Can't renew: requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]

Seeing the amount of reports on this, I might be beating a dead horse, but since none of the solutions solved the problem, I'll make another thread.
I want to point out that this problem exists exclusively on my mail server, no problems at all on every other server, and I run a mix of Debian and Ubuntu servers, plus 1 CentOS server.
The mail server runs on Debian 11.

My domain is: (confidential)

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/〇〇.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Failed to renew certificate 〇〇 with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1123)')))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/〇〇/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx version:

nginx -v
nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):

cat /etc/debian_version
11.1

My hosting provider, if applicable, is: ConoHa

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 1.12.0

certbot-auto --version
zsh: command not found: certbot-auto

openssl version
OpenSSL 1.1.1k  25 Mar 2021

Other information:

dig acme-v02.api.letsencrypt.org

; <<>> DiG 9.16.22-Debian <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25224
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.	IN	A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 384 IN	CNAME	prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 257	IN	CNAME	ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 257 IN A 172.65.32.248

;; Query time: 4 msec
;; SERVER: 180.222.191.15#53(180.222.191.15)
;; WHEN: Thu Dec 02 14:03:38 JST 2021
;; MSG SIZE  rcvd: 155

curl -v https://acme-v02.api.letsencrypt.org/
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

What's the output of:

dpkg-query -l ca-certificates

I got this:

要望=(U)不明/(I)インストール/(R)削除/(P)完全削除/(H)保持
| 状態=(N)無/(I)インストール済/(C)設定/(U)展開/(F)設定失敗/(H)半インストール/(W)トリガ待ち/(T)トリガ保留
|/ エラー?=(空欄)無/(R)要再インストール (状態,エラーの大文字=異常)
||/ 名前            バージョン   アーキテクチ 説明
+++-===============-============-============-=================================
ii  ca-certificates 20210119     all          Common CA certificates

Some translation:
要望 = demand
不明 = unknown = U
インストール = install = I
削除 = delete = R
完全削除 = completely purge = P
保持 = preserve = H

状態 = status
無 = no = N
インストール済 = installation completed = I
設定 = settings = C
展開 = unfold = U
設定失敗 = settings failed = F
半インストール = half installation = H
トリガ待ち = wait for trigger = W
トリガ保留 = trigger reservation = T

エラー？ = error?
(空欄)無 = (blank) no
要再インストール = demand reinstall (not a correct localization though) = R
状態,エラーの大文字＝異常 = status, capital letters of the error = abnormal

名前 = name
バージョン = version
アーキテクチ = architecti
説明 = explanation

Update:
Identical output on the other servers where certbot does work.

Bizarre. Does forcibly regenerating the ca-certificates file help at all?

update-ca-certificates --fresh

update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping iRedMail.crt,it does not contain exactly one certificate or CRL
129 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

The same error came up when trying to renew again though.

Please show the output of:
ls -ltr /etc/ssl/certs/

It's long though.

