Debian unattended upgrade doesn't install a package

Question

I'm checkin unattended-upgrades on Debian Buster. By default both "Label=Debian" and "Label=Debian-Security" is allowed. There's a package ca-certificates that has an update but won't be installed for some reason.

apt-get upgrade allows me to install ca-certificates.

Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 158 kB of archives.
After this operation, 3,072 B disk space will be freed.
Do you want to continue? [Y/n] n

But when i run unattended-upgrades it doesn't install it.

Initial whitelist:
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=buster,label=Debian, origin=Debian,codename=buster,label=Debian-Security
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*) regexp to find kernel packages
Using (^linux-image-4\.19\.0\-8\-amd64$|^linux-headers-4\.19\.0\-8\-amd64$|^linux-image-extra-4\.19\.0\-8\-amd64$|^linux-modules-4\.19\.0\-8\-amd64$|^linux-modules-extra-4\.19\.0\-8\-amd64$|^linux-signed-image-4\.19\.0\-8\-amd64$|^linux-image-unsigned-4\.19\.0\-8\-amd64$|^kfreebsd-image-4\.19\.0\-8\-amd64$|^kfreebsd-headers-4\.19\.0\-8\-amd64$|^gnumach-image-4\.19\.0\-8\-amd64$|^.*-modules-4\.19\.0\-8\-amd64$|^.*-kernel-4\.19\.0\-8\-amd64$|^linux-backports-modules-.*-4\.19\.0\-8\-amd64$|^linux-modules-.*-4\.19\.0\-8\-amd64$|^linux-tools-4\.19\.0\-8\-amd64$|^linux-cloud-tools-4\.19\.0\-8\-amd64$|^linux-buildinfo-4\.19\.0\-8\-amd64$|^linux-source-4\.19\.0\-8\-amd64$) regexp to find running kernel packages
Checking: ca-certificates ([<Origin component:'main' archive:'stable-updates' origin:'Debian' label:'Debian' site:'deb.debian.org' isTrusted:True>])
adjusting candidate version: ca-certificates=20190110
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals

apt-cache policy ca-certificates shows new version:

  Installed: 20190110
  Candidate: 20200601~deb10u1
  Version table:
     20200601~deb10u1 500
        500 http://deb.debian.org/debian buster-updates/main amd64 Packages
 *** 20190110 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status

So why it's not installed than?

Answer 1

The 'Allowed origins are' line specifies that Debian and Debian-Security are allowed to be upgraded from.

In the output of apt-cache policy ca-certificates you can see that ca-certificates comes from a different source, buster-updates.

To alter this you can uncomment the "origin=Debian,codename=${distro_codename}-updates"; line in /etc/apt/apt.conf.d/50unattended-upgrades or override the Unattended-Upgrade::Origins-Pattern config in a later file.