Can't dietpi-update or even apt update

Toscho · 5 February 2021 08:39

I can’t update my Pi3 running dietpi 6.33.3.

Running dietpi-update results in

 INFO ] DietPi-Update | Checking mirror: https://raw.githubusercontent.com/MichaIng/DietPi/master/dietpi/server_version-6
curl: (60) SSL certificate problem: unable to get local issuer certificate

and

[ INFO ] DietPi-Update | Checking mirror: https://dietpi.com/downloads/dietpi-update_mirror/master/server_version-6
curl: (60) SSL certificate problem: unable to get local issuer certificate

If I run apt update, I get:

Err:4 https://archive.raspberrypi.org/debian buster Release 
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 176.126.240.167 443]

If I ping archive.raspberrypi.org from my laptop, it yields the IP 46.235.227.39 instead of 176.126.240.167 .

So what can I do here?

Joulinar · 5 February 2021 12:28

Hi,

are you behind a proxy or firewall that could block SSL handling?

Btw: archive.raspberrypi.org is a DNS pointing to a larger group of servers. means it’s ok to have different IP’s listed

https://mxtoolbox.com/SuperTool.aspx?action=a%3aarchive.raspberrypi.org&run=toolpage

Toscho · 6 February 2021 08:11

No, there is no Firewall blocking SSL Handling. The raspi itself is offering SSL for https, imaps and smtps.

OK, so the different IPs mean nothing. Then it looks as though some package is damaged, which is difficult to repair as apt itself is not working properly.

Toscho · 6 February 2021 08:31

OK, so I found the issue. Somehow the installed ca-certificates were damaged. Apt told me to install ca-certificates, which was already installed. Dumb as I am, I first trusted this message. Now I reinstalled the package and everythings works normal.

Joulinar · 6 February 2021 13:40

indeed having a damaged ca-certificates package is a good reason for not being able to verify certificates.