Maren S. Leizaola wrote:
Hello,
Even if I force wget to accept your expired certificate I
can't get apt-get update to work when pointing to your servers. It has been
like this for a few days now.
For www.knot-dns.cz:443, I get the following certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1930293056481435 (0x6db975ff1a89b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
Validity
Not Before: Mar 6 08:10:36 2015 GMT
Not After : Mar 6 08:13:13 2017 GMT
Subject: C=CZ, ST=Hlavni mesto Praha, L=Praha - Vinohrady, O=CZ.NIC, z.s.p.o., CN=www.knot-dns.cz/emailAddress=hostmaster(a)knot-dns.cz
For deb.knot-dns.cz:443, I get the following certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:e3:ba:a1:3f:f7:83:b7:e5:94:f4:97:db:42:e6:11:e4:7d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Jul 2 03:26:00 2016 GMT
Not After : Sep 30 03:26:00 2016 GMT
Subject: CN=deb.knot-dns.cz
Neither certificate is currently expired.
Hit http://ftp.debian.org wheezy-updates/main Translation-en/DiffIndex
Err http://deb.knot-dns.cz wheezy/main amd64 Packages
301 Moved Permanently [IP: 217.31.192.140 80]
Ign http://deb.knot-dns.cz wheezy/main Translation-en
W: Failed to fetch http://deb.knot-dns.cz/knot/dists/wheezy/main/binary-amd64/Packages 301 Moved Permanently [IP: 217.31.192.140 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.
Could someone have a look at this please?
The deb.knot-dns.cz:80 server performs a permanent HTTP redirect to the
equivalent HTTPS URL:
* Connected to deb.knot-dns.cz (2001:1488:ac15:ff90::140) port 80 (#0)
GET /knot/dists/wheezy/main/binary-amd64/Packages HTTP/1.1
Host: deb.knot-dns.cz
User-Agent: curl/7.47.0
Accept: */*
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.6.2
< Date: Mon, 04 Jul 2016 17:47:13 GMT
< Content-Type: text/html
< Content-Length: 184
< Connection: keep-alive
< Location: https://deb.knot-dns.cz/knot/dists/wheezy/main/binary-amd64/Packages
The default HTTP (no s) transport for apt apparently can't follow a
redirect to an HTTPS location, at least in wheezy. Most likely the
apt-transport-https and ca-certificates packages need to be installed,
and the URL in the apt sources file changed from 'http' to 'https'.
However, if you browse to https://deb.knot-dns.cz/knot/dists/, there are
only “jessie” and “stretch” distribution directories listed. According
to the Debian project, security support for “wheezy” (aka “oldstable”)
ended several months ago:
https://www.debian.org/News/2016/20160425
--
Robert Edmonds
edmonds(a)debian.org
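
Added example, not part of the original message or of any project's code: a small Python check for the failure diagnosed above. It reads apt source entries, requests each suite's `Release` file without following redirects, and reports plain-http entries that the server redirects to HTTPS. The sample entries and the names `parse_sources`, `probe`, `is_https_upgrade` and `audit` are assumptions made for illustration.

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample in one-line sources.list format (repository path inferred
# from the URL in the apt error quoted above; not taken from a real file).
SAMPLE_SOURCES = """\
# knot packages
deb http://deb.knot-dns.cz/knot wheezy main
deb [arch=amd64] http://ftp.debian.org/debian wheezy-updates main
"""
ENTRY = re.compile(r"^\s*(?:deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

def parse_sources(text):
    """Return (uri, suite) for every deb/deb-src entry, skipping comments."""
    hits = (ENTRY.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]

def probe(url, timeout=10):
    """One HEAD request; http.client never follows redirects on its own."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def is_https_upgrade(url, status, location):
    """True when a plain-http URL answers with a redirect to an https URL."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urlsplit(urljoin(url, location))
    return urlsplit(url).scheme == "http" and target.scheme == "https"

def audit(sources_text, fetch=probe):
    """List (current_uri, suggested_https_uri) for entries that redirect to HTTPS."""
    findings = []
    for uri, suite in parse_sources(sources_text):
        url = f"{uri.rstrip('/')}/dists/{suite}/Release"
        status, location = fetch(url)
        if is_https_upgrade(url, status, location):
            findings.append((uri, "https" + uri[len("http"):]))
    return findings

if __name__ == "__main__":
    # Canned reply modelled on the 301 in the thread; omit fetch= to probe live.
    canned = lambda u: (301, u.replace("http://", "https://", 1)) if "knot" in u else (200, None)
    print(audit(SAMPLE_SOURCES, fetch=canned))
```

An entry flagged here still needs the suite to exist on the server after the scheme is changed; the message above notes that only jessie and stretch directories are listed.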