ls -ltr /etc/ssl/certs/
合計 588
-rw-r--r-- 1 root root   1054  3月  6  2019  ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root     21  3月  6  2019  79aae987 -> ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root   1456  3月  6  2019  iRedMail.crt.bak
-rw-r--r-- 1 root root   3558  5月 13  2019  iRedMail.crt
lrwxrwxrwx 1 root root     21  9月 12  2019  79aae987.0 -> ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root     48 12月  2 15:18  ACCVRAIZ1.pem -> /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  Actalis_Authentication_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  AffirmTrust_Commercial.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  AffirmTrust_Networking.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  AffirmTrust_Premium.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  AffirmTrust_Premium_ECC.pem -> /usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt
lrwxrwxrwx 1 root root     60 12月  2 15:18  Atos_TrustedRoot_2011.pem -> /usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
lrwxrwxrwx 1 root root     96 12月  2 15:18  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem -> /usr/share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
lrwxrwxrwx 1 root root     64 12月  2 15:18  Baltimore_CyberTrust_Root.pem -> /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  Buypass_Class_2_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  Buypass_Class_3_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  CA_Disig_Root_R2.pem -> /usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt
lrwxrwxrwx 1 root root     47 12月  2 15:18  Certigna.pem -> /usr/share/ca-certificates/mozilla/Certigna.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  certSIGN_ROOT_CA.pem -> /usr/share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
lrwxrwxrwx 1 root root     66 12月  2 15:18  Certum_Trusted_Network_CA_2.pem -> /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt
lrwxrwxrwx 1 root root     64 12月  2 15:18  Certum_Trusted_Network_CA.pem -> /usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
lrwxrwxrwx 1 root root     51 12月  2 15:18  CFCA_EV_ROOT.pem -> /usr/share/ca-certificates/mozilla/CFCA_EV_ROOT.crt
lrwxrwxrwx 1 root root     71 12月  2 15:18  Chambers_of_Commerce_Root_-_2008.pem -> /usr/share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
lrwxrwxrwx 1 root root     63 12月  2 15:18  Comodo_AAA_Services_root.pem -> /usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  COMODO_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
lrwxrwxrwx 1 root root     73 12月  2 15:18  COMODO_ECC_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
lrwxrwxrwx 1 root root     73 12月  2 15:18  COMODO_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  Cybertrust_Global_Root.pem -> /usr/share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
lrwxrwxrwx 1 root root     66 12月  2 15:18  DigiCert_Assured_ID_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
lrwxrwxrwx 1 root root     66 12月  2 15:18  DigiCert_Assured_ID_Root_G2.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
lrwxrwxrwx 1 root root     66 12月  2 15:18  DigiCert_Assured_ID_Root_G3.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  DigiCert_Global_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  DigiCert_Global_Root_G2.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  DigiCert_Global_Root_G3.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt
lrwxrwxrwx 1 root root     73 12月  2 15:18  DigiCert_High_Assurance_EV_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
lrwxrwxrwx 1 root root     63 12月  2 15:18  DigiCert_Trusted_Root_G4.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt
lrwxrwxrwx 1 root root     53 12月  2 15:18  DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  D-TRUST_Root_Class_3_CA_2_2009.pem -> /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
lrwxrwxrwx 1 root root     72 12月  2 15:18  D-TRUST_Root_Class_3_CA_2_EV_2009.pem -> /usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
