Some success. The original /etc/ssl/certs hash for isrgrootx1.pem was 8d33f237.0. Earlier I computed the hash to be 4042bcee.0 (odd why it would be different, whatever) but this was before we looked at curl and this did not fix the acme. Now
So now we know that /etc/ssl/certs is set up correctly (why this never mattered until recently is unclear) and fixes curl but sadly acme-client still fails as before.
Success! I do not understand at all how this has been working the last three years. The key was the hash link name was incorrect (out of date?). Using strace with -f to trace child processes I saw that acme-client uses /usr/local/ssl/certs, not /etc/ssl/certs. /usr/local/ssl/certs has
and now acme-client is happy. All of this is slowly coming back to me. I think since I build acme-client from source, it defaulted to looking for certificates in the /usr/local/ssl directory tree instead of /etc/ssl/certs. I suspect that if I rebuild acme-client there is a configure option in there to specify certificate location. I also built curl from source a long time ago and I suspected it defaulted to openssl which defaults to /etc/ssl.
The final mystery to me is why the different hashes for the same file. When openssl calculates the hash value does it get something from some CA site out there? If so and that is what the R10/R11 change affected, then this all makes sense.
I will write this up and put it in my SSL file folder (yes, real paper, I am that old).
THANK YOU THANK YOU MikeMcQ, petercooperjr, mcpherrinm, linkp, rg305 for sticking with me on this!!!! BTW linkp thank you for the ancient SUSE docs. I had given up on trying to upgrade the SUSE11 because I did not have the SP4 which is needed to jump to 12. The document page you pointed to shows how to leap. Fortunately this is a VM machine so I can simply checkpoint it before attempting. Once I am there I have the 12 SP files.
The manual page is there but I never found a more recent download. I think I used his acme-client because others needed supporting programs that I either could not get rpms for SUSE11 or build on SUSE11 due to old gcc/libc etc.
And from the README.md there
`
Attention: acme-client has moved permanently into OpenBSD. It is not maintained here any more.
If you're using this repository---which is intended for OpenBSD anyway---you're using old code.
Please use the local version instead!
If you'd like to contribute to acme-client, please submit patches to the OpenBSD tree.