SSL certificate error when I download a template

Hi everyone

I’d like to use minimal templates with Qubes, but when I try to install debian-10-minimal, with the command:

sudo qubes-dom0-update qubes-template-debian10-minimal

I get an error saying:

Curl error (60): SSL peer certificate or SSH remote key was not ok for… [SSL certificate problem: certificate has expired]

When I try the url “” in Firefox I get: Warning: Potential Security Risk Ahead

It seems that the certificate for the mirror has really expired.

The package is dowloaded, but I think it’s a risk to use it. I don’t like risks, so I use Qubes.

What can I do. Is there another mirror for secure template downloads or I have to wait until they renew the SSL certificate for the mirror.

Thanks in advance

I’ve tried other things.

I thought that maybe other repos used different mirrors. So I tried to use the repo qubes-templates-itl-testing with --enablerepo to install debian-11 and debian-11-minimal, but I got the same result with both of them, because the root mirror is the same: And the same result I got when I tried to install qubes-template-fedora-32-minimal.

So I think that currently it’s no possible to install securely any template.

Cert displays for me as:
Let’s Encrypt

As FF states for me: expired (within year)

I’ve seen ALOT of these recently. I think most companies get their certs/re-provision this quarter.
(Apache does automatic provisioning but there was some polotik with let’s encrypt within the last year - so it’s either that the auto-provision didn’t go through or Let’s Encrypt has changed the provision and it’s another error).


I solved my problem by editing the file /etc/yum.repos.d/qubes-templates.repo.

I wanted to install debian-11-minimal, so I modified the [qubes-templates-itl-testing] section, changing fastestmirror = 1 for fastestmirror = 0. I suppose the mirror with the expired certificate issue was the fastest and disabling fastestmirror other mirror has the highest priority.