Debian Wheezy outdated root certificates
Solution 1:
You can try and refresh your certificate links in /etc/ssl/certs
with
update-ca-certificates --fresh
which redoes all the symlinks in /etc/ssl/certs
.
If that does not help, lets see if your packages are up-to-date
Make sure you have the security repos in your /etc/apt/sources.list
looking like this (add contrib
and non-free
as you wish)
deb http://security.debian.org/debian-security/ wheezy/updates main
deb http://deb.debian.org/debian/ wheezy-updates main
or in your case
deb http://ftp.nl.debian.org/debian-security/ wheezy/updates main
deb http://ftp.nl.debian.org/debian/ wheezy-updates main
then try
apt-get update && apt-get upgrade -y
verify it via
apt-cache policy ca-certificates
and compare installed with candidate while this is the latest version.
If you don't see the latest version, your repository might be outdated.
Off Topic
Debian has stated this about what LTS actually means to them, since 6.0.
Also, LTS is not done by the Debian security Team, that handles stable release security patches but by a "separate group of volunteers and companies interested". Also, they seem to pick-and-choose the packages, quote "The amount of packages which are properly supported depends directly on the level of support that we get"
As I understand it, for Wheezy, this means that since Jessie was release on April 25th 2016, you can actually expect timely security updates and patches until April 25th 2016 - especially since Stretch was released on June 17th of 2017.
But you can always contact them and ask for help with LTS here.
Solution 2:
I ran into the same problem on server still running Squeeze. I got it fixed by manually adding the required root certificate into the /usr/share/ca-certificates/cacert.org/cacert.org.crt
file:
su -
mkdir -p /usr/share/ca-certificates/cacert.org/
curl https://www.tbs-certificats.com/issuerdata/DigiCert_Global_Root_G2.crt > /usr/share/ca-certificates/cacert.org/cacert.org.crt
update-ca-certificates --fresh
Sidenote: That's not being downloaded from an alternate location as its official location is giving DNS issues at the time of writing.
If that still doesn't work then you might want to check the contents of the /etc/ca-certificates.conf
file. It should contain en entry cacert.org/cacert.org.crt
(somewhere at the top) which references said file.