Debian Wheezy outdated root certificates

Solution 1:

You can try and refresh your certificate links in /etc/ssl/certs with

update-ca-certificates --fresh

which redoes all the symlinks in /etc/ssl/certs. If that does not help, let's see if your packages are up-to-date.

Make sure you have the security repos in your /etc/apt/sources.list looking like this (add contrib and non-free as you wish)

deb http://security.debian.org/debian-security/ wheezy/updates main
deb http://deb.debian.org/debian/ wheezy-updates main

or in your case

deb http://ftp.nl.debian.org/debian-security/ wheezy/updates main
deb http://ftp.nl.debian.org/debian/ wheezy-updates main

then try

apt-get update && apt-get upgrade -y

verify it via

apt-cache policy ca-certificates

and compare installed with candidate while this is the latest version.

If you don't see the latest version, your repository might be outdated.


Off Topic

Debian has stated this about what LTS actually means to them, since 6.0.

Also, LTS is not done by the Debian Security Team, which handles stable release security patches, but by a "separate group of volunteers and companies interested". Also, they seem to pick and choose the packages, quote: "The amount of packages which are properly supported depends directly on the level of support that we get".

As I understand it, for Wheezy, this means that since Jessie was released on April 25th 2016, you can actually expect timely security updates and patches until April 25th 2016 - especially since Stretch was released on June 17th of 2017.

But you can always contact them and ask for help with LTS here.

Solution 2:

I ran into the same problem on a server still running Squeeze. I got it fixed by manually adding the required root certificate into the /usr/share/ca-certificates/cacert.org/cacert.org.crt file:

su -
mkdir -p /usr/share/ca-certificates/cacert.org/
curl https://www.tbs-certificats.com/issuerdata/DigiCert_Global_Root_G2.crt > /usr/share/ca-certificates/cacert.org/cacert.org.crt
update-ca-certificates --fresh

Sidenote: That's not being downloaded from an alternate location as its official location is giving DNS issues at the time of writing.

If that still doesn't work then you might want to check the contents of the /etc/ca-certificates.conf file. It should contain an entry cacert.org/cacert.org.crt (somewhere at the top) which references said file.
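
An added example, not part of the original answers: shell checks for the manual install described in Solution 2. They confirm that the downloaded file is a PEM certificate rather than an empty file or a saved error page, and that its entry in /etc/ca-certificates.conf is active rather than deselected with a leading "!". The function names are hypothetical; CERT_ROOT and CONF default to the paths used above and can be pointed at test copies.

```shell
#!/bin/sh
# Added example (not from the original answers): checks after manually
# installing a root certificate. CERT_ROOT and CONF are overridable so the
# functions can be pointed at test copies instead of the live system.
CERT_ROOT="${CERT_ROOT:-/usr/share/ca-certificates}"
CONF="${CONF:-/etc/ca-certificates.conf}"

# True only if the file is non-empty and has PEM certificate markers.
# Catches an empty file or an HTML error page saved by a failed download.
looks_like_pem() {
    [ -s "$1" ] &&
        grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '^-----END CERTIFICATE-----' "$1"
}

# Prints how ENTRY appears in ca-certificates.conf:
#   active      listed as-is
#   deselected  listed with a leading "!" (update-ca-certificates skips it)
#   missing     not listed (comment lines starting with "#" never match)
entry_status() {
    awk -v e="$1" '
        $0 == e       { s = "active" }
        $0 == ("!" e) { if (s == "") s = "deselected" }
        END           { print (s == "" ? "missing" : s) }
    ' "$CONF"
}

# Prints not-pem, or the conf status; succeeds only for an active PEM file.
check_manual_ca() {
    looks_like_pem "$CERT_ROOT/$1" || { echo "not-pem"; return 1; }
    status=$(entry_status "$1")
    echo "$status"
    [ "$status" = active ]
}

# Prints subject and SHA-256 fingerprint for comparison with the value the CA
# publishes, obtained over a separate channel from the download itself.
show_fingerprint() {
    openssl x509 -in "$CERT_ROOT/$1" -noout -subject -fingerprint -sha256
}

# Usage with the entry from Solution 2:
#   check_manual_ca cacert.org/cacert.org.crt && show_fingerprint cacert.org/cacert.org.crt
```

Run the check before update-ca-certificates --fresh, and compare the printed fingerprint by eye, since the certificate here came from a location other than the CA's own site.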