lrwxrwxrwx 1 root root     45 12月  2 15:18  EC-ACC.pem -> /usr/share/ca-certificates/mozilla/EC-ACC.crt
lrwxrwxrwx 1 root root     80 12月  2 15:18  Entrust.net_Premium_2048_Secure_Server_CA.pem -> /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
lrwxrwxrwx 1 root root     75 12月  2 15:18  Entrust_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     81 12月  2 15:18  Entrust_Root_Certification_Authority_-_EC1.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
lrwxrwxrwx 1 root root     80 12月  2 15:18  Entrust_Root_Certification_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt
lrwxrwxrwx 1 root root     72 12月  2 15:18  ePKI_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     70 12月  2 15:18  E-Tugra_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  Global_Chambersign_Root_-_2008.pem -> /usr/share/ca-certificates/mozilla/Global_Chambersign_Root_-_2008.crt
lrwxrwxrwx 1 root root     66 12月  2 15:18  GlobalSign_ECC_Root_CA_-_R4.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
lrwxrwxrwx 1 root root     66 12月  2 15:18  GlobalSign_ECC_Root_CA_-_R5.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
lrwxrwxrwx 1 root root     57 12月  2 15:18  GlobalSign_Root_CA.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  GlobalSign_Root_CA_-_R2.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  GlobalSign_Root_CA_-_R3.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  Go_Daddy_Class_2_CA.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
lrwxrwxrwx 1 root root     79 12月  2 15:18  Go_Daddy_Root_Certificate_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
lrwxrwxrwx 1 root root     98 12月  2 15:18  Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem -> /usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
lrwxrwxrwx 1 root root     94 12月  2 15:18  Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem -> /usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
lrwxrwxrwx 1 root root     94 12月  2 15:18  Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem -> /usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  Hongkong_Post_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  IdenTrust_Commercial_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt
lrwxrwxrwx 1 root root     72 12月  2 15:18  IdenTrust_Public_Sector_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
lrwxrwxrwx 1 root root     51 12月  2 15:18  ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
lrwxrwxrwx 1 root root     49 12月  2 15:18  Izenpe.com.pem -> /usr/share/ca-certificates/mozilla/Izenpe.com.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  Microsec_e-Szigno_Root_CA_2009.pem -> /usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA_2009.crt
lrwxrwxrwx 1 root root     83 12月  2 15:18 'NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem' -> '/usr/share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt'
lrwxrwxrwx 1 root root     78 12月  2 15:18  Network_Solutions_Certificate_Authority.pem -> /usr/share/ca-certificates/mozilla/Network_Solutions_Certificate_Authority.crt
lrwxrwxrwx 1 root root     70 12月  2 15:18  OISTE_WISeKey_Global_Root_GB_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
lrwxrwxrwx 1 root root     60 12月  2 15:18  QuoVadis_Root_CA_1_G3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt
lrwxrwxrwx 1 root root     57 12月  2 15:18  QuoVadis_Root_CA_2.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt
lrwxrwxrwx 1 root root     60 12月  2 15:18  QuoVadis_Root_CA_2_G3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt
lrwxrwxrwx 1 root root     57 12月  2 15:18  QuoVadis_Root_CA_3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt
lrwxrwxrwx 1 root root     60 12月  2 15:18  QuoVadis_Root_CA_3_G3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  QuoVadis_Root_CA.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  Secure_Global_CA.pem -> /usr/share/ca-certificates/mozilla/Secure_Global_CA.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  SecureSign_RootCA11.pem -> /usr/share/ca-certificates/mozilla/SecureSign_RootCA11.crt
