Just installed PureOS9 - Error certificate NOT trusted - what do I do with this error?

The issue is an intermediate expiration of certificates in the CA chain of trust: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

This is biting a lot of folks and we’re working on fixes for PureOS 9 Amber and PureOS 10 Byzantium.

I’ll look into that ASAP.

source.puri.sm has an updated cert as of October 5th.

1 Like

I have had the same issue on my laptop for the last 3 days. I can’t install software from the PureOS software center, I can’t update my system either. I was able to enable flatpaks, which is the only way to install something on my system. All terminal commands to update and install fail due to “certificate NOT trusted” errors.

Yes, my clock is set correctly, I have rebooted several times, tried different ethernet connections & even USB tethering from my phone. I have tried all the terminal commands to update & upgrade. All terminal commands fail with the same certificate NOT trusted error. I was just about to re-install my OS from scratch but decided to check the forum before I did.

I am willing and able to install the beta version of Pure OS if it will correct the issue. What can I do to correct this error?

1 Like

You don’t need to do anything, nor can you realistically.

You wait until the server end resolves the issue. You can see from the above posts that this issue has “director level” attention!

However it may now already be fixed because I see “Validity Not Before Wed, 06 Oct 2021 05:35:40 GMT” for Purism’s repo certificate i.e. freshly baked.

So perhaps try again now.

Can you use the command line? If so, you can try to run sudo apt update (it’ll ask you for your password which you can safely give.) I just did this on a local Amber (PureOS 9) system and I was able to update successfully.

1 Like

Hi Jeremiah, Thank you for your response. I did try the sudo apt update command. It still does not work for me. Here is a screen shot of my tilix session trying the command & the results.

1 Like

If you were to install a package called ‘ca-certificates’ you should solve this issue. On Amber I did;

$ sudo apt install ca-certificates
$ update-ca-certificates

This fixed the error for me.

1 Like

One option might be to use the http: repo for the first apt-get update and then switch back to the https: repos. While you lose a little confidentiality, you won’t lose any security because the packages themselves are signed with PureOS’ key.

1 Like

Thank you again, I tried those terminal commands and it did not fix the certificate issue. However I just did a fresh install of Byzantium and everything is working fine. My certificate errors were on amber. Thanks for all the help.

1 Like

Excellent! 🙂

Same problem as the others I’m afraid. Cannot get an update on a fresh install of PureOS 9 on two computers. With PureOS 10 still not a stable release, we’re left with a difficult choice of beginning the process of abandoning PureOS for Debian Bullseye, something which we’d rather not do.

1 Like

This is a known bug that also affected Debian Bullseye. It is due to the expiration of a Let’s Encrypt intermediate certificate and how that is handled. If you were to use the http repos for PureOS (http://repo.puri.sm/pureos/) then you would be able to upgrade and get the fix. Again, you will lose confidentiality but not security since the packages are signed with the PureOS key.

Thanks. I did as you suggested and all works. Used http for the first upgrade and then afterwards added https back in and everything works. I haven’t experienced this on the computers I’ve installed Debian 11 on. Nonetheless all sorted on PureOS 9 now. Thanks.

1 Like

I’m glad it worked out. I’m sorry about the hassle.

Hi, how do you use these http repos for PureOS 9.0? I’m having this problem too (and doing sudo apt install ca-certificates | sudo update-ca-certificates did not fix it)

It’s preventing me from installing any other software, or updating PureOS.

Never mind, I figured it out. You need to edit /etc/apt/sources.list in an editor like vi (can’t install anything else until this is fixed, and no built-in GUI text editor… kind of weird but anyways) to remove the https part and replace with http (PureOS repository not updating?).

Respectfully, I think this should have been explained for those users who aren’t very familiar with Linux. This is the OS that came bundled with a pricey (if worth it) computer.

1 Like

Ideally this issue wouldn’t have happened and for many folks it didn’t. However, for those that have recently installed PureOS 9 or have recently received their Librem 14, this has, unfortunately, been an issue. It is not PureOS specific; rather, this is an issue in the way widely used software chooses to validate intermediate certificates. PureOS and Purism have no control over those intermediate certificates nor over software like OpenSSL.

Hi. I think I was told to move my issue here.
Essentially, I purchased a Librem 5 from someone who says it was new. I followed the instructions to boot it up with an activated AT&T SIM card. I can send/receive messages and send/receive calls. I cannot access the internet via mobile data–only wifi. I have tried to update with wifi, but it gives me:
E: https://repo.pureos.net/pureos amber-updates/main arm 64 bsdutils arm64
1:2,33.1-0.1pureos1 is not (yet) available
(certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the
certificate verification (and then shows an IP address I don’t want to attach)

-I have set the date/time manually.
-I can see my provider as active in Mobile settings.
-I purchased it from someone who got it new and never used it.
-It has Amber not Byzantium.
-I know nothing of how to use linux or command, and was directed here.
-I did try: $ apt update with no success, more errors not trusted or something. Also tried, $ sudo apt install ca-certificates --and then-- $ update-ca-certificates, but nothing.
-I do not understand “One option might be to use the http: repo for the first apt-get update and then switch back to the https: repos.”
-I don’t know how to do this. Is there some tutorial somewhere for people like me?

Thanks for any help you could give.

EDIT: This has been fixed. See below for anyone who needs step-by-step instructions if you cannot update & are getting a certificate error.

1 Like

That was the purpose of @amarok’s instructions, which I reproduce here for when other people have the same issue. Librem 5 will not update with wifi


OK, since you’re getting the certificate error, let’s see if we can do this, as mentioned in the other post:
  1. Open the terminal and type sudo nano /etc/apt/sources.list and enter your passcode. (This opens a system file that you’ll edit from the terminal.)
  2. On the keyboard, click on the globe icon and choose “Terminal” which will reveal some keys you’ll need.
  3. Using the down-arrow key, scroll through the displayed text until you’re positioned on the lines that contain links with “https:” in them.
  4. Navigating with the arrow keys, delete the s so that only “http:” is left. (Use backspace or delete, depending on where your cursor is positioned.) Change all the https to http. MAKE SURE you don’t change anything else.
  5. Finally, tap the “Control” key on the keyboard - it’s sticky - followed by the “x” key to exit.
  6. Confirm save, and save as same name.
  7. Tap on Control key to unstick it.

Now, with WiFi on, exit the terminal, go to the PureOS store, and select the Updates tab. Hit the refresh icon, and then approve any updates.

At some point, you’ll want to repeat this process to add the s back to “https:”, once the certificates get sorted out.

2 Likes
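
The https-to-http switch and the later switch back, as described in the steps above, written as an added shell example (not part of the original posts and not PureOS tooling). The function names are hypothetical, the host name is the one from the error message quoted in the thread, and the refusal when an entry carries apt's `trusted=yes` option is an added safeguard: the "packages are signed" argument only holds while apt still verifies signatures.

```shell
# Added example; function names are hypothetical, not PureOS tooling.
# Usage (as root): set_repo_scheme /etc/apt/sources.list repo.pureos.net http
#                  apt update && apt upgrade, then call again with "https".

# Escape dots so the host name is matched literally in a regex.
_host_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_repo_scheme FILE HOST SCHEME  (SCHEME is http or https)
set_repo_scheme() {
    file=$1 host=$2 scheme=$3
    host_re=$(_host_re "$host")
    case $scheme in
        http)  from=https ;;
        https) from=http ;;
        *) echo "scheme must be http or https" >&2; return 2 ;;
    esac
    # With [trusted=yes] apt skips signature verification, so plain http
    # would leave packages unauthenticated: refuse that downgrade.
    if [ "$scheme" = http ] && grep -Eq \
        "^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes[^]]*\][[:space:]]+https://$host_re/" \
        "$file"; then
        echo "refusing: $host entry has trusted=yes" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1   # keep the previous version
    # Touch only active deb/deb-src lines for HOST; comments stay as they are.
    sed -E "/^[[:space:]]*deb(-src)?[[:space:]]/ s#${from}://${host_re}/#${scheme}://${host}/#" \
        "$file.bak" > "$file"
}

# count_scheme FILE HOST SCHEME: print how many active lines use SCHEME for HOST.
count_scheme() {
    host_re=$(_host_re "$2")
    grep -cE "^[[:space:]]*deb(-src)?[[:space:]](.*[[:space:]])?$3://$host_re/" "$1" || true
}
```

After the upgrade has pulled in the fixed packages, `count_scheme /etc/apt/sources.list repo.pureos.net http` printing 0 confirms that no entry was left on plain http.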