Curl error (60): SSL peer certificate or SSH remote key was not ok for https://mirrors.dgplug.org/qubes/repo/… [SSL certificate problem: certificate has expired]
When I try the url “https://mirrors.dgplug.org” in Firefox I get: Warning: Potential Security Risk Ahead
It seems that the certificate for the mirror has really expired.
The package is dowloaded, but I think it’s a risk to use it. I don’t like risks, so I use Qubes.
What can I do. Is there another mirror for secure template downloads or I have to wait until they renew the SSL certificate for the mirror.
I thought that maybe other repos used different mirrors. So I tried to use the repo qubes-templates-itl-testing with --enablerepo to install debian-11 and debian-11-minimal, but I got the same result with both of them, because the root mirror is the same: https://mirrors.dgplug.org. And the same result I got when I tried to install qubes-template-fedora-32-minimal.
So I think that currently it’s no possible to install securely any template.
I’ve seen ALOT of these recently. I think most companies get their certs/re-provision this quarter.
(Apache does automatic provisioning but there was some polotik with let’s encrypt within the last year - so it’s either that the auto-provision didn’t go through or Let’s Encrypt has changed the provision and it’s another error).
I solved my problem by editing the file /etc/yum.repos.d/qubes-templates.repo.
I wanted to install debian-11-minimal, so I modified the [qubes-templates-itl-testing] section, changing fastestmirror = 1 for fastestmirror = 0. I suppose the mirror with the expired certificate issue was the fastest and disabling fastestmirror other mirror has the highest priority.