lrwxrwxrwx 1 root root     53 12月  2 15:18  SecureTrust_CA.pem -> /usr/share/ca-certificates/mozilla/SecureTrust_CA.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  Security_Communication_RootCA2.pem -> /usr/share/ca-certificates/mozilla/Security_Communication_RootCA2.crt
lrwxrwxrwx 1 root root     69 12月  2 15:18  Security_Communication_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Security_Communication_Root_CA.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  Sonera_Class_2_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Sonera_Class_2_Root_CA.crt
lrwxrwxrwx 1 root root     71 12月  2 15:18  Staat_der_Nederlanden_EV_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
lrwxrwxrwx 1 root root     73 12月  2 15:18  Staat_der_Nederlanden_Root_CA_-_G3.pem -> /usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
lrwxrwxrwx 1 root root     59 12月  2 15:18  Starfield_Class_2_CA.pem -> /usr/share/ca-certificates/mozilla/Starfield_Class_2_CA.crt
lrwxrwxrwx 1 root root     80 12月  2 15:18  Starfield_Root_Certificate_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
lrwxrwxrwx 1 root root     89 12月  2 15:18  Starfield_Services_Root_Certificate_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  SwissSign_Gold_CA_-_G2.pem -> /usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
lrwxrwxrwx 1 root root     63 12月  2 15:18  SwissSign_Silver_CA_-_G2.pem -> /usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt
lrwxrwxrwx 1 root root     54 12月  2 15:18  SZAFIR_ROOT_CA2.pem -> /usr/share/ca-certificates/mozilla/SZAFIR_ROOT_CA2.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  TeliaSonera_Root_CA_v1.pem -> /usr/share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  Trustis_FPS_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt
lrwxrwxrwx 1 root root     67 12月  2 15:18  T-TeleSec_GlobalRoot_Class_2.pem -> /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt
lrwxrwxrwx 1 root root     67 12月  2 15:18  T-TeleSec_GlobalRoot_Class_3.pem -> /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  TWCA_Global_Root_CA.pem -> /usr/share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt
lrwxrwxrwx 1 root root     72 12月  2 15:18  TWCA_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     76 12月  2 15:18  USERTrust_ECC_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
lrwxrwxrwx 1 root root     76 12月  2 15:18  USERTrust_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
lrwxrwxrwx 1 root root     59 12月  2 15:18  XRamp_Global_CA_Root.pem -> /usr/share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  AC_RAIZ_FNMT-RCM.pem -> /usr/share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  Amazon_Root_CA_1.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  Amazon_Root_CA_2.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_2.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  Amazon_Root_CA_3.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_3.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  Amazon_Root_CA_4.pem -> /usr/share/ca-certificates/mozilla/Amazon_Root_CA_4.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  GDCA_TrustAUTH_R5_ROOT.pem -> /usr/share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt
lrwxrwxrwx 1 root root     82 12月  2 15:18  SSL.com_EV_Root_Certification_Authority_ECC.pem -> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
lrwxrwxrwx 1 root root     85 12月  2 15:18  SSL.com_EV_Root_Certification_Authority_RSA_R2.pem -> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
lrwxrwxrwx 1 root root     79 12月  2 15:18  SSL.com_Root_Certification_Authority_ECC.pem -> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt
lrwxrwxrwx 1 root root     79 12月  2 15:18  SSL.com_Root_Certification_Authority_RSA.pem -> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt
lrwxrwxrwx 1 root root     53 12月  2 15:18  TrustCor_ECA-1.pem -> /usr/share/ca-certificates/mozilla/TrustCor_ECA-1.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  TrustCor_RootCert_CA-1.pem -> /usr/share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt
