Help thread for DST Root CA X3 expiration (September 2021)

ventura57 · December 8, 2021, 7:19pm

Someone could explain to me how this still works !!! Below is the fullchain of my certificate in reverse order issued yesterday, Dec. 7th.

The "DST Root CA X3" is expired but still in use to renew certificates !!!

I understand "ISRG Root X1" is not expired but the issuer is expired. What am I missing here ?

Certificate 1 (top)

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Certificate 2

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3

Certificate 3 (my certificate signed by lets encrypt)

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:fd:94:55:b2:59:85:92:40:26:24:15:bf:60:42:16:b1:5d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Dec 7 16:16:34 2021 GMT
Not After : Mar 7 16:16:33 2022 GMT
Subject: CN =

ventura57 · December 8, 2021, 7:52pm

Someone could explain to me how this still works !!! Below is the fullchain of my certificate in reverse order issued yesterday, Dec. 7th.

The "DST Root CA X3" is expired but still in use to renew certificates !!!

I understand "ISRG Root X1" is not expired but the issuer is expired. What am I missing here ?

Certificate 1 (top)

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Certificate 2

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3

Certificate 3 (my certificate signed by lets encrypt)

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:fd:94:55:b2:59:85:92:40:26:24:15:bf:60:42:16:b1:5d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Dec 7 16:16:34 2021 GMT
Not After : Mar 7 16:16:33 2022 GMT
Subject: CN =

ventura57 · December 8, 2021, 8:06pm

Shouldn't "ISRG Root X1" be self signed ???
In my browser I have "R3" and "ISRG Root X1" but the last is self signed.

I am beginning to panic.

Osiris · December 8, 2021, 8:12pm

Don't. This is intentional. Please read:

ventura57 · December 8, 2021, 8:59pm

Thank you Osiris.
Before receive your message I was checking every certificate renewed using the command:

openssl s_client -connect the_url:443

and the fact all check was OK. You article explain everything.

Again, thank your very much.

apr · December 9, 2021, 7:29pm

When i use the longer chain, my APIs get errors in curl requests like the following:
cURL error 60: SSL certificate problem: certificate has expired

If i choose the shorter one, i don't get support for older android versions.

Is there a way to get old androids and curl to work?

rg305 · December 9, 2021, 7:35pm

Yes; One way is to switch to another (free and ACME friendly) CA.

apr · December 9, 2021, 7:51pm

No way to get it to work with letsencrypt?
I cant go to other CA cuz i have lots of domains. The other CAs free plans are too limited.

I really need to choose between my APIs working or support for older android versions?

Osiris · December 9, 2021, 8:17pm

curl should be able to work with the longer chain, depending on software versions used.

apr · December 9, 2021, 8:29pm

Ok thats good.

Which softwares / versions we're talking? Can you point me a way to check that?

They say openssl must be over 1.1. When i run openssl version i get:

OpenSSL 1.1.0h 27 Mar 2018

lsb_realease prints out:

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.7 LTS
Release:	16.04
Codename:	xenial

Anything else i need to check?

rg305 · December 9, 2021, 8:47pm

Please show:
apt list | grep installed | grep cert

You should see:

ca-certificates/xenial-updates,xenial-updates,xenial-security,xenial-security,now 20210119~16.04.1 all [installed]

