’t have happened and for many folks it didn’t. However, those that have recently installed PureOS 9 or have recently received their Librem 14, this has, unfortunately, been an issue. It is not PureOS specific rather this is an issue in the way widely used software chooses to validate intermediate certificates. PureOS and Purism have no control over those intermediate certificate nor over software like OpenSSL.

Hi. I think I was told to move my issue here.
Essentially, I purchased Liberum 5 from someone who says it was new. I followed the instructions to boot it up with an activated AT&T sim card. I can send/receive messages and send/receive calls. I cannot access the internet via mobile data–only wifi. I have tried to update with wifi, but it gives me:
E: https://repo.pureos.net/pureos amber-updates/main arm 64 bsdutils arm64
1:2,33.1-0.1pureos1 is not (yet) available
(certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the
certificate verification (and then shows an IP address I don’t to attach)

-I have set the date/time manually.
-I can see my provider as active in Mobile settings.
-I purchased it from someone who got it new and never used it.
-It has Amber not Byzantium.
-I know nothing of how to use linux or command, and was directed here.
-I did try: $ apt update with no success, more errors not trusted or something. Also tried, $ sudo apt install ca-certificates --and then-- $ update-ca-certificates, but nothing.
-I do not understand “One option might be to use the http: repo for the first apt-get update and then switch back to the https: repos.”
-I don’t know how to do this. Is there some tutorial somewhere for people like me?

Thanks for any help you could give.

EDIT: This has been fixed. See below for anyone who needs step-by-step instructions if you cannot update & are getting a certificate error.

1 Like

That was the purpose of @amarok’s instructions, which I reproduce here for when other people have the same issue. Librem 5 will not update with wifi

OK, since you’re getting the certificate error, let’s see if we can do this, as mentioned in the other post:
  1. Open the terminal and type sudo nano /etc/apt/sources.list and enter your passcode. (This opens a system file that you’ll edit from the terminal.)
  2. On the keyboard, click on the globe icon and choose “Terminal” which will reveal some keys you’ll need.
  3. Using the down-arrow key, scroll through the displayed text until you’re positioned on the lines that contain links with “https:” in them.
  4. Navigating with the arrow keys, delete the s so that only “http:” is left. (Use backspace or delete, depending on where your cursor is positioned.) Change all the https to http. MAKE SURE you don’t change anything else.
  5. Finally, tap the “Control” key on the keyboard - it’s sticky - followed by the “x” key to exit.
  6. Confirm save, and save as same name.
  7. Tap on Control key to unstick it.

Now, with WiFi on, exit the terminal, go to the PureOS store, and select the Updates tab. Hit the refresh icon, and then approve any updates.

At some point, you’ll want to repeat this process to add the s back to “https:”, once the certificates get sorted out.


Hi, I am having trouble installing gnuhealth on PureOS as when I give the install command, it tells me that the Tryton certificate is not trusted or has expired.

I have tried troubleshooting the system as you say here and also removing the s from the https from the sources.list file as listed in this thread but I have not been able to perform the installation of GnuHealth,

I am keeping track of my actions in install gnu in pureos

could you please help me?

Translated with www.DeepL.com/Translator (free version)

Please post the contents of this file. Preferably without the comment lines i.e. without the lines that start with #

Putting aside GnuHealth for a moment, is your system up to date? After editing sources.list in the manner described, you need to update your system i.e. update PureOS.

PS It may help to show us the actual install command that you issued. The screenshot that you linked to, admittedly in a foreign language, does not appear to include the actual command and all the output.

Hello, I was able to move forward in the installation of GnuHealth with your help, because I started to think with your comment if I had updated and in fact yes, I had done it from the terminal, but reading more in this forum I saw that the update should be done from the application management applications of the operating system and I did, the computer was restarted for that purpose and after that, I could return to do the relevant steps, now I get other errors that I am trying to solve concerning the actual installation of GnuHealth.

Thank you very much!

1 Like

May I suggest starting a separate topic for that - as it has nothing to do with certificates in PureOS.

I myself am not familiar at all with GnuHealth or for that matter with the Python language. So I don’t think I’ll be able to troubleshoot that.

If you start a new topic then I suggest cutting and pasting in the actual text from the terminal session (the command that you entered and all the output that it produced) rather than pasting in a screenshot.