lrwxrwxrwx 1 root root     61 12月  2 15:18  TrustCor_RootCert_CA-2.pem -> /usr/share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt
lrwxrwxrwx 1 root root     84 12月  2 15:18  TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem -> /usr/share/ca-certificates/mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  GlobalSign_Root_CA_-_R6.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt
lrwxrwxrwx 1 root root     70 12月  2 15:18  OISTE_WISeKey_Global_Root_GC_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt
lrwxrwxrwx 1 root root     55 12月  2 15:18  Certigna_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Certigna_Root_CA.crt
lrwxrwxrwx 1 root root     80 12月  2 15:18  Entrust_Root_Certification_Authority_-_G4.pem -> /usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt
lrwxrwxrwx 1 root root     50 12月  2 15:18  GTS_Root_R1.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R1.crt
lrwxrwxrwx 1 root root     50 12月  2 15:18  GTS_Root_R2.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R2.crt
lrwxrwxrwx 1 root root     50 12月  2 15:18  GTS_Root_R3.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R3.crt
lrwxrwxrwx 1 root root     50 12月  2 15:18  GTS_Root_R4.pem -> /usr/share/ca-certificates/mozilla/GTS_Root_R4.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  Hongkong_Post_Root_CA_3.pem -> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt
lrwxrwxrwx 1 root root     67 12月  2 15:18  UCA_Extended_Validation_Root.pem -> /usr/share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt
lrwxrwxrwx 1 root root     57 12月  2 15:18  UCA_Global_G2_Root.pem -> /usr/share/ca-certificates/mozilla/UCA_Global_G2_Root.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  emSign_ECC_Root_CA_-_C3.pem -> /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt
lrwxrwxrwx 1 root root     62 12月  2 15:18  emSign_ECC_Root_CA_-_G3.pem -> /usr/share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  emSign_Root_CA_-_C1.pem -> /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  emSign_Root_CA_-_G1.pem -> /usr/share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt
lrwxrwxrwx 1 root root     65 12月  2 15:18  lets-encrypt-r3-cross-signed.pem -> /usr/share/ca-certificates/extra/lets-encrypt-r3-cross-signed.crt
lrwxrwxrwx 1 root root     74 12月  2 15:18  VeriSignClass3ExtendedValidationSSLCA.pem -> /usr/share/ca-certificates/extra/VeriSignClass3ExtendedValidationSSLCA.crt
lrwxrwxrwx 1 root root     84 12月  2 15:18  Microsoft_ECC_Root_Certificate_Authority_2017.pem -> /usr/share/ca-certificates/mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt
lrwxrwxrwx 1 root root     84 12月  2 15:18  Microsoft_RSA_Root_Certificate_Authority_2017.pem -> /usr/share/ca-certificates/mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt
lrwxrwxrwx 1 root root     80 12月  2 15:18  NAVER_Global_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/NAVER_Global_Root_Certification_Authority.crt
lrwxrwxrwx 1 root root     79 12月  2 15:18  Trustwave_Global_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Trustwave_Global_Certification_Authority.crt
lrwxrwxrwx 1 root root     88 12月  2 15:18  Trustwave_Global_ECC_P256_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt
lrwxrwxrwx 1 root root     88 12月  2 15:18  Trustwave_Global_ECC_P384_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt
lrwxrwxrwx 1 root root     58 12月  2 15:18  certSIGN_Root_CA_G2.pem -> /usr/share/ca-certificates/mozilla/certSIGN_Root_CA_G2.crt
lrwxrwxrwx 1 root root     60 12月  2 15:18  e-Szigno_Root_CA_2017.pem -> /usr/share/ca-certificates/mozilla/e-Szigno_Root_CA_2017.crt
-rw-r--r-- 1 root root 201312 12月  2 15:18  ca-certificates.crt
lrwxrwxrwx 1 root root     49 12月  2 15:18  ff34af3f.0 -> TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
lrwxrwxrwx 1 root root     19 12月  2 15:18  fe8a2cd8.0 -> SZAFIR_ROOT_CA2.pem
lrwxrwxrwx 1 root root     41 12月  2 15:18  fc5a8f99.0 -> USERTrust_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  f51bb24c.0 -> Certigna_Root_CA.pem
lrwxrwxrwx 1 root root     18 12月  2 15:18  f39fc864.0 -> SecureTrust_CA.pem