apr · December 9, 2021, 8:49pm

ca-certificates/xenial-updates,xenial-security,now 20210119~16.04.1 all [installed]
python-pkg-resources/xenial,now 33.1.1-1+certbot~xenial+1 all [installed,automatic]
python3-acme/xenial,now 0.31.0-2+ubuntu16.04.6+certbot+2 all [installed,auto-removable]
python3-asn1crypto/xenial,now 0.22.0-2+ubuntu16.04.1+certbot+1 all [installed,automatic]
python3-augeas/xenial,now 0.5.0-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-certbot/xenial,now 0.31.0-2~deb10u1+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-certifi/xenial,now 2017.4.17-2+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-cffi-backend/xenial,now 1.10.0-0.1+ubuntu16.04.1+certbot+1 amd64 [installed]
python3-chardet/xenial,now 3.0.4-1+ubuntu16.04.1+certbot+2 all [installed]
python3-configargparse/xenial,now 0.11.0-1+certbot~xenial+1 all [installed,auto-removable]
python3-configobj/xenial,now 5.0.6-2+ubuntu16.04.1+certbot+1 all [installed]
python3-cryptography/xenial,now 1.9-1+ubuntu16.04.1+certbot+2 amd64 [installed]
python3-future/xenial,now 0.15.2-4+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-idna/xenial,now 2.5-1+ubuntu16.04.1+certbot+1 all [installed]
python3-ndg-httpsclient/xenial,now 0.4.2-1+certbot~xenial+1 all [installed,auto-removable]
python3-openssl/xenial,now 17.3.0-1~0+ubuntu16.04.1+certbot+1 all [installed,automatic]
python3-parsedatetime/xenial,now 2.4-3+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-pkg-resources/xenial,now 33.1.1-1+certbot~xenial+1 all [installed]
python3-pyasn1/xenial,now 0.1.9-2+certbot~xenial+1 all [installed]
python3-requests/xenial,now 2.18.1-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-requests-toolbelt/xenial,now 0.8.0-1+ubuntu16.04.1+certbot+1 all [installed,auto-removable]
python3-rfc3339/xenial,now 1.0-4+certbot~xenial+1 all [installed,auto-removable]
python3-six/xenial,now 1.11.0-1+ubuntu16.04.1+certbot+1 all [installed]
python3-urllib3/xenial,now 1.21.1-1+ubuntu16.04.1+certbot+1 all [installed]
python3-zope.component/xenial,now 4.3.0-1+ubuntu16.04.1+certbot+3 all [installed,auto-removable]
python3-zope.hookable/xenial,now 4.0.4-4+ubuntu16.04.1+certbot+1 amd64 [installed,auto-removable]
python3-zope.interface/xenial,now 4.3.2-1+ubuntu16.04.1+certbot+1 amd64 [installed,auto-removable]
ssl-cert/xenial,now 1.0.37 all [installed,automatic]

rg305 · December 9, 2021, 8:51pm

Well, that looks right.

rg305 · December 9, 2021, 8:56pm

Please show the outputs of:
ls -l /etc/ssl/certs/* | grep -Ei 'R3|DST|ISRG'
and
apt update
and
apt install curl

apr · December 9, 2021, 9:54pm

lrwxrwxrwx 1 root root     27 Out  1 22:15 /etc/ssl/certs/062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root     15 Out  1 22:15 /etc/ssl/certs/0a775a30.0 -> GTS_Root_R3.pem
lrwxrwxrwx 1 root root     27 Out  1 22:15 /etc/ssl/certs/1e8e7201.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root     16 Out  1 22:15 /etc/ssl/certs/4042bcee.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root     16 Out  1 22:15 /etc/ssl/certs/6187b673.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root     15 Out  1 22:15 /etc/ssl/certs/6b03dec0.0 -> GTS_Root_R3.pem
lrwxrwxrwx 1 root root     62 Out  1 20:30 /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
lrwxrwxrwx 1 root root     50 Out  1 20:30 /etc/ssl/certs/GTS_Root_R3.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R3.crt
lrwxrwxrwx 1 root root     51 Out  1 20:30 /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

Hit:1 http://mirrors.digitalocean.com/ubuntu xenial InRelease
Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]                    
Hit:3 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease                                   
Get:4 http://mirrors.digitalocean.com/ubuntu xenial-updates InRelease [109 kB]                                                      
Hit:5 http://ppa.launchpad.net/ondrej/apache2/ubuntu xenial InRelease                                                                          
Get:6 http://mirrors.digitalocean.com/ubuntu xenial-backports InRelease [107 kB]                                                    
Hit:7 https://repos.insights.digitalocean.com/apt/do-agent main InRelease                                                                      
Hit:8 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Get:9 https://deb.nodesource.com/node_9.x xenial InRelease [4.622 B]
Get:10 http://mirrors.digitalocean.com/ubuntu xenial-updates/main Sources [537 kB]
Get:11 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 Packages [2.049 kB]
Fetched 2.916 kB in 1s (1.928 kB/s)                                                  
Reading package lists... Done
Building dependency tree       
Reading state information... Done
152 packages can be upgraded. Run 'apt list --upgradable' to see them.

