Error in updater - Trust Failure - SSL error

I made a complete new installation on my RasPi 4.
But now, if I want to check for new updates, I revieve ‘Error in updater’ in protocol stack.

Did any type of certificates updates I found in varios threats, but nothing works.
OS: Raspberry Pi OS lite (bullseye (based on debian 11)
Mono: 6.12.0.122

Log output see below.
If more dumps are needed i can provide it.

btw, email notofication using STARTTLS dont’t work too. Maybe same problem?

Thanks.
Manfred

System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) —> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. —> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /build/mono-6.12.0.122/external/boringssl/ssl/handshake_client.c:1132
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
— End of inner exception stack trace —
at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
— End of inner exception stack trace —
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebOperation.Run () [0x0009a] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebCompletionSource1[T].WaitForCompletion () [0x00094] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.HttpWebRequest.GetResponse () [0x00016] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebClient.DownloadFile (System.Uri address, System.String fileName) [0x00088] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at System.Net.WebClient.DownloadFile (System.String address, System.String fileName) [0x00008] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0
at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadFile(string,string)
at Duplicati.Library.AutoUpdater.UpdaterManager.CheckForUpdate (Duplicati.Library.AutoUpdater.ReleaseType channel) [0x000ee] in <8d4cb1693e00483189d3952c3f0ed20f>:0

I am having this same issue also. This is hand in hand with the same error when trying to run my backup job. I am running on an Asustor NAS. I was going to try and uninstall and reinstall Mono as I understand it has something to do with this, but obviously it tries then wants to uninstall Duplicati

Any help would be appreciated as the only option at the minute is to select accept-any-ssl-certificate.

I have tried running sudo /usr/local/AppCentral/mono/bin/cert-syn
c /etc/ssl/certs/ca-certificates.crt
which works but the update nor the backup works. It has been like this since 30th November

This is the error from running the backup job

{“ClassName”:“System.Net.WebException”,“Message”:“Error: TrustFailure (Authentication failed, see inner exception.)”,“Data”:null,“InnerException”:{“ClassName”:“System.Security.Authentication.AuthenticationException”,“Message”:“Authentication failed, see inner exception.”,“Data”:null,“InnerException”:{“Message”:“Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED\n at /asustor/trunk_2021_01_12/x64_g3/x64_g3/objs/mono-6.12.0.107/external/boringssl/ssl/handshake_client.c:1132”,“Data”:{},“InnerException”:null,“StackTrace”:" at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <652d36f38550428c85c9b233c47d70a6>:0 \n at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <652d36f38550428c85c9b233c47d70a6>:0 \n at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)\n at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <652d36f38550428c85c9b233c47d70a6>:0 \n at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <652d36f38550428c85c9b233c47d70a6>:0 “,“HelpLink”:null,“Source”:“System”,“HResult”:-2146233088},“HelpURL”:null,“StackTraceString”:” at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <652d36f38550428c85c9b233c47d70a6>:0 \n at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <652d36f38550428c85c9b233c47d70a6>:0 \n at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <652d36f38550428c85c9b233c47d70a6>:0 “,“RemoteStackTraceString”:null,“RemoteStackIndex”:0,“ExceptionMethod”:null,“HResult”:-2146233087,“Source”:“mscorlib”},“HelpURL”:null,“StackTraceString”:” at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <652d36f38550428c85c9b233c47d70a6>:0 \n at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <652d36f38550428c85c9b233c47d70a6>:0 \n at System.Net.WebOperation.Run () [0x0009a] in <652d36f38550428c85c9b233c47d70a6>:0 \n at System.Net.WebCompletionSource1[T].WaitForCompletion () [0x00094] in <652d36f38550428c85c9b233c47d70a6>:0 \n at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <652d36f38550428c85c9b233c47d70a6>:0 \n at Duplicati.Library.Utility.AsyncHttpRequest+AsyncWrapper.GetResponseOrStream () [0x0004d] in <2a3ee711c7c04f6c957360f2cf183a7f>:0 \n at Duplicati.Library.Utility.AsyncHttpRequest.GetResponse () [0x00044] in <2a3ee711c7c04f6c957360f2cf183a7f>:0 \n at Duplicati.Library.Backend.Backblaze.B2AuthHelper.get_Config () [0x0013d] in :0 \n at Duplicati.Library.Backend.Backblaze.B2AuthHelper.get_APIUrl () [0x00000] in :0 \n at Duplicati.Library.Backend.Backblaze.B2.List () [0x00011] in :0 \n at Duplicati.Library.Main.BackendManager.DoList (Duplicati.Library.Main.BackendManager+FileEntryItem item) [0x00011] in :0 \n at Duplicati.Library.Main.BackendManager.ThreadRun () [0x00108] in :0 ",“RemoteStackTraceString”:null,“RemoteStackIndex”:0,“ExceptionMethod”:null,“HResult”:-2146233079,“Source”:“Duplicati.Library.Utility”}