lrwxrwxrwx 1 root root     24 12月  2 15:18  f387163d.0 -> Starfield_Class_2_CA.pem
lrwxrwxrwx 1 root root     34 12月  2 15:18  f3377b1b.0 -> Security_Communication_Root_CA.pem
lrwxrwxrwx 1 root root     41 12月  2 15:18  f30dd6ad.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     44 12月  2 15:18  f249de83.0 -> Trustwave_Global_Certification_Authority.pem
lrwxrwxrwx 1 root root     47 12月  2 15:18  f0c70a8d.0 -> SSL.com_EV_Root_Certification_Authority_ECC.pem
lrwxrwxrwx 1 root root     23 12月  2 15:18  f081611a.0 -> Go_Daddy_Class_2_CA.pem
lrwxrwxrwx 1 root root     34 12月  2 15:18  ef954a4e.0 -> IdenTrust_Commercial_Root_CA_1.pem
lrwxrwxrwx 1 root root     38 12月  2 15:18  eed8c118.0 -> COMODO_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     28 12月  2 15:18  ee64a828.0 -> Comodo_AAA_Services_root.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  e8de2f56.0 -> Buypass_Class_3_Root_CA.pem
lrwxrwxrwx 1 root root     25 12月  2 15:18  e868b802.0 -> e-Szigno_Root_CA_2017.pem
lrwxrwxrwx 1 root root     35 12月  2 15:18  e73d606e.0 -> OISTE_WISeKey_Global_Root_GB_CA.pem
lrwxrwxrwx 1 root root     25 12月  2 15:18  e36a6752.0 -> Atos_TrustedRoot_2011.pem
lrwxrwxrwx 1 root root     25 12月  2 15:18  e18bfb83.0 -> QuoVadis_Root_CA_3_G3.pem
lrwxrwxrwx 1 root root     12 12月  2 15:18  e113c810.0 -> Certigna.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  de6d66f3.0 -> Amazon_Root_CA_4.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  dd8e9d41.0 -> DigiCert_Global_Root_G3.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  dc4d6a89.0 -> GlobalSign_Root_CA_-_R6.pem
lrwxrwxrwx 1 root root     53 12月  2 15:18  d887a5bb.0 -> Trustwave_Global_ECC_P384_Certification_Authority.pem
lrwxrwxrwx 1 root root     23 12月  2 15:18  d853d49e.0 -> Trustis_FPS_Root_CA.pem
lrwxrwxrwx 1 root root     22 12月  2 15:18  d7e8dc79.0 -> QuoVadis_Root_CA_2.pem
lrwxrwxrwx 1 root root     38 12月  2 15:18  d6325660.0 -> COMODO_RSA_Certification_Authority.pem
lrwxrwxrwx 1 root root     37 12月  2 15:18  d4dae3dd.0 -> D-TRUST_Root_Class_3_CA_2_EV_2009.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  ce5e74ef.0 -> Amazon_Root_CA_1.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  cd8c0d63.0 -> AC_RAIZ_FNMT-RCM.pem
lrwxrwxrwx 1 root root     34 12月  2 15:18  cd58d51e.0 -> Security_Communication_RootCA2.pem
lrwxrwxrwx 1 root root     14 12月  2 15:18  cc450945.0 -> Izenpe.com.pem
lrwxrwxrwx 1 root root     44 12月  2 15:18  cbf06781.0 -> Go_Daddy_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root     37 12月  2 15:18  ca6e4ad9.0 -> ePKI_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     36 12月  2 15:18  c47d9980.0 -> Chambers_of_Commerce_Root_-_2008.pem
lrwxrwxrwx 1 root root     34 12月  2 15:18  c28a8a30.0 -> D-TRUST_Root_Class_3_CA_2_2009.pem
lrwxrwxrwx 1 root root     22 12月  2 15:18  c01eb047.0 -> UCA_Global_G2_Root.pem
lrwxrwxrwx 1 root root     49 12月  2 15:18  bf53fb88.0 -> Microsoft_RSA_Root_Certificate_Authority_2017.pem
lrwxrwxrwx 1 root root     37 12月  2 15:18  b7a5b843.0 -> TWCA_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     23 12月  2 15:18  b727005e.0 -> AffirmTrust_Premium.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  b66938e9.0 -> Secure_Global_CA.pem
lrwxrwxrwx 1 root root     31 12月  2 15:18  b1159c4c.0 -> DigiCert_Assured_ID_Root_CA.pem
lrwxrwxrwx 1 root root     31 12月  2 15:18  b0e59380.0 -> GlobalSign_ECC_Root_CA_-_R4.pem
lrwxrwxrwx 1 root root     45 12月  2 15:18  aee5f10d.0 -> Entrust.net_Premium_2048_Secure_Server_CA.pem
lrwxrwxrwx 1 root root     13 12月  2 15:18  a94d09e5.0 -> ACCVRAIZ1.pem
lrwxrwxrwx 1 root root     15 12月  2 15:18  a3418fda.0 -> GTS_Root_R4.pem
lrwxrwxrwx 1 root root     31 12月  2 15:18  9d04f354.0 -> DigiCert_Assured_ID_Root_G2.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  9c8dfbd4.0 -> AffirmTrust_Premium_ECC.pem
lrwxrwxrwx 1 root root     26 12月  2 15:18  9c2e7d30.0 -> Sonera_Class_2_Root_CA.pem
lrwxrwxrwx 1 root root     53 12月  2 15:18  9b5697b0.0 -> Trustwave_Global_ECC_P256_Certification_Authority.pem
lrwxrwxrwx 1 root root     48 12月  2 15:18  988a38cb.0 -> 'NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem'