E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem.

rg305 · December 9, 2021, 9:58pm

Wow!

Let's have a look at that:
apt list --upgradable

apr · December 9, 2021, 10:09pm

Well, thats quite a big list.

I'm aware theres a lot of things to update, but i'm afraid to break something when i do it, since i was not responsible for this droplet initial setup.

Heres the list:

apt/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
apt-transport-https/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
apt-utils/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
bind9-host/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
bsdutils/xenial-updates 1:2.27.1-6ubuntu3.10 amd64 [upgradable from: 1:2.27.1-6ubuntu3.4]
btrfs-tools/xenial-updates 4.4-1ubuntu1.1 amd64 [upgradable from: 4.4-1ubuntu1]
cloud-guest-utils/xenial-updates 0.27-0ubuntu25.2 all [upgradable from: 0.27-0ubuntu25.1]
cloud-initramfs-copymods/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
cloud-initramfs-dyn-netconf/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
console-setup/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
console-setup-linux/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
curl/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
debconf/xenial-updates 1.5.58ubuntu2 all [upgradable from: 1.5.58ubuntu1]
debconf-i18n/xenial-updates 1.5.58ubuntu2 all [upgradable from: 1.5.58ubuntu1]
distro-info-data/xenial-updates,xenial-security 0.28ubuntu0.18 all [upgradable from: 0.28ubuntu0.16]
dmidecode/xenial-updates 3.0-2ubuntu0.2 amd64 [upgradable from: 3.0-2ubuntu0.1]
dnsmasq-base/xenial-updates,xenial-security 2.75-1ubuntu0.16.04.10 amd64 [upgradable from: 2.75-1ubuntu0.16.04.7]
dnsutils/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
do-agent/main 3.12.0 amd64 [upgradable from: 3.9.0]
dpkg/xenial-updates 1.18.4ubuntu1.7 amd64 [upgradable from: 1.18.4ubuntu1.4]
dpkg-dev/xenial-updates 1.18.4ubuntu1.7 all [upgradable from: 1.18.4ubuntu1.4]
friendly-recovery/xenial-updates 0.2.31ubuntu2.1 all [upgradable from: 0.2.31ubuntu1]
git/xenial-updates,xenial-security 1:2.7.4-0ubuntu1.10 amd64 [upgradable from: 1:2.7.4-0ubuntu1.9]
git-man/xenial-updates,xenial-security 1:2.7.4-0ubuntu1.10 all [upgradable from: 1:2.7.4-0ubuntu1.9]
grub-common/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64/xenial-updates 2.04-1ubuntu44.1.2 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64-bin/xenial-updates 2.04-1ubuntu44.1.2 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub-efi-amd64-signed/xenial-updates 1.167~16.04.6+2.04-1ubuntu44.1.2 amd64 [upgradable from: 1.66.27+2.02~beta2-36ubuntu3.27]
grub-legacy-ec2/xenial-updates 21.1-19-gbad84ad4-0ubuntu1~16.04.2 all [upgradable from: 18.2-4-g05926e48-0ubuntu1~16.04.2]
grub-pc-bin/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
grub2-common/xenial-updates 2.02~beta2-36ubuntu3.32 amd64 [upgradable from: 2.02~beta2-36ubuntu3.27]
guile-2.0-libs/xenial-updates 2.0.11+1-10ubuntu0.1 amd64 [upgradable from: 2.0.11+1-10]
ifupdown/xenial-updates 0.8.10ubuntu1.4 amd64 [upgradable from: 0.8.10ubuntu1.3]
initramfs-tools/xenial-updates 0.122ubuntu8.17 all [upgradable from: 0.122ubuntu8.14]
initramfs-tools-bin/xenial-updates 0.122ubuntu8.17 amd64 [upgradable from: 0.122ubuntu8.14]
initramfs-tools-core/xenial-updates 0.122ubuntu8.17 all [upgradable from: 0.122ubuntu8.14]
iproute2/xenial-updates 4.3.0-1ubuntu3.16.04.5 amd64 [upgradable from: 4.3.0-1ubuntu3.16.04.3]