and the error running the update

System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) —> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. —> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /asustor/trunk_2021_01_12/x64_g3/x64_g3/objs/mono-6.12.0.107/external/boringssl/ssl/handshake_client.c:1132
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <652d36f38550428c85c9b233c47d70a6>:0
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <652d36f38550428c85c9b233c47d70a6>:0
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <652d36f38550428c85c9b233c47d70a6>:0
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <652d36f38550428c85c9b233c47d70a6>:0
— End of inner exception stack trace —
at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <652d36f38550428c85c9b233c47d70a6>:0
at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <652d36f38550428c85c9b233c47d70a6>:0
— End of inner exception stack trace —
at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebOperation.Run () [0x0009a] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebCompletionSource1[T].WaitForCompletion () [0x00094] in <652d36f38550428c85c9b233c47d70a6>:0 at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.HttpWebRequest.GetResponse () [0x00016] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.DownloadFile (System.Uri address, System.String fileName) [0x00088] in <652d36f38550428c85c9b233c47d70a6>:0
at System.Net.WebClient.DownloadFile (System.String address, System.String fileName) [0x00008] in <652d36f38550428c85c9b233c47d70a6>:0
at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadFile(string,string)
at Duplicati.Library.AutoUpdater.UpdaterManager.CheckForUpdate (Duplicati.Library.AutoUpdater.ReleaseType channel) [0x000ee] in <8d4cb1693e00483189d3952c3f0ed20f>:0

I too was having the same issue, albeit on an Arch Linux system. What finally allowed to fix it are the explanations given here: SSL certificate errors · KSP-CKAN/CKAN Wiki · GitHub
More precisely, banning the DST X3 Root Ca and then forcing to update system store and mono store did the trick for me.
Here are the commands I used:

sudo trust extract --format=pem-bundle --filter='pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert' /etc/ca-certificates/trust-source/blocklist/untrusted_authority.pem
sudo update-ca-trust
sudo cert-sync /etc/ssl/certs/ca-certificates.crt

The first one bans the expired root CA and the two others update the required certificate stores. In particular, the last one showed this in its output:

Certificate removed: O=Digital Signature Trust Co., CN=DST Root CA X3

Once I got this, my backup started working again with a Backblaze B2 remote.

1 Like

Seems likely, however you would need to run the SSLLABS tester or openssl s_client to say for sure.

The Updater and Backblaze problems are probably from same expired Let’s Encrypt certificate issue:

DST Root CA X3 Expiration (September 2021)

however Backblaze now uses a certificate Valid from Tue, 30 Nov 2021 02:22:14 UTC which might be
causing recent problems. updates.duplicati.com has I think been using Let’s Encrypt certificate awhile.

So when your failure began is an indirect way of knowing which change affected you. A direct check is

A System.Net.WebException: Error: TrustFailure error occurs

and is somewhat experimental, but runs the mono certmgr tool to find out exactly what mono is using.

is what you don’t want, but the exact way of removing it depends on your OS. I have little idea what an ASUSSTOR NAS has inside. Some such systems run Debian, and there’s pretty good info on its use.

If your system is up-to-date, it might already have the required ISRG Root X1, but it’s worth checking.

Extending Android Device Compatibility for Let’s Encrypt Certificates broke mono and older OpenSSL.

OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates

One Debian certificate deletion change that has worked for many people is referenced from this post:

TrustFailure error when using Backblaze B2

Unfortunately the exact procedure is OS-dependent, but the intent is the same. Need to fix certificates.

Hi.

Thanks so much for this help. I managed to delete the offending certificate with help from this link https://github.com/duplicati/duplicati/issues/4650

On the ASUSTOR NAS using SSH

Open the file ca-certificates.crt

/etc/ssl/certs # vi ca-certificates.crt

The problem was that it does not give you the certificate name before the BEGIN CERTIFICATE so i had to search for the actual certificate using parts of the actual certificate and checking that it matched with the one in the post.

I then deleted this from the file, saved it and then re run

sudo cert-sync /etc/ssl/certs/ca-certificates.crt

This told me that the DST ROOT CA X3 Cert was removed.

# sudo cert-sync /etc/ssl/certs/ca-certificates.crt
Mono Certificate Store Sync - version 6.12.0.107
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 127, your new list has 126
1 previously trusted certificates were removed.
Certificate removed: O=Digital Signature Trust Co., CN=DST Root CA X3
Import process completed.

Importing into BTLS system store:
I already trust 127, your new list has 126
1 previously trusted certificates were removed.
Certificate removed: O=Digital Signature Trust Co., CN=DST Root CA X3
Import process completed.

I restarted Duplicati & Mono in my NAS and then ran my backup job

So far so good, it runs with no error.

The update also now seems to work!

Thank you again so much for your help.

2 Likes

It seems like I have the same issue. I want to update from 2.0.5.1_beta_2020-01-18 > 2.0.6.3_beta_2021-06-17 on Debian 10.11. I am accessing the webinterface without https. I updated all packages on debian and tried the solutions proposed here.

cert-sync /etc/ssl/certs/ca-certificates.crt
Mono Certificate Store Sync - version 6.12.0.122
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 137, your new list has 137
Import process completed.

Importing into BTLS system store:
I already trust 137, your new list has 137
Import process completed.

Error in updater

System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /build/mono-6.12.0.122/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebOperation.Run () [0x0009a] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebClient.DownloadFile (System.Uri address, System.String fileName) [0x00088] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at System.Net.WebClient.DownloadFile (System.String address, System.String fileName) [0x00008] in <9c6e2cb7ddd8473fa420642ddcf7ce48>:0 
  at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadFile(string,string)
  at Duplicati.Library.AutoUpdater.UpdaterManager.CheckForUpdate (Duplicati.Library.AutoUpdater.ReleaseType channel) [0x000ee] in <74dd9b2be27c412e929e872fc5457c24>:0 

OK, thatks everybody for supporting within this topic.

I got backup chack working without SSL-Error again (but I do not now if it really works, because I have latest version installed…)

Solution is described by @ seanws78 in post Error in updater - Trust Failure - SSL error - #5 by seanws78
But addidionally, I had to use option --user at cert-cync command too:
sudo cert-sync --user /etc/ssl/certs/ca-certificates.crt

1 Like

You didn’t delete the certificate as your number of the certificates is the same?

For what it’s worth (and this is not my area of expertise), I was testing a more user-friendly path. This is Linux Mint, who I think updated certificates (or at least Ubuntu did – Debian has not, so update won’t fix).

https://tracker.debian.org/pkg/ca-certificates

Technically they updated it, but a different bug is blocking release. Meanwhile, it needs a manual change.

This might be me just picking up the Linux Mint removal without going through my own deselection step:

$ sudo dpkg-reconfigure ca-certificates
[sudo] password for <me>:         
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~18.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
Updating Mono key store
Mono Certificate Store Sync - version 6.12.0.122
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 130, your new list has 128
Import process completed.

Importing into BTLS system store:
I already trust 130, your new list has 128
Import process completed.
Done
done.

There was a character UI I think I could have used to remove DST Root CA X3 (mine was already gone)

How to force older debian to forget about DST Root CA X3 Expiration and use ISRG Root X1 - SSL certificate problem: certificate has expired covers various methods to get certificates as they need to be.

How does one remove a certificate authority’s certificate from a system? covers dpkg-reconfigure better.