lrwxrwxrwx 1 root root     26 12月  2 15:18  93bc0acc.0 -> AffirmTrust_Networking.pem
lrwxrwxrwx 1 root root     34 12月  2 15:18  930ac5d2.0 -> Actalis_Authentication_Root_CA.pem
lrwxrwxrwx 1 root root     49 12月  2 15:18  8d89cda1.0 -> Microsoft_ECC_Root_Certificate_Authority_2017.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  8d86cdd1.0 -> certSIGN_ROOT_CA.pem
lrwxrwxrwx 1 root root     32 12月  2 15:18  8d33f237.0 -> lets-encrypt-r3-cross-signed.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  8cb5ee0f.0 -> Amazon_Root_CA_3.pem
lrwxrwxrwx 1 root root     34 12月  2 15:18  8160b96c.0 -> Microsec_e-Szigno_Root_CA_2009.pem
lrwxrwxrwx 1 root root     31 12月  2 15:18  7f3d5d1d.0 -> DigiCert_Assured_ID_Root_G3.pem
lrwxrwxrwx 1 root root     18 12月  2 15:18  7aaf71c0.0 -> TrustCor_ECA-1.pem
lrwxrwxrwx 1 root root     35 12月  2 15:18  773e07ad.0 -> OISTE_WISeKey_Global_Root_GC_CA.pem
lrwxrwxrwx 1 root root     63 12月  2 15:18  7719f463.0 -> Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
lrwxrwxrwx 1 root root     22 12月  2 15:18  76faf6c0.0 -> QuoVadis_Root_CA_3.pem
lrwxrwxrwx 1 root root     26 12月  2 15:18  76cb8f92.0 -> Cybertrust_Global_Root.pem
lrwxrwxrwx 1 root root     28 12月  2 15:18  75d1b2ed.0 -> DigiCert_Trusted_Root_G4.pem
lrwxrwxrwx 1 root root     25 12月  2 15:18  749e9e03.0 -> QuoVadis_Root_CA_1_G3.pem
lrwxrwxrwx 1 root root     24 12月  2 15:18  706f604c.0 -> XRamp_Global_CA_Root.pem
lrwxrwxrwx 1 root root     44 12月  2 15:18  6fa5da56.0 -> SSL.com_Root_Certification_Authority_RSA.pem
lrwxrwxrwx 1 root root     41 12月  2 15:18  6e7f22c1.0 -> VeriSignClass3ExtendedValidationSSLCA.pem
lrwxrwxrwx 1 root root     20 12月  2 15:18  6d41d539.0 -> Amazon_Root_CA_2.pem
lrwxrwxrwx 1 root root     40 12月  2 15:18  6b99d060.0 -> Entrust_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  68dd7389.0 -> Hongkong_Post_Root_CA_3.pem
lrwxrwxrwx 1 root root     29 12月  2 15:18  653b494a.0 -> Baltimore_CyberTrust_Root.pem
lrwxrwxrwx 1 root root     15 12月  2 15:18  626dceaf.0 -> GTS_Root_R2.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  607986c7.0 -> DigiCert_Global_Root_G2.pem
lrwxrwxrwx 1 root root     23 12月  2 15:18  5f618aec.0 -> certSIGN_Root_CA_G2.pem
lrwxrwxrwx 1 root root     23 12月  2 15:18  5f15c80c.0 -> TWCA_Global_Root_CA.pem
lrwxrwxrwx 1 root root     45 12月  2 15:18  5e98733a.0 -> Entrust_Root_Certification_Authority_-_G4.pem
lrwxrwxrwx 1 root root     26 12月  2 15:18  5d3033c5.0 -> TrustCor_RootCert_CA-1.pem
lrwxrwxrwx 1 root root     26 12月  2 15:18  5cd81ad7.0 -> TeliaSonera_Root_CA_v1.pem
lrwxrwxrwx 1 root root     22 12月  2 15:18  5ad8a5d6.0 -> GlobalSign_Root_CA.pem
lrwxrwxrwx 1 root root     38 12月  2 15:18  5a4d6896.0 -> Staat_der_Nederlanden_Root_CA_-_G3.pem
lrwxrwxrwx 1 root root     28 12月  2 15:18  57bcb2da.0 -> SwissSign_Silver_CA_-_G2.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  54657681.0 -> Buypass_Class_2_Root_CA.pem
lrwxrwxrwx 1 root root     32 12月  2 15:18  5443e9e3.0 -> T-TeleSec_GlobalRoot_Class_3.pem
lrwxrwxrwx 1 root root     35 12月  2 15:18  5273a94c.0 -> E-Tugra_Certification_Authority.pem
lrwxrwxrwx 1 root root     26 12月  2 15:18  4f316efb.0 -> SwissSign_Gold_CA_-_G2.pem
lrwxrwxrwx 1 root root     45 12月  2 15:18  4bfab552.0 -> Starfield_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  4b718d9b.0 -> emSign_ECC_Root_CA_-_C3.pem
lrwxrwxrwx 1 root root     27 12月  2 15:18  4a6481c9.0 -> GlobalSign_Root_CA_-_R2.pem
lrwxrwxrwx 1 root root     29 12月  2 15:18  48bec511.0 -> Certum_Trusted_Network_CA.pem
lrwxrwxrwx 1 root root     43 12月  2 15:18  4304c5e5.0 -> Network_Solutions_Certificate_Authority.pem
lrwxrwxrwx 1 root root     23 12ๆœˆ  2 15:18  406c9bb1.0 -> emSign_Root_CA_-_C1.pem
lrwxrwxrwx 1 root root     34 12ๆœˆ  2 15:18  40547a79.0 -> COMODO_Certification_Authority.pem
lrwxrwxrwx 1 root root     16 12ๆœˆ  2 15:18  4042bcee.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root     31 12ๆœˆ  2 15:18  40193066.0 -> Certum_Trusted_Network_CA_2.pem