keyboard-configuration/xenial-updates 1.108ubuntu15.5 all [upgradable from: 1.108ubuntu15.3]
kmod/xenial-updates 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5]
libapt-inst2.0/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
libapt-pkg5.0/xenial-updates 1.2.35 amd64 [upgradable from: 1.2.32ubuntu0.2]
libbind9-140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libblkid1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libc-bin/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc-dev-bin/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc6/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libc6-dev/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
libcurl3/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3-gnutls/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libdns-export162/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libdns162/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libdpkg-perl/xenial-updates 1.18.4ubuntu1.7 all [upgradable from: 1.18.4ubuntu1.4]
libdrm-common/xenial-updates 2.4.91-2~16.04.1 all [upgradable from: 2.4.83-1~16.04.1]
libdrm2/xenial-updates 2.4.91-2~16.04.1 amd64 [upgradable from: 2.4.83-1~16.04.1]
libfdisk1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libglib2.0-0/xenial-updates,xenial-security 2.48.2-0ubuntu4.8 amd64 [upgradable from: 2.48.2-0ubuntu4.6]
libglib2.0-data/xenial-updates,xenial-security 2.48.2-0ubuntu4.8 all [upgradable from: 2.48.2-0ubuntu4.6]
libhogweed4/xenial-updates,xenial-security 3.2-1ubuntu0.16.04.2 amd64 [upgradable from: 3.2-1ubuntu0.16.04.1]
libisc-export160/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisc160/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisccc140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libisccfg140/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
libjs-sphinxdoc/xenial-updates 1.3.6-2ubuntu1.2 all [upgradable from: 1.3.6-2ubuntu1.1]
libjs-underscore/xenial-updates,xenial-security 1.7.0~dfsg-1ubuntu1.1 all [upgradable from: 1.7.0~dfsg-1ubuntu1]
libkmod2/xenial-updates 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5]
libldap-2.4-2/xenial-updates,xenial-security 2.4.42+dfsg-2ubuntu3.13 amd64 [upgradable from: 2.4.42+dfsg-2ubuntu3.12]
liblwres141/xenial-updates,xenial-security 1:9.10.3.dfsg.P4-8ubuntu1.19 amd64 [upgradable from: 1:9.10.3.dfsg.P4-8ubuntu1.17]
liblxc1/xenial-updates 2.0.11-0ubuntu1~16.04.3 amd64 [upgradable from: 2.0.8-0ubuntu1~16.04.2]
libmount1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libnettle6/xenial-updates,xenial-security 3.2-1ubuntu0.16.04.2 amd64 [upgradable from: 3.2-1ubuntu0.16.04.1]
libpam-modules/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-modules-bin/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-runtime/xenial-updates 1.1.8-3.2ubuntu2.3 all [upgradable from: 1.1.8-3.2ubuntu2.1]
libpam-systemd/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libpam0g/xenial-updates 1.1.8-3.2ubuntu2.3 amd64 [upgradable from: 1.1.8-3.2ubuntu2.1]
libpci3/xenial-updates 1:3.3.1-1.1ubuntu1.3 amd64 [upgradable from: 1:3.3.1-1.1ubuntu1.2]
libplymouth4/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
libprocps4/xenial-updates 2:3.3.10-4ubuntu2.5 amd64 [upgradable from: 2:3.3.10-4ubuntu2.4]
libpython2.7/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython2.7-minimal/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython2.7-stdlib/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
