This repository was archived by the owner on Oct 12, 2023. It is now read-only.

archive.raspberrypi.org alternate HTTPS certificate expired #20

Closed
vszakats opened this issue May 30, 2020 · 1 comment

vszakats commented May 30, 2020

I understand archive.raspberrypi.org should support HTTPS. But since today, there is a weird error about an expired certificate when trying to access https://archive.raspberrypi.org/ via certain tools, e.g. apt and wget. curl (and e.g. Firefox or Safari on macOS) does work fine. I experience this under the 64-bit OS release, but I can't say if it's specific to the OS or not (UPDATE: likely, it is not).

wget output

```
wget -d https://archive.raspberrypi.org/
DEBUG output created by Wget 1.20.1 on linux-gnu.

Reading HSTS entries from /home/pi/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2020-05-30 17:13:31--  https://archive.raspberrypi.org/
Certificates loaded: 128
Resolving archive.raspberrypi.org (archive.raspberrypi.org)... 2a00:1098:80:56::1:1, 2a00:1098:84:1e0::3, 2a00:1098:84:1e0::2, ...
Caching archive.raspberrypi.org => 2a00:1098:80:56::1:1 2a00:1098:84:1e0::3 2a00:1098:84:1e0::2 2a00:1098:80:56::3:1 2a00:1098:88:26::2:1 2a00:1098:82:47::2:1 2a00:1098:84:1e0::1 2a00:1098:88:26::1 2a00:1098:88:26::1:1 2a00:1098:82:47::1:1 2a00:1098:82:47::1 2a00:1098:80:56::2:1 93.93.135.118 93.93.135.117 176.126.240.84 93.93.130.212 46.235.230.122 46.235.231.111 46.235.227.39 46.235.231.151 46.235.231.145 176.126.240.167 176.126.240.86 93.93.135.141
Connecting to archive.raspberrypi.org (archive.raspberrypi.org)|2a00:1098:80:56::1:1|:443... connected.
Created socket 3.
Releasing 0x00000055877ed9a0 (new refcount 1).
ERROR: The certificate of ‘archive.raspberrypi.org’ is not trusted.
ERROR: The certificate of ‘archive.raspberrypi.org’ has expired.
```

apt output

```
$ sudo apt update
[...]
Ign:4 https://archive.raspberrypi.org/debian buster InRelease
Err:6 https://archive.raspberrypi.org/debian buster Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 2a00:1098:80:56::1:1 443]
Reading package lists... Done
E: The repository 'https://archive.raspberrypi.org/debian buster Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

curl output

```
$ curl -v https://archive.raspberrypi.org/
*   Trying 2a00:1098:88:26::2:1...
* TCP_NODELAY set
* Expire in 149988 ms for 3 (transfer 0x55919edbd0)
* Expire in 200 ms for 4 (transfer 0x55919edbd0)
* Connected to archive.raspberrypi.org (2a00:1098:88:26::2:1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.raspberrypi.org
*  start date: Jul 15 00:00:00 2019 GMT
*  expire date: Jul 14 23:59:59 2020 GMT
*  subjectAltName: host "archive.raspberrypi.org" matched cert's "*.raspberrypi.org"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55919edbd0)
> GET / HTTP/2
> Host: archive.raspberrypi.org
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Sat, 30 May 2020 16:22:09 GMT
< server: Apache
< vary: Accept-Encoding
< content-length: 865
< content-type: text/html;charset=UTF-8
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="debian/">debian/</a></td><td align="right">2015-07-06 15:40  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="html/">html/</a></td><td align="right">2018-10-16 06:37  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
* Connection #0 to host archive.raspberrypi.org left intact
```

Oh. Apparently an alternate certificate expired 5 hours ago:
https://dev.ssllabs.com/ssltest/analyze.html?d=archive.raspberrypi.org&s=2a00%3a1098%3a82%3a47%3a0%3a0%3a0%3a1&latest

vszakats changed the title from "archive.raspberrypi.org alternate TLS/SSL expired" to "archive.raspberrypi.org alternate HTTPS certificate expired" on May 30, 2020
@XECDesign

Duplicate of RPi-Distro/repo#175
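
Added example, not part of the original issue or of any project's code: in the report above curl prints a leaf certificate valid until Jul 14 2020 while apt rejects the chain for an expired certificate, so an expiry check has to cover every certificate the server sends, not only the leaf. The sketch audits a chain listing in the format printed by `openssl x509 -noout -subject -enddate`; the two CA entries and their dates are constructed, and `parse_chain` and `audit_chain` are names chosen here.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample, one subject/notAfter pair per certificate sent, in the
# format of `openssl x509 -noout -subject -enddate`. The leaf values come from
# the curl output in the issue; both CA entries and their dates are invented.
SAMPLE_CHAIN = """\
subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.raspberrypi.org
notAfter=Jul 14 23:59:59 2020 GMT
subject=CN = Example Intermediate CA (constructed)
notAfter=Dec 31 23:59:59 2030 GMT
subject=CN = Example Cross-Signed CA (constructed)
notAfter=May 30 11:00:00 2020 GMT
"""

# Date header of the curl response in the issue, as epoch seconds.
CURL_RESPONSE_TIME = datetime(2020, 5, 30, 16, 22, 9, tzinfo=timezone.utc).timestamp()

def parse_chain(text):
    """Return [(subject, not_after_epoch), ...] in the order the server sent them."""
    certs, subject = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter":
            if subject is None:
                raise ValueError("notAfter without a preceding subject line")
            certs.append((subject, ssl.cert_time_to_seconds(value.strip())))
            subject = None
    return certs

def audit_chain(text, now):
    """Return (verdict, [(chain_index, subject, seconds_since_expiry), ...])."""
    certs = parse_chain(text)
    if not certs:
        raise ValueError("no certificates found")
    expired = [(i, s, now - end) for i, (s, end) in enumerate(certs) if end < now]
    if not expired:
        return "ok", expired
    if expired[0][0] == 0:  # index 0 is the leaf
        return "leaf expired", expired
    return "leaf valid, expired certificate elsewhere in chain", expired

if __name__ == "__main__":
    verdict, expired = audit_chain(SAMPLE_CHAIN, CURL_RESPONSE_TIME)
    print(verdict)
    for index, subject, age in expired:
        print(f"  chain[{index}] {subject}: expired {age / 3600:.1f} h ago")
```

Running the same audit against the chain served by each resolved address separately shows whether only some backends send the expired certificate.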
