
Bug#703932: Certificate problem =?= package integrity problem?



Hi,

(please don't send follow-ups to "random" bug reports – at least you
haven't said that you are using client certificates, which is what is
discussed in the bug report… – and I have my doubts the bug report is
current given that curl changed to a GnuTLS implementation in the
meantime, but I haven't invested enough time for a "checked and closed"
yet)

On Mon, May 02, 2016 at 11:07:50AM -0700, Ray Dillinger wrote:
> I'm getting a message that the certificate for
> "debian.org" is not applicable to "security.debian.org"
> and therefore none of these packages can be verified.

At a bare minimum we need the actual complete output rather than an
anecdotal incomplete summary.

But for starters: The security.debian.org archive isn't even available
over https, so the error messages you see likely don't mean what you
think they mean.

I bet you have configured it as an https source anyhow and apt says it
can't connect to the server, therefore can't download an (In)Release
file, and repositories without a Release file are dangerous as packages
can't be verified without this file (as it's the trust anchor).


> On the other hand, the https certificate ought to have
> no effect whatsoever on whether the packages can be
> verified.  The package signatures are all down to the
> debian keyring, or ought to be.

You are right, https has no effect on the package verification. Still,
if the certificates do not match what is expected apt will refuse
talking to the server as https at least provides (weak) pseudo-secrecy
[in so far as if your attacker listens closely on the line she will be
able to figure out which files you download by observing the size of the
data being transferred – so https gives you no strong benefits in the
context of apt]. After all, if you don't want apt to do that, why are
you using https…


Best regards

David Kalnischkies



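The two points in the message above – that the (In)Release file is the
trust anchor from which everything else in a repository is verified, and
that https adds only weak secrecy because transfer sizes still identify
the files – as an added, self-contained model. This is illustrative code
written for this page, not apt's own implementation or anything from the
bug report. All inputs (the .deb stand-ins, the Packages index, the
Release body, the observed byte counts) are constructed fixtures, and the
OpenPGP signature check apt performs on InRelease with gpgv against the
archive keyring is assumed to have already passed; the block starts from
the signed body and only walks the hash chain below it.

```python
"""Added example: the apt hash chain Release -> Packages -> .deb, plus the
size-based traffic analysis that https does not prevent. Fixtures only;
the OpenPGP signature on InRelease is assumed verified beforehand."""
import hashlib
import re

# Constructed stand-ins for .deb files (real ones are ar archives).
DEBS = {
    "pool/main/h/hello/hello_2.10-2_amd64.deb": b"\x00hello-deb-bytes" * 100,  # 1600 bytes
    "pool/main/s/sl/sl_5.02-1_amd64.deb": b"\x00sl-deb-bytes" * 40,            # 520 bytes
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_packages_index(debs):
    """Build a deb822-style Packages index listing size and SHA256 per .deb."""
    stanzas = []
    for filename, data in debs.items():
        name = filename.rsplit("/", 1)[1].split("_")[0]
        stanzas.append(f"Package: {name}\nFilename: {filename}\n"
                       f"Size: {len(data)}\nSHA256: {sha256(data)}\n")
    return "\n".join(stanzas)


PACKAGES_INDEX = build_packages_index(DEBS).encode()

# Constructed Release body (the part of InRelease that the signature covers):
# it pins the size and hash of every index file in the suite.
RELEASE_BODY = f"""\
Origin: Debian
Suite: stable
SHA256:
 {sha256(PACKAGES_INDEX)} {len(PACKAGES_INDEX)} main/binary-amd64/Packages
"""


def parse_release_hashes(release_text):
    """Return {path: (size, sha256)} from the SHA256: section of a Release body."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (int(size), digest)
        else:
            in_section = False  # any other header line ends the section
    return hashes


def parse_stanzas(index_text):
    """Parse a Packages index into a list of {field: value} dicts."""
    stanzas = []
    for block in re.split(r"\n\s*\n", index_text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def verify_blob(expected_size, expected_sha, data):
    """Cheap size check first, then the hash."""
    return len(data) == expected_size and sha256(data) == expected_sha


def verify_download(release_text, index_path, index_bytes, deb_filename, deb_bytes):
    """Walk the chain Release -> Packages index -> .deb. Returns (ok, reason).
    Without a Release entry there is nothing to anchor the index to, which is
    why apt treats a repository without a Release file as unverifiable."""
    release = parse_release_hashes(release_text)
    if index_path not in release:
        return False, "index not listed in Release (nothing to anchor to)"
    size, digest = release[index_path]
    if not verify_blob(size, digest, index_bytes):
        return False, "Packages index does not match Release"
    for st in parse_stanzas(index_bytes.decode()):
        if st.get("Filename") == deb_filename:
            if verify_blob(int(st["Size"]), st["SHA256"], deb_bytes):
                return True, "ok"
            return False, ".deb does not match Packages index"
    return False, ".deb not listed in Packages index"


def candidates_by_size(index_text, observed_bytes, overhead=0, slack=0):
    """Traffic analysis: TLS hides the URL, not the length. Given the bytes seen
    on the wire (minus an assumed per-connection overhead), return the packages
    whose Size field fits; with sizes this distinct the download is identified."""
    payload = observed_bytes - overhead
    return sorted(st["Package"] for st in parse_stanzas(index_text)
                  if abs(int(st["Size"]) - payload) <= slack)


if __name__ == "__main__":
    hello = "pool/main/h/hello/hello_2.10-2_amd64.deb"
    print(verify_download(RELEASE_BODY, "main/binary-amd64/Packages",
                          PACKAGES_INDEX, hello, DEBS[hello]))
    print(candidates_by_size(PACKAGES_INDEX.decode(), 1600 + 300, overhead=300))
```

The chain order matters: the Packages index is checked against Release
before any stanza in it is trusted, so a tampered index fails first and a
tampered .deb fails second, while a Release body that does not list the
index at all is rejected outright rather than "verified" against nothing.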