libpython3.5/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libpython3.5-minimal/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libpython3.5-stdlib/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
libseccomp2/xenial-updates 2.5.1-1ubuntu1~16.04.1 amd64 [upgradable from: 2.4.3-1ubuntu3.16.04.3]
libslang2/xenial-updates 2.3.0-2ubuntu1.1 amd64 [upgradable from: 2.3.0-2ubuntu1]
libsmartcols1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.20 amd64 [upgradable from: 1.0.2g-1ubuntu4.18]
libsystemd0/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libtiff5/xenial-updates,xenial-security 4.0.6-1ubuntu0.8 amd64 [upgradable from: 4.0.6-1ubuntu0.7]
libudev1/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
libuuid1/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
linux-headers-generic/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-headers-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-image-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
linux-libc-dev/xenial-updates,xenial-security 4.4.0-210.242 amd64 [upgradable from: 4.4.0-201.233]
linux-virtual/xenial-updates,xenial-security 4.4.0.210.216 amd64 [upgradable from: 4.4.0.201.207]
locales/xenial-updates,xenial-security 2.23-0ubuntu11.3 all [upgradable from: 2.23-0ubuntu11.2]
login/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
lshw/xenial-updates 02.17-1.1ubuntu3.6 amd64 [upgradable from: 02.17-1.1ubuntu3.5]
lxc-common/xenial-updates 2.0.11-0ubuntu1~16.04.3 amd64 [upgradable from: 2.0.8-0ubuntu1~16.04.2]
mokutil/xenial-updates,xenial-security 0.3.0+1538710437.fb6250f-0ubuntu2~16.04.1 amd64 [upgradable from: 0.3.0-0ubuntu3]
mount/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
multiarch-support/xenial-updates,xenial-security 2.23-0ubuntu11.3 amd64 [upgradable from: 2.23-0ubuntu11.2]
open-iscsi/xenial-updates 2.0.873+git0.3b4b4500-14ubuntu3.7 amd64 [upgradable from: 2.0.873+git0.3b4b4500-14ubuntu3.4]
open-vm-tools/xenial-updates 2:10.2.0-3~ubuntu0.16.04.1 amd64 [upgradable from: 2:10.0.7-3227872-5ubuntu1~16.04.2]
openssh-client/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
openssh-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
openssh-sftp-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64 [upgradable from: 1:7.2p2-4ubuntu2.8]
overlayroot/xenial-updates 0.27ubuntu1.6 all [upgradable from: 0.27ubuntu1.5]
passwd/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
pciutils/xenial-updates 1:3.3.1-1.1ubuntu1.3 amd64 [upgradable from: 1:3.3.1-1.1ubuntu1.2]
plymouth/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
plymouth-theme-ubuntu-text/xenial-updates 0.9.2-3ubuntu13.5 amd64 [upgradable from: 0.9.2-3ubuntu13.4]
pollinate/xenial-updates 4.33-0ubuntu1~16.04.1 all [upgradable from: 4.25-0ubuntu1~16.04.1]
postfix/xenial-updates 3.1.0-3ubuntu0.4 amd64 [upgradable from: 3.1.0-3ubuntu0.3]
procps/xenial-updates 2:3.3.10-4ubuntu2.5 amd64 [upgradable from: 2:3.3.10-4ubuntu2.4]
psmisc/xenial-updates 22.21-2.1ubuntu0.1 amd64 [upgradable from: 22.21-2.1build1]
python-apt-common/xenial-updates 1.1.0~beta1ubuntu0.16.04.12 all [upgradable from: 1.1.0~beta1ubuntu0.16.04.11]
python2.7/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
python2.7-minimal/xenial-updates,xenial-security 2.7.12-1ubuntu0~16.04.18 amd64 [upgradable from: 2.7.12-1ubuntu0~16.04.13]
