Update OS: The certificate chain uses expired certificate


“$ sudo apt update” currently fails. Message “Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification.” shows.

Has this been noted and will the certificates been updates shortly?

Kind regards,

Is your date & time set right?

Data point: works fine for me.

After checking the date/time as the previous post suggests, if still not resolved then …

For starters you should confirm what host is being accessed e.g.

# apt update
Hit:1 https://repo.pureos.net/pureos amber InRelease
Get:2 https://repo.pureos.net/pureos amber-updates InRelease [5,843 B]
Get:3 https://repo.pureos.net/pureos amber-security InRelease [5,845 B]
Get:4 https://repo.pureos.net/pureos amber-phone InRelease [5,839 B]
Fetched 17.5 kB in 10s (1,812 B/s)      

and you should confirm what IP address that is
nslookup repo.pureos.net.

The above is on a Librem 5. YMMV if on a different device.

Thank you very much for your prompt reply.

Today updates were not an issue anymore.

Holen:5 https://mirror.linux.pizza/pureos amber InRelease [5.784 B]
Holen:6 https://mirror.linux.pizza/pureos amber-security InRelease [5.845 B]
Holen:7 https://mirror.linux.pizza/pureos amber-updates InRelease [5.843 B]

Still, I keep you suggestions in mind, if this issues shows again.

Kind regards!

1 Like

Just remember that if you are getting packages via a mirror then there is nothing that Purism can do to make the mirror have a valid certificate.

The most likely explanation here is that the mirror really did let the certificate expire. I’ve seen any number of web sites that are not closely managed, who only notice that the certificate expiry date approaches after the date has passed. So you will get a few days when the certificate genuinely is not valid.

That said, that site appears to be using Let’s Encrypt and I thought certificate updates were supposed to be automatic in that case …