Troubleshooting “Unacceptable TLS certificate” Error in Linux

When it comes to SSL/TLS certificates, you may come across a variety of issues, some related to the browser and others to a problem in a website’s back end.

One such error is “Unacceptable TLS certificate” in Linux.

Unfortunately, there’s no “one-solves-it-all” answer to this. However, there are some potential solutions that you can try, and here, I plan to highlight those for you.

When do you encounter this TLS Certificate issue?

In my case, I noticed the issue when adding the Flathub repository via the terminal, a step that lets you access the massive collection of Flatpaks when setting up Flatpak.

However, you can also expect to encounter this error when installing a Flatpak app or using a Flatpak ref file from a third-party repository via the terminal.

Some users noticed this issue when using their organization’s recommended VPN service for work on Linux.

So, how do you fix it? Why is this a problem?

Well, technically, it’s either of two things:

  • Your system does not accept the certificate (and reports it as invalid).
  • The certificate does not match the domain the user connects to.

If it’s the second, you will have to reach out to the website’s administrator and have it fixed on their end.

But if it’s the first, you have a couple of ways to deal with it.

1. Fix “Unacceptable TLS certificate” when using Flatpak or adding GNOME Online Accounts

If you are trying to add the Flathub remote or a new Flatpak application and notice the error in the terminal, you can simply type in:

sudo apt install --reinstall ca-certificates

This should re-install the trusted CA certificates, in case there has been an issue with the list in some way.

In my case, when trying to add the Flathub repository, I encountered the error, which was resolved by typing the above command in the terminal.

So, I think that any Flatpak-related issues with TLS certificates can be fixed using this method.

If you do not use an Ubuntu-based distro, let me share another experience of mine: I encountered this error on Manjaro Linux.

You can re-install ca-certificates on Manjaro Linux using the following command:

sudo pacman -S ca-certificates

Unfortunately, that may not work in most cases. But when I enabled “Automatic Date & Time” under the Date and Time settings, the error was resolved, and I was able to install the required Flatpak. Certificate validity is checked against the system clock, so a wrong date or time can make a valid certificate look expired or not yet valid.

2. Fix “Unacceptable TLS certificate” when using Work VPN

If you are using your organization’s VPN to access materials related to work, you might have to add the certificate to the list of trusted CAs in your Linux distro.

Do note that you need the VPN service or your organization’s administrator to share the .CRT version of the root certificate to get started.

Next, you will need to navigate to the /usr/local/share/ca-certificates directory.

You can create a directory under it and use any name to identify your organization’s certificate. Then add the .CRT file to that directory.

For instance: /usr/local/share/ca-certificates/organization/xyz.crt

Do note that you need root privileges to add certificates or make a directory under the ca-certificates directory.

Once you have added the necessary certificate, all you have to do is update the certificate support list by typing in:

sudo update-ca-certificates

The certificate should then be treated as valid by your system whenever you try to connect to your company’s VPN.
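The steps above gathered into one script, as an added example that is not part of the original article. It checks the two things update-ca-certificates depends on (a .crt extension and PEM encoding) and prints the SHA-256 fingerprint to compare with the value from your administrator; preflight_ca and install_org_ca are hypothetical helper names, and xyz.crt and the organization directory are the article's placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks before trusting an organization's root CA.
# preflight_ca and install_org_ca are hypothetical helper names.

# Exit status: 0 ok, 1 wrong extension, 2 not PEM, 3 unparsable, 4 not a CA.
preflight_ca() {
    f=$1
    # update-ca-certificates only picks up files whose name ends in .crt
    case "$f" in
        *.crt) ;;
        *) echo "rename to .crt first: $f" >&2; return 1 ;;
    esac
    # The file must be PEM text, not binary DER
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo "not PEM; convert: openssl x509 -inform DER -in $f -out pem.crt" >&2
        return 2
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping parse checks" >&2
        return 0
    fi
    # Parse the certificate and require the CA flag in basicConstraints
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || return 3
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 4
    # Show what is about to be trusted; compare the fingerprint with the
    # value your administrator gave you through a separate channel
    openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
}

# Install into the directory layout the article uses (needs root via sudo).
install_org_ca() {
    preflight_ca "$1" || return
    dest=/usr/local/share/ca-certificates/organization
    sudo install -D -m 0644 "$1" "$dest/$(basename "$1")"
    sudo update-ca-certificates
}

# Typical use:  install_org_ca ./xyz.crt
```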

Wrapping Up

An unacceptable TLS certificate is not a common error, but you can find it in various use cases, such as connecting to GNOME Online Accounts.

If the error cannot be resolved by either of these methods, it is possible that the domain/service you are connecting to has a configuration error. In that case, you will have to contact them to fix the issue.
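To tell which of these cases you are in, you can read the verification errors OpenSSL reports for the connection. The script below is an added example, not part of the original article: triage_tls is a hypothetical helper that maps OpenSSL's numeric verify errors to the causes discussed here, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: map OpenSSL verify errors to the causes the article lists.
# triage_tls is a hypothetical helper name; the sample input is constructed.

# Reads `openssl s_client` output on stdin, prints one line per likely cause.
triage_tls() {
    # Lines look like: "verify error:num=20:unable to get local issuer certificate"
    codes=$(sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | sort -un)
    if [ -z "$codes" ]; then
        echo "ok: no verification errors reported"
        return 0
    fi
    for code in $codes; do
        case "$code" in
            9)  echo "clock: certificate not yet valid, check system date and time" ;;
            10) echo "expired: check date and time, then reinstall ca-certificates" ;;
            18|19|20|21)
                echo "trust: issuer not in system CA store (reinstall ca-certificates or add your organization's CA)" ;;
            62) echo "mismatch: certificate does not match the hostname, contact the site administrator" ;;
            *)  echo "other: OpenSSL verify error $code" ;;
        esac
    done | sort -u
}

# Constructed sample: what s_client prints when the issuer is not trusted.
sample_untrusted() {
    cat <<'EOF'
depth=0 CN = flathub.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = flathub.org
verify error:num=21:unable to verify the first certificate
verify return:1
EOF
}

sample_untrusted | triage_tls

# Against a live host (needs network):
#   openssl s_client -connect flathub.org:443 -servername flathub.org \
#       -verify_hostname flathub.org </dev/null 2>&1 | triage_tls
```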

Have you faced this error anytime? How did you fix it? Are you aware of other solutions to this problem (potentially, something that’s easy to follow)? Let me know your thoughts in the comments below.

  • I had the same problem for a long time and finally fixed it today. In my case I use duckduckgo as default search engine, so it blocked the site and it threw the error unacceptable tls whenever I run flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo .
    Be sure to add flathub.org and flatpak.org in the list for unprotected sites. Restart your machine and restart the process; everything should be working fine.

    • I also use duckduckgo and I’m getting the same error. I tried to change my search engine to Google, but it’s doing the same thing. How do I add flathub.org and flatpak.org in the list for unprotected sites?

    • I got it. It’s duckduckgo’s Privacy Essentials, not the search engine. But, it didn’t fix it. Sigh!

  • This is what I did and it resolved the problem for me:
    sudo dpkg-reconfigure ca-certificates
    On entering, please deselect “DST Root CA X3” by pressing down, then use the space bar to remove the check. Save by pressing enter and accept the defaults.
    Then run the commands as usual:
    sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    then
    sudo flatpak install flathub io.mrarm.mcpelauncher

    Please see:
    https://serverfault.com/questions/1079199/client-on-debian-9-erroneously-reports-expired-certificate-for-letsencrypt-issue

  • I found a solution that worked for me on CentOS 7.

    https://www.howtouselinux.com/post/install-a-ca-certificate-on-linux

    Using update-ca-trust to install a CA certificate
    Copy the CA certificate to the directory /etc/pki/ca-trust/source/anchors/:

    # cp rapidSSL-ca.crt /etc/pki/ca-trust/source/anchors/

    Extract a CA certificate to the list of trusted CA’s:

    # update-ca-trust

    Verify the SSL certificate:

    # openssl verify server.crt
    server.crt : OK