
Curl says SSL certificate is expired when it is not

When using curl on my server to access my other servers, I get this response:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Using curl from my local machine or opening the same URL in the browser displays the certificate as valid. The problem seems to be due to Let's Encrypt shutting down support for an older root certificate. But I am just not able to update the trusted root certificates of the server.
I tried update-ca-certificates -f -v and manually downloading the updated root certificates via wget https://curl.se/ca/cacert.pem -O /etc/ssl/certs/cacert.pem but nothing works. Any ideas?

As the information is not enough, I cannot confirm the cause, but you may try the following steps to remove the old Let's Encrypt CA:

  1. Check DST Root is in /etc/pki/tls/certs/ca-bundle.crt, and ISRG Root X1 is in ISRG Root X1.
  2. Copy the "# DST Root CA X3" section into the /etc/pki/ca-trust/source/blacklist directory as a PEM file
  3. Run update-ca-trust
  4. Check DST Root is no longer in /etc/pki/tls/certs/ca-bundle.crt, and ISRG Root X1 is in ISRG Root X1.
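
The bundle check and extraction from steps 1, 2 and 4 above, as an added example that is not part of the original answer. It runs against a constructed bundle in a temporary directory and assumes the bundle labels each certificate with a `# <name>` comment line, as the answer implies; the function names and the placeholder certificate bodies are made up for illustration.

```shell
#!/bin/sh
# Constructed sample in the "# <label>" + PEM layout the answer refers to.
# The base64 bodies are placeholders, not real certificates.
make_sample_bundle() {  # usage: make_sample_bundle <path>
  cat > "$1" <<'EOF'
# DST Root CA X3
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtRFNULVBMQUNFSE9MREVS
-----END CERTIFICATE-----
# ISRG Root X1
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSVNSRy1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}

# Exit status 0 if the bundle has a "# <label>" line. usage: has_root <bundle> <label>
has_root() { grep -Fxq "# $2" "$1"; }

# Print only the PEM block that follows "# <label>". usage: extract_root <bundle> <label>
extract_root() {
  awk -v want="# $2" '
    $0 == want                                      { found = 1; next }
    found && !inpem && /^# /                        { found = 0 }
    found && /^-----BEGIN CERTIFICATE-----$/        { inpem = 1 }
    found && inpem                                  { print }
    found && inpem && /^-----END CERTIFICATE-----$/ { exit }
  ' "$1"
}

# Steps 1 and 4: report both roots in one line. usage: check_bundle <bundle>
check_bundle() {
  dst=absent; isrg=absent
  has_root "$1" "DST Root CA X3" && dst=present
  has_root "$1" "ISRG Root X1" && isrg=present
  echo "DST Root CA X3: $dst; ISRG Root X1: $isrg"
}

# Step 2: write the section to <dir>/<label>.pem. usage: stage_for_blacklist <bundle> <label> <dir>
stage_for_blacklist() {
  out="$3/$(printf '%s' "$2" | tr ' ' '_').pem"
  extract_root "$1" "$2" > "$out"
  if [ ! -s "$out" ]; then rm -f "$out"; return 1; fi  # label not in bundle
  printf '%s\n' "$out"
}

work=$(mktemp -d)                      # demo on the constructed bundle only
make_sample_bundle "$work/ca-bundle.crt"
check_bundle "$work/ca-bundle.crt"
stage_for_blacklist "$work/ca-bundle.crt" "DST Root CA X3" "$work"
```

On the real host the staged file would go into /etc/pki/ca-trust/source/blacklist, followed by update-ca-trust and a second check_bundle run against /etc/pki/tls/certs/ca-bundle.crt.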

This may be late. But recently I faced this issue.

In my case, the system time was set to 2012 for some reason!!

I just fixed it by synchronizing the time:

timedatectl set-ntp true

Suddenly, curl works. In fact, I wasn't trying curl itself, I was trying to install composer on CentOS 7 when this error appeared, but now everything is great.

Stupid error took me a whole day to fix!
