I believe this is caused by debootstrap - it only uses packages from the
release pocket (and this is frozen from the time Ubuntu 20.04 LTS was
originally released). This is a known issue
https://askubuntu.com/questions/744684/latest-security-updates-with-debootstrap
but I am not sure if there is much you can do to get debian-installer to
say use multistrap instead of debootstrap.

** Package changed: ca-certificates (Ubuntu) => debian-installer
(Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1973654

Title:
  Using debian-installer on a server with a Let's Encrypt cert dies

Status in debian-installer package in Ubuntu:
  New

Bug description:
  While using debian-installer to install Ubuntu Focal, I get the
  following error:

      May 16 22:02:41 base-installer:   Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]

  There was an issue in 2021, where the "DST_Root_CA_X3.crt" certificate
  used by Let's Encrypt expired.

      https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

  The problem is that the certificate is still included in the
  "ca-certificates_20190110ubuntu1_all.deb" that debian-installer fetches
  during install.

      May 16 22:02:17 debootstrap: Preparing to unpack .../ca-certificates_20190110ubuntu1_all.deb ...
      May 16 22:02:17 debootstrap: Unpacking ca-certificates (20190110ubuntu1) ...
      May 16 22:02:31 debootstrap: Setting up ca-certificates (20190110ubuntu1) ...
      May 16 22:02:40 debootstrap: Processing triggers for ca-certificates (20190110ubuntu1) ...
      May 16 22:02:40 debootstrap: Running hooks in /etc/ca-certificates/update.d...

  Because the certificate is expired, debian-installer dies with:

      May 16 22:02:41 base-installer:   Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]

  Can Ubuntu update the ca-certificate .deb pulled during install to one
  that does not have DST_Root_CA_X3.crt?   Thanks.
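
One way to triage this failure from an installer syslog, added here as an example that is not part of the original bug report or of any Ubuntu tooling: it ties each expired-chain TLS failure to the ca-certificates version debootstrap had just set up. The sample log is constructed from the lines quoted in the report, `triage` is a hypothetical helper name, and reading the leading eight digits of the package version as a snapshot date is an assumption.

```python
import re
from datetime import date, datetime

# Constructed sample: installer syslog lines modelled on those quoted in the bug report.
SAMPLE_LOG = """\
May 16 22:02:17 debootstrap: Unpacking ca-certificates (20190110ubuntu1) ...
May 16 22:02:31 debootstrap: Setting up ca-certificates (20190110ubuntu1) ...
May 16 22:02:40 debootstrap: Running hooks in /etc/ca-certificates/update.d...
May 16 22:02:41 base-installer:   Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]
"""

# DST Root CA X3 expired on 30 September 2021 (Let's Encrypt notice linked in the report).
DST_ROOT_X3_EXPIRY = date(2021, 9, 30)

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<tag>[\w.-]+):\s+(?P<msg>.*)$")
# Assumption: the first eight digits of the version are the bundle's YYYYMMDD snapshot date.
SETUP = re.compile(r"Setting up ca-certificates \((?P<ver>(?P<ymd>\d{8})[^)]*)\)")
TLS_FAIL = re.compile(r"Certificate verification failed:.*expired certificate.*"
                      r"\[IP: (?P<ip>\S+) (?P<port>\d+)\]")

def triage(log_text):
    """Return one finding per expired-chain TLS failure, tied to the CA bundle in use."""
    bundle, findings = None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated line
        setup = SETUP.search(m["msg"])
        if m["tag"] == "debootstrap" and setup:
            snapshot = datetime.strptime(setup["ymd"], "%Y%m%d").date()
            bundle = {"version": setup["ver"], "snapshot": snapshot}
            continue
        fail = TLS_FAIL.search(m["msg"])
        if fail:
            findings.append({
                "time": m["ts"],
                "endpoint": f'{fail["ip"]}:{fail["port"]}',
                "bundle_version": bundle["version"] if bundle else None,
                # A bundle cut before the expiry cannot reflect the root's removal.
                "bundle_predates_expiry": bool(bundle) and bundle["snapshot"] < DST_ROOT_X3_EXPIRY,
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```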
