
bad certificate for 'security' subdomain on debian.org

I may be wrong, but I believe you have a bad certificate on the "security" subdomain of debian.org.

I can't use the bug reporter program because I'm only halfway to finishing a working Stretch installation. I haven't got X working yet. I'm trying to do it all https. I have the apt-transport-https package installed & appropriate lines in my sources.list, but when I do:

apt-get update

Along with other normal output I get 5 lines like this:

Ign:13 https://security.debian.org stretch/updates/main Sources

and then I get this:

Err:13 https://security.debian.org stretch/updates/main Sources
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Consequently, at the end I get:

E: Failed to fetch https://security.debian.org/dists/stretch/updates/main/source/Sources  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.

When I check https://security.debian.org in the Pale Moon browser (run from an ultra-light custom Ubuntu 16.04, 64-bit, built from the mini.iso with X & Openbox, kind of like a leaner version of Lubuntu) I get:

= = = = = = = = = = = = = = = = = = = = =
This Connection is Untrusted

You have asked Pale Moon to connect securely to security.debian.org, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

security.debian.org uses an invalid security certificate.

The certificate is only valid for www.debian.org

(Error code: ssl_error_bad_cert_domain)
= = = = = = = = = = = = = = = = = = = = =
So, it seems the certificate is bad for the subdomain 'security'. How's that for irony? The perplexing thing to me is that `apt-get update` seems to look there 6 times in the same run, and thinks it is ok 5 times and only notices the bad cert the 6th & final time. It's not a fluke - I've gotten the same result several times over several hours. Pale Moon consistently sees it as a bad certificate.

I know lots of ways to work around this but they all defeat the purpose of using https in the first place. I'm aware of the people who argue that https is superfluous in this application; but I'm also aware of technically astute people who argue to the contrary on technical grounds and, more importantly to me, of social-responsibility arguments for encryption of everything where it is at all possible. So I don't really want to forgo https if I can possibly make it work.

Here's my sources.list:

deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 xfce-CD Binary-1 20171209-12:11]/ stretch main

deb  https://deb.debian.org/debian stretch main
deb-src  https://deb.debian.org/debian stretch main

deb  https://deb.debian.org/debian stretch-updates main
deb-src  https://deb.debian.org/debian stretch-updates main

deb https://security.debian.org/ stretch/updates main
deb-src https://security.debian.org/ stretch/updates main

Sent with ProtonMail Secure Email.
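
The hostname check that fails in the message above, as an added example that is not part of the original message: it pulls the https hosts out of a sources.list and tests each against the DNS names a certificate presents, using RFC 6125-style matching (exact name, or `*` as the whole left-most label). The per-host name lists are constructed sample input (the security.debian.org entry mirrors the Pale Moon error quoted in the message), and the function names are this example's own.

```python
import re

# sources.list entries copied from the message above.
SOURCES_LIST = """\
deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 xfce-CD Binary-1 20171209-12:11]/ stretch main
deb  https://deb.debian.org/debian stretch main
deb-src  https://deb.debian.org/debian stretch main
deb https://security.debian.org/ stretch/updates main
deb-src https://security.debian.org/ stretch/updates main
"""

# Constructed sample input: DNS names each server's certificate presents.
# The security.debian.org entry mirrors the browser error quoted above;
# the deb.debian.org entry is an assumption for illustration.
PRESENTED = {
    "deb.debian.org": ["deb.debian.org"],
    "security.debian.org": ["www.debian.org"],
}

def https_hosts(sources_list):
    """Unique hostnames of https:// APT sources, in order of appearance."""
    hosts = []
    for line in sources_list.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        # Optional [options] field may precede the URI; cdrom: lines never match.
        m = re.match(r"deb(?:-src)?\s+(?:\[[^\]]*\]\s*)?https://([^/\s:]+)", line)
        if m and m.group(1).lower() not in hosts:
            hosts.append(m.group(1).lower())
    return hosts

def name_matches(host, pattern):
    """Exact match, or '*' standing for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]

def mismatched(sources_list, presented):
    """Hosts whose presented certificate names do not cover the hostname."""
    return [h for h in https_hosts(sources_list)
            if not any(name_matches(h, n) for n in presented.get(h, []))]

if __name__ == "__main__":
    for host in mismatched(SOURCES_LIST, PRESENTED):
        print(f"{host}: certificate only valid for {PRESENTED[host]}")
```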
