bad certificate for 'security' subdomain on debian.org
I may be wrong, but I believe you have a bad certificate on the "security" subdomain of debian.org.
I can't use the bug reporter program because I'm only halfway to finishing a working Stretch installation. I haven't got X working yet. I'm trying to do it all https. I have the apt-transport-https package installed & appropriate lines in my sources.list, but when I do:
apt-get update
Along with other normal output I get 5 lines like this:
and then I get this:
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Consequently at the end I get:
E: Some index files failed to download. They have been ignored, or old ones used instead.
When I check https://security.debian.org in the Pale Moon browser (run from an ultra-light custom Ubuntu 16.04, 64 bit, built from the mini.iso with X & Openbox, kind of like a leaner version of Lubuntu) I get:
= = = = = = = = = = = = = = = = = = = = =
This Connection is Untrusted
You have asked Pale Moon to connect securely to security.debian.org, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
security.debian.org uses an invalid security certificate.
(Error code: ssl_error_bad_cert_domain)
= = = = = = = = = = = = = = = = = = = = =
So, it seems the certificate is bad for the subdomain 'security'. How's that for irony? The perplexing thing to me is that `apt-get update` seems to look there 6 times in the same run, and thinks it is ok 5 times and only notices the bad cert the 6th & final time. It's not a fluke - I've gotten the same result several times over several hours. Pale Moon consistently sees it as a bad certificate.
I know lots of ways to work around this but they all defeat the purpose of using https in the first place. I'm aware of the people who argue that https is superfluous in this application; but I'm also aware of technically astute people who argue to the contrary on technical grounds and, more importantly to me, of social-responsibility arguments for encryption of everything where it is at all possible. So I don't really want to forgo https if I can possibly make it work.
Here's my sources.list:
deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official amd64 xfce-CD Binary-1 20171209-12:11]/ stretch main
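Added example, not part of the original post: Python that separates a hostname mismatch (what Pale Moon reports as ssl_error_bad_cert_domain) from a chain-trust failure, by validating the chain against the system CA store while deferring the name check. The certificates below are constructed with example.org names, and the function names are this example's own.

```python
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a '*' may only be the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard covers exactly one label; refuse patterns like '*.tld'.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def diagnose(hostname: str, cert: dict) -> str:
    """Classify a certificate dict in ssl.getpeercert() format."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if any(dns_name_matches(n, hostname) for n in names):
        return "ok"
    return "name mismatch: cert covers %s, not %s" % (names or "no DNS names", hostname)


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Live use: validate the chain against the system CA store but skip the
    hostname check, so a mismatch can be inspected instead of aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed certificates (example.org names, not the real Debian cert).
CERT_OTHER_HOST = {"subjectAltName": (("DNS", "mirror.example.org"),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org"))}

if __name__ == "__main__":
    for cert in (CERT_OTHER_HOST, CERT_WILDCARD):
        print(diagnose("security.example.org", cert))
```

Against a live server, `diagnose(host, fetch_cert(host))` reports which names the presented certificate covers; if `fetch_cert` itself raises `ssl.SSLCertVerificationError`, the problem is chain trust, not the name.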