Debian repository seems broken: HTTPS cert on updates.signald.org sometimes fails
When I run aptitude update, I get the following error:
Err https://updates.signald.org unstable InRelease
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 205.185.216.42 443]
W: Failed to fetch https://updates.signald.org/dists/unstable/InRelease: Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 205.185.216.42 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
Observation: Opening that URL in Firefox works, and returns a nice gzipped file.
Observation: Running wget https://updates.signald.org/dists/unstable/InRelease fails, with a very similar complaint about the certificate.
Wild guess: The certificate is incomplete, and an intermediate certificate is missing. This intermediate certificate is popular enough that Firefox (and presumably other browsers) include it in the program, in order to tolerate the error. However, wget and apt (and similar programs) cannot afford to keep around a bunch of intermediate certificates. I guess this, because I have encountered the same type of error on many other websites.
In particular, observe that this tool reports that the certificate order is incorrect: https://www.ssllabs.com/ssltest/analyze.html?d=updates.signald.org&s=205.185.216.42&latest
Wild guess: So maybe the intermediate isn't actually missing, but wget and apt just don't see the intermediate certificate because it's in the wrong place, or something like that.
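
The first guess in the report (a server that sends its leaf certificate without the intermediate) can be reproduced offline with a throwaway CA chain. This is an added example, not part of the original report: the demo-* names and the helpers make_chain and chain_ok are made up for it, and openssl verify is assumed here as a stand-in for a strict client such as wget or apt that only knows the root.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name here is throwaway test data.

make_chain() {  # $1 = work dir; writes root.pem, inter.pem, leaf.pem
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root, then an intermediate CA signed by it.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" \
        2>/dev/null || return 1
    # The server (leaf) certificate is issued by the intermediate, not the root.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

chain_ok() {  # $1 = work dir; $2.. = extra certs the server sent with the leaf
    d=$1; shift
    if [ $# -eq 0 ]; then
        # Client trusts only the root and received nothing but the leaf.
        openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1
        return
    fi
    : > "$d/sent.pem"
    for c in "$@"; do cat "$d/$c" >> "$d/sent.pem"; done
    # -untrusted = certificates supplied by the peer, usable only to build the path.
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/sent.pem" \
        "$d/leaf.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_chain "$demo" || { echo "openssl could not build the demo chain" >&2; exit 1; }
if chain_ok "$demo"; then echo "leaf only: verified"
else echo "leaf only: rejected, issuer unknown to the client"; fi
if chain_ok "$demo" inter.pem; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: rejected"; fi
rm -rf "$demo"
```

Against a live host, the certificates the server actually sends can be listed with openssl s_client -connect HOST:443 -showcerts and compared with what this demo builds.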