lrwxrwxrwx 1 root root     45 12ๆœˆ  2 15:18  3fb36b73.0 -> NAVER_Global_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root     27 12ๆœˆ  2 15:18  3e45d192.0 -> Hongkong_Post_Root_CA_1.pem
lrwxrwxrwx 1 root root     26 12ๆœˆ  2 15:18  3e44d2f7.0 -> TrustCor_RootCert_CA-2.pem
lrwxrwxrwx 1 root root     61 12ๆœˆ  2 15:18  3bde41ac.0 -> Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
lrwxrwxrwx 1 root root     27 12ๆœˆ  2 15:18  3513523f.0 -> DigiCert_Global_Root_CA.pem
lrwxrwxrwx 1 root root     10 12ๆœˆ  2 15:18  349f2832.0 -> EC-ACC.pem
lrwxrwxrwx 1 root root     59 12ๆœˆ  2 15:18  32888f65.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
lrwxrwxrwx 1 root root     18 12ๆœˆ  2 15:18  2e5ac55d.0 -> DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root     26 12ๆœˆ  2 15:18  2b349938.0 -> AffirmTrust_Commercial.pem
lrwxrwxrwx 1 root root     20 12ๆœˆ  2 15:18  2ae6433e.0 -> CA_Disig_Root_R2.pem
lrwxrwxrwx 1 root root     23 12ๆœˆ  2 15:18  2923b3f9.0 -> emSign_Root_CA_-_G1.pem
lrwxrwxrwx 1 root root     38 12ๆœˆ  2 15:18  244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
lrwxrwxrwx 1 root root     32 12ๆœˆ  2 15:18  1e09d511.0 -> T-TeleSec_GlobalRoot_Class_2.pem
lrwxrwxrwx 1 root root     37 12ๆœˆ  2 15:18  1e08bfd1.0 -> IdenTrust_Public_Sector_Root_CA_1.pem
lrwxrwxrwx 1 root root     31 12ๆœˆ  2 15:18  1d3472b9.0 -> GlobalSign_ECC_Root_CA_-_R5.pem
lrwxrwxrwx 1 root root     23 12ๆœˆ  2 15:18  18856ac4.0 -> SecureSign_RootCA11.pem
lrwxrwxrwx 1 root root     59 12ๆœˆ  2 15:18  1636090b.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
lrwxrwxrwx 1 root root     27 12ๆœˆ  2 15:18  14bc7599.0 -> emSign_ECC_Root_CA_-_G3.pem
lrwxrwxrwx 1 root root     46 12ๆœˆ  2 15:18  106f3e4d.0 -> Entrust_Root_Certification_Authority_-_EC1.pem
lrwxrwxrwx 1 root root     15 12ๆœˆ  2 15:18  1001acf7.0 -> GTS_Root_R1.pem
lrwxrwxrwx 1 root root     26 12ๆœˆ  2 15:18  0f6fa695.0 -> GDCA_TrustAUTH_R5_ROOT.pem
lrwxrwxrwx 1 root root     32 12ๆœˆ  2 15:18  0f5dc4f3.0 -> UCA_Extended_Validation_Root.pem
lrwxrwxrwx 1 root root     34 12ๆœˆ  2 15:18  0c4c9b6c.0 -> Global_Chambersign_Root_-_2008.pem
lrwxrwxrwx 1 root root     44 12ๆœˆ  2 15:18  0bf05006.0 -> SSL.com_Root_Certification_Authority_ECC.pem
lrwxrwxrwx 1 root root     16 12ๆœˆ  2 15:18  0b1b94ef.0 -> CFCA_EV_ROOT.pem
lrwxrwxrwx 1 root root     15 12ๆœˆ  2 15:18  0a775a30.0 -> GTS_Root_R3.pem
lrwxrwxrwx 1 root root     54 12ๆœˆ  2 15:18  09789157.0 -> Starfield_Services_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root     20 12ๆœˆ  2 15:18  080911ac.0 -> QuoVadis_Root_CA.pem
lrwxrwxrwx 1 root root     50 12ๆœˆ  2 15:18  06dc52d5.0 -> SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
lrwxrwxrwx 1 root root     25 12ๆœˆ  2 15:18  064e0aa9.0 -> QuoVadis_Root_CA_2_G3.pem
lrwxrwxrwx 1 root root     27 12ๆœˆ  2 15:18  062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem
lrwxrwxrwx 1 root root     36 12ๆœˆ  2 15:18  03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root     45 12ๆœˆ  2 15:18  02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem

While OpenSSL 1.1.1 should work with both ISRG Root X1 and the now expired DST Root CA X3 in your ca-certificates file, for some reason it doesn't seem to work (you have both still in your root certificate store).

Since ca-certificates version 20211004 the DST Root CA X3 is "blacklisted", see the changelog.

A solution could be to manually remove or blacklist the DST Root CA X3 certificate from your root certificate store. I believe this can be done by adding a ! in front of the DST Root CA X3 entry in /etc/ca-certificates.conf and afterwards running update-ca-certificates again.

2 Likes

Gave this a try, but nothing has changed.
All the errors that have been there are still there.
I even tried a reboot of the server, and it didn't help (though at least it cleaned up some RAM and CPU usage).

In your list of root certs you showed this - what is that? I doubt you need it, and if it is the old R3 it could be a problem.

lrwxrwxrwx 1 root root     65 12月  2 15:18  lets-encrypt-r3-cross-signed.pem -> /usr/share/ca-certificates/extra/lets