2

Since Sep 30 14:01:15 2021 GMT, any software using OpenSSL <=1.0 (like curl, PHP etc.) can't connect to hosts with Let’s Encrypt certificates

* SSL certificate problem: certificate has expired
ndd
  • 139
  • 5
  • 1
    should probably limit duplication around this one-time (hopefully!) event: https://serverfault.com/questions/1079199/client-on-debian-9-erroneously-reports-expired-certificate-for-letsencrypt-issue – anx Oct 01 '21 at 12:31

1 Answer

3

The DST Root CA X3 root certificate expired on Sep 30 14:01:15 2021 GMT. It was used as one of the certification paths for Let’s Encrypt certificates. With any software using OpenSSL <=1.0 (like curl, PHP etc.), the expired root causes the connection to fail instead of other roots in the local CA store being tried (a bug).

As of 30 September 2021, available CA stores still contain the expired DST Root CA X3 root certificate, so updating it won't fix the problem. You can either update your cURL (which might be quite challenging in some situations) or edit the local CA store (e.g. /etc/pki/tls/certs/ca-bundle.crt) and manually remove the certificate after the line "DST Root CA X3".

Update: On 1 October 2021, the new version of the curl CA store available at https://curl.se/docs/caextract.html was updated and does not contain the expired DST Root CA X3 certificate.

ndd
  • 139
  • 5
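
The manual edit described in the answer (removing the certificate that follows the "DST Root CA X3" line), as an added example that is not part of the original post. The function name and the sample bundle are constructed for illustration; it assumes each certificate is preceded by its label lines, as in curl's cacert.pem.

```python
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample bundle; the bodies are placeholders, not real certificates.
SAMPLE = """\
## Constructed sample bundle

DST Root CA X3
==============
-----BEGIN CERTIFICATE-----
PLACEHOLDERAAAA
-----END CERTIFICATE-----

ISRG Root X1
============
-----BEGIN CERTIFICATE-----
PLACEHOLDERBBBB
-----END CERTIFICATE-----
"""


def remove_labelled_cert(bundle_text, label="DST Root CA X3"):
    """Return (new_text, removed_count) with the labelled entry dropped.

    Assumption: label lines (name, '====' underline or '#' comments) sit
    directly above the PEM block they describe, with no blank line between.
    """
    out, pending, block = [], [], []   # kept lines, label lines, current PEM block
    in_cert, removed = False, 0
    for line in bundle_text.splitlines():
        if in_cert:
            block.append(line)
            if line.strip() == END:
                in_cert = False
                if any(label in p for p in pending):
                    removed += 1               # drop the label lines and the block
                else:
                    out.extend(pending + block)
                pending, block = [], []
        elif line.strip() == BEGIN:
            in_cert, block = True, [line]
        elif not line.strip():
            out.extend(pending + [line])       # blank line: header text is not a label
            pending = []
        else:
            pending.append(line)
    out.extend(pending + block)                # trailing text or truncated block kept as-is
    return "\n".join(out) + "\n", removed
```

Write the result to a new file and point the client at it (for curl, `--cacert`) before replacing the system bundle, so the original can be restored.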