NextDNS daemon suddenly failing on my router (root cert issue). The journey to coming back online.

I installed nextdns via the CLI on my router and have been running it happily for years. It very suddenly stopped working. After checking the logs, I saw the following:

nextdns[3565]: Endpoint failed: https://dns2.nextdns.io#45.90.30.0,2a07:a8c1::: roundtrip: x509: certificate signed by unknown authority (subject=CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB, issuer=CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US)

It seems that the CA root certs were too old -- so connections to the service were blocked. No sweat, the ca-certificates package has no code dependencies, so I downloaded the latest deb from https://packages.debian.org/sid/all/ca-certificates/download and attempted to install.

Next, the ca-certificates package fails to install with the following error:

dpkg-deb: error: archive 'ca-certificates_20260223_all.deb' contains not understood data member control.tar.xz, giving up
dpkg: error processing ca-certificates_20260223_all.deb (--install):
 subprocess dpkg-deb --control returned error exit status 2

This suggests that the package is compressed with xz and the version of dpkg on the machine doesn't support xz. The next step was to repackage it with gzip on another machine and upload to the router.

Now, attempting to install runs into a dependency issue.

dpkg: dependency problems prevent configuration of ca-certificates:
 ca-certificates depends on openssl (>= 1.1.1); however:
  Version of openssl on system is 1.0.1t-1+deb8u11+t5274262-dev-v1.10.11-4544436.

Attempting to upgrade openssl would've been a nightmare. I decided to repackage it again and this time relax the openssl dependency. One potential concern with doing this was that the package could contain certs with ciphers or algorithms that the available version of openssl wouldn't understand. The difference in version makes that pretty slim. In case things go horribly wrong, I backed up the existing installation of the ca-certificates package.

# Record the installed version/state of the package and its dpkg metadata
BK="$HOME/cacerts-backup-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BK/dpkg-info"
dpkg-query -W -f='${Package} ${Version} | ${Status}\n' ca-certificates > "$BK/version.txt" 2>&1
cp -a /var/lib/dpkg/info/ca-certificates.* "$BK/dpkg-info/"
sed -n '/^Package: ca-certificates$/,/^$/p' /var/lib/dpkg/status > "$BK/status-stanza.txt"
# Archive the trust store itself, then confirm the archive is readable before touching anything
tar czf "$BK/trust-backup.tgz" \
  /etc/ssl/certs /usr/share/ca-certificates /etc/ca-certificates.conf /etc/ca-certificates \
  2>/dev/null
tar tzf "$BK/trust-backup.tgz" >/dev/null && echo "backup OK -> $BK" || echo "BACKUP BAD - stop"

Then I relaxed the openssl dependency and repacked everything with gzip.

dpkg-deb -R ca-certificates_20260223_all.deb x   # unpack the data tree plus DEBIAN/ control files
sed -i 's/openssl (>= 1.1.1)/openssl/' x/DEBIAN/control   # drop only the version constraint on openssl
dpkg-deb --build -Zgzip x ca-certificates_20260223_relaxed.deb   # rebuild with gzip-compressed members

Next, I uploaded and installed the relaxed, repacked ca-certificates package and started nextdns. Everything is working great now!
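The two repairs the post describes (rewriting the xz-compressed control.tar.xz and data.tar.xz members as gzip for an old dpkg, and dropping the version constraint on one Depends entry) can be done and checked offline with Python's standard library. The block below is an added example, not the post's own dpkg-deb procedure: ar_unpack/ar_pack are minimal reader/writer functions for the ar container a .deb uses and assume the plain member layout dpkg-deb writes, recompress_tar keeps each entry's mode so postinst stays executable, and build_demo_deb() constructs a stand-in package (xz members, "openssl (>= 1.1.1)" dependency, executable postinst) that is not the real ca-certificates .deb.

```python
# Added example (not the post's dpkg-deb procedure): repack a .deb with gzip members and relax one
# Depends entry using only the standard library.  build_demo_deb() constructs a stand-in package.
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"   # a .deb is an 'ar' archive holding debian-binary, control.tar.*, data.tar.*

def ar_unpack(blob):
    """Parse an ar archive into [(member_name, bytes), ...]: 60-byte headers, even-length padding."""
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        assert hdr[58:60] == b"`\n", "corrupt ar header at offset %d" % pos
        name = hdr[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members

def ar_pack(members):
    """Write [(name, bytes), ...] as an ar archive in the order given (dpkg requires that order)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode("ascii"), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def relax_dependency(control, package):
    """Drop the '(op version)' constraint on `package` in Depends:, leaving every other entry intact."""
    def fix_alt(alt):
        parts = alt.split()
        return package if parts and parts[0] == package else alt.strip()
    def fix_line(m):
        deps = [" | ".join(fix_alt(a) for a in d.split("|")) for d in m.group(1).split(",")]
        return "Depends: " + ", ".join(deps)
    return re.sub(r"^Depends: (.*)$", fix_line, control, flags=re.M)

def recompress_tar(tar_bytes, edit=None):
    """Re-emit a tar of any compression as gzip, keeping entry mode/owner/type; edit() may rewrite files."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for ti in tf.getmembers():
            data = tf.extractfile(ti).read() if ti.isfile() else None
            if edit is not None and data is not None:
                data = edit(ti.name, data)
                ti.size = len(data)
            entries.append((ti, data))
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        for ti, data in entries:
            tf.addfile(ti, io.BytesIO(data) if data is not None else None)
    return out.getvalue()

def repack_deb(deb_bytes, relax=None):
    """Return a .deb with gzip control/data members; if `relax` names a package, drop its version pin."""
    def edit_control(name, data):
        if relax and name.lstrip("./") == "control":
            return relax_dependency(data.decode("utf-8"), relax).encode("utf-8")
        return data
    members = []
    for name, data in ar_unpack(deb_bytes):
        if name.startswith("control.tar"):
            members.append(("control.tar.gz", recompress_tar(data, edit_control)))
        elif name.startswith("data.tar"):
            members.append(("data.tar.gz", recompress_tar(data)))
        else:
            members.append((name, data))   # debian-binary passes through untouched
    return ar_pack(members)

def inspect_deb(deb_bytes):
    """What dpkg sees: member names, whether each tar member is gzip, the Depends line, postinst mode."""
    members = ar_unpack(deb_bytes)
    info = {"members": [n for n, _ in members], "depends": None, "postinst_mode": None,
            "gzip": {n: d.startswith(b"\x1f\x8b") for n, d in members if ".tar" in n}}
    control_tar = next(d for n, d in members if n.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*") as tf:
        for ti in tf.getmembers():
            if ti.name.lstrip("./") == "control":
                text = tf.extractfile(ti).read().decode("utf-8")
                info["depends"] = re.search(r"^Depends: (.*)$", text, re.M).group(1)
            elif ti.name.lstrip("./") == "postinst":
                info["postinst_mode"] = ti.mode
    return info

def build_demo_deb():
    """Constructed stand-in (xz members, versioned openssl dependency, executable postinst); not the real .deb."""
    def tar_xz(files):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:xz") as tf:
            for name, (mode, content) in files.items():
                ti = tarfile.TarInfo(name)
                ti.size, ti.mode = len(content), mode
                tf.addfile(ti, io.BytesIO(content))
        return buf.getvalue()
    control = ("Package: ca-certificates\nVersion: 20260223\nArchitecture: all\n"
               "Depends: openssl (>= 1.1.1), debconf (>= 0.5) | debconf-2.0\n")
    control_tar = tar_xz({"./control": (0o644, control.encode("utf-8")),
                          "./postinst": (0o755, b"#!/bin/sh\nupdate-ca-certificates\n")})
    data_tar = tar_xz({"./usr/share/ca-certificates/mozilla/Demo_Root.crt": (0o644, b"(constructed)\n")})
    return ar_pack([("debian-binary", b"2.0\n"), ("control.tar.xz", control_tar), ("data.tar.xz", data_tar)])

if __name__ == "__main__":
    print("before:", inspect_deb(build_demo_deb()))
    print("after: ", inspect_deb(repack_deb(build_demo_deb(), relax="openssl")))
```

Two points worth keeping in mind when doing this for real: the repacked file no longer matches the checksum published for the original package, so verify the downloaded .deb against the archive's Packages file before repacking rather than after; and relaxing a dependency only removes dpkg's check, not the reason the maintainer put it there, which is the trade-off the post accepts for ca-certificates.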
