
How to make apt-transport-https accept security.debian.org bad certificate?



Hello.

I intend to use a secure connection (that means at the *transport* level) for downloading packages and lists from the Debian repository. I installed apt-transport-https. There seems to be no list of mirrors that accept HTTPS; nonetheless, I found that some listed mirrors accept HTTPS (for example mirrors.kernel.org). I configured one of them in my "sources.list".

When I run "apt-get update", I get the following error:

-----BEGIN PASTED TEXT----
Err https://security.debian.org wheezy/updates/main Sources
SSL: certificate subject name (debian.org) does not match target host name 'security.debian.org'
Err https://security.debian.org wheezy/updates/main amd64 Packages
SSL: certificate subject name (debian.org) does not match target host name 'security.debian.org'
Fetched 7637 kB in 33s (231 kB/s)
W: Failed to fetch https://security.debian.org/dists/wheezy/updates/main/source/Sources SSL: certificate subject name (debian.org) does not match target host name 'security.debian.org'

W: Failed to fetch https://security.debian.org/dists/wheezy/updates/main/binary-amd64/Packages SSL: certificate subject name (debian.org) does not match target host name 'security.debian.org'

E: Some index files failed to download. They have been ignored, or old ones used instead.
-----END PASTED TEXT----

There is a problem: security.debian.org has a bad certificate and there are no official mirrors. The certificate is only valid for "www.debian.org" and "debian.org", not "security.debian.org". You can check this with your browser by going to https://security.debian.org/.

My question is: How can I make "apt-get" accept the certificate anyway, but only _this_ certificate or other certificates that are otherwise valid but have the same subdomain mismatch error (it should reject a bogus certificate from an attacker)? In addition, where is the correct place to report this error?

The relevant lines in "/etc/apt/sources.list" are:

-----BEGIN PASTED TEXT----
deb https://security.debian.org/ wheezy/updates main
deb-src https://security.debian.org/ wheezy/updates main
-----END PASTED TEXT----

I know that the packages are signed. I am not looking for suggestions not to use HTTPS. I can use unencrypted connections, of course, but I am looking to have an added layer of security.

Regards and thanks in advance.
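
The host-scoped exception asked about above, as an added example that is not part of the original post: apt's https method reads per-host `Acquire::https::<host>::...` options, so the name check can be relaxed for security.debian.org alone while chain verification stays on against a single CA file. The file name and the CA path are assumptions (placeholders); any certificate chaining to that CA is accepted for this host, so this narrows trust but does not pin one leaf certificate.

```conf
// /etc/apt/apt.conf.d/90security-https  (hypothetical file name)

// Global defaults stay strict: verify the chain and the host name
// for every HTTPS source in sources.list.
Acquire::https::Verify-Peer "true";
Acquire::https::Verify-Host "true";

// Exception scoped to one host only.
// Chain verification stays on for this host...
Acquire::https::security.debian.org::Verify-Peer "true";
// ...but against one PEM file holding only the CA that the server's
// chain ends in, instead of the whole system store (placeholder path).
Acquire::https::security.debian.org::CaInfo "/etc/apt/certs/security-debian-org-ca.pem";
// Only the name comparison is skipped, and only for this host.
Acquire::https::security.debian.org::Verify-Host "false";

// Not this: the unscoped form drops the name check for all HTTPS mirrors.
// Acquire::https::Verify-Host "false";
```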

