Curl says SSL certificate is expired when it is not

When using curl on my server to access my other servers, I get this response:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Using curl from my local machine or opening the same URL in the browser displays the certificate as valid. The problem seems to be due to Let's Encrypt shutting down support for an older root certificate. But I am just not able to update the trusted root certificates of the server.
I tried update-ca-certificates -f -v and manually downloading the updated root certificates via wget https://curl.se/ca/cacert.pem -O /etc/ssl/certs/cacert.pem but nothing works. Any ideas?



Solution 1:[1]

As the information is not enough, I cannot confirm the cause, but you may try the following steps to remove the old Let's Encrypt CA:

  1. Check DST Root is in /etc/pki/tls/certs/ca-bundle.crt, and ISRG Root X1 is in ISRG Root X1.
  2. Copy the "# DST Root CA X3" section into the /etc/pki/ca-trust/source/blacklist directory as a PEM file
  3. Run update-ca-trust
  4. Check DST Root is no longer in /etc/pki/tls/certs/ca-bundle.crt, and ISRG Root X1 is in ISRG Root X1.

Solution 2:[2]

This may be late. But recently I faced this issue

In my case, the system time was set to 2012 for some reason!!

I just fixed it by synchronizing the time:

timedatectl set-ntp true

Suddenly, curl works. In fact I wasn't trying curl itself, I was trying to install composer on CentOS 7 when this error appeared, but now everything is great.

Stupid error took me a whole day to fix!
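
A diagnostic covering both causes raised in the two answers above (an expired root such as DST Root CA X3 still in the trust bundle, and a wrong system clock), as an added example that is not part of either answer. The function names, the sample entries and the "root from the future means bad clock" heuristic are assumptions made for this sketch.

```python
import ssl
import sys
import time

# Constructed sample entries in the dict shape SSLContext.get_ca_certs() returns.
SAMPLE_BUNDLE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notBefore": "Sep 30 21:12:19 2000 GMT", "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "ISRG Root X1"),),),
     "notBefore": "Jun  4 11:04:38 2015 GMT", "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

def load_ca_certs(bundle_path):
    """Parse a PEM CA bundle with the standard library only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx.get_ca_certs()

def common_name(cert):
    """Pull the commonName out of the nested subject tuple, if there is one."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def diagnose(ca_certs, now):
    """Return (verdict, names) for the bundle as seen at `now` (epoch seconds)."""
    expired, not_yet_valid = [], []
    for cert in ca_certs:
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(common_name(cert))
        elif ssl.cert_time_to_seconds(cert["notBefore"]) > now:
            not_yet_valid.append(common_name(cert))
    # Heuristic (assumption): a shipped bundle holds no roots from the future,
    # so a "not yet valid" root points at the local clock, not at the bundle.
    if not_yet_valid:
        return "clock-suspect", not_yet_valid
    if expired:
        return "expired-roots", expired
    return "ok", []

if __name__ == "__main__":
    # Default path is the one named in Solution 1; pass another bundle as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/tls/certs/ca-bundle.crt"
    verdict, names = diagnose(load_ca_certs(path), time.time())
    print(time.strftime("system clock (UTC): %Y-%m-%d %H:%M:%S", time.gmtime()))
    print(verdict, *names, sep="\n  ")
```

A "clock-suspect" verdict is the case to rule out first, since no change to the trust store helps while the clock is wrong.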

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 LingYan Meng
Solution 2 Dohab