python3-apt/xenial-updates 1.1.0~beta1ubuntu0.16.04.12 amd64 [upgradable from: 1.1.0~beta1ubuntu0.16.04.11]
python3-distupgrade/xenial-updates 1:16.04.32 all [upgradable from: 1:16.04.25]
python3-josepy/xenial 1.1.0-2+ubuntu16.04.1+certbot+1 all [upgradable from: 1.0.1-1+ubuntu16.04.1+certbot+7]
python3-update-manager/xenial-updates 1:16.04.17 all [upgradable from: 1:16.04.13]
python3.5/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
python3.5-minimal/xenial-updates,xenial-security 3.5.2-2ubuntu0~16.04.13 amd64 [upgradable from: 3.5.2-2ubuntu0~16.04.12]
resolvconf/xenial-updates 1.78ubuntu7 all [upgradable from: 1.78ubuntu6]
rsyslog/xenial-updates 8.16.0-1ubuntu3.1 amd64 [upgradable from: 8.16.0-1ubuntu3]
sbsigntool/xenial-updates,xenial-security 0.6-0ubuntu10.2 amd64 [upgradable from: 0.6-0ubuntu10.1]
screen/xenial-updates,xenial-security 4.3.1-2ubuntu0.1 amd64 [upgradable from: 4.3.1-2build1]
secureboot-db/xenial-updates 1.4~ubuntu0.16.04.1 amd64 [upgradable from: 1.1]
shared-mime-info/xenial-updates 1.5-2ubuntu0.2 amd64 [upgradable from: 1.5-2ubuntu0.1]
shim/xenial-updates 15.4-0ubuntu7 amd64 [upgradable from: 13-0ubuntu2]
shim-signed/xenial-updates 1.33.1~16.04.10+15.4-0ubuntu7 amd64 [upgradable from: 1.33.1~16.04.1+13-0ubuntu2]
sosreport/xenial-updates 3.9.1-1ubuntu0.16.04.2 amd64 [upgradable from: 3.5-1~ubuntu16.04.2]
squashfs-tools/xenial-updates 1:4.3-3ubuntu2.16.04.3 amd64 [upgradable from: 1:4.3-3ubuntu2.16.04.1]
systemd/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
systemd-sysv/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
ubuntu-keyring/xenial-updates 2012.05.19.1 all [upgradable from: 2012.05.19]
ubuntu-minimal/xenial-updates 1.361.6 amd64 [upgradable from: 1.361.1]
ubuntu-release-upgrader-core/xenial-updates 1:16.04.32 all [upgradable from: 1:16.04.25]
ubuntu-standard/xenial-updates 1.361.6 amd64 [upgradable from: 1.361.1]
udev/xenial-updates 229-4ubuntu21.31 amd64 [upgradable from: 229-4ubuntu21.27]
uidmap/xenial-updates 1:4.2-3.1ubuntu5.4 amd64 [upgradable from: 1:4.2-3.1ubuntu5.3]
unattended-upgrades/xenial-updates 1.1ubuntu1.18.04.7~16.04.7 all [upgradable from: 0.90ubuntu0.10]
update-manager-core/xenial-updates 1:16.04.17 all [upgradable from: 1:16.04.13]
update-notifier-common/xenial-updates 3.168.15 all [upgradable from: 3.168.8]
ureadahead/xenial-updates 0.100.0-19.1 amd64 [upgradable from: 0.100.0-19]
util-linux/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
uuid-runtime/xenial-updates 2.27.1-6ubuntu3.10 amd64 [upgradable from: 2.27.1-6ubuntu3.4]
vlan/xenial-updates 1.9-3.2ubuntu1.16.04.5 amd64 [upgradable from: 1.9-3.2ubuntu1.16.04.4]

Can you point any evidence responsible for curl not working with the longer chain on that list?
If so, how can i update without breaking everything up? Any tips?

rg305 · December 9, 2021, 10:15pm

I'd update:

curl/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libcurl3-gnutls/xenial-updates,xenial-security 7.47.0-1ubuntu2.19 amd64 [upgradable from: 7.47.0-1ubuntu2.18]
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.20 amd64 [upgradable from: 1.0.2g-1ubuntu4.18]

[if not all of them]

apr · December 9, 2021, 10:19pm

Ok. I'll evaluate the best way to update the critical ones without breaking anything.
I'll let you know if it works after the updates.
Thanks in advance.

HardcoreGames · December 22, 2021, 6:06am

I use ubuntu LTS and I install all updates as a routine and my portfolio of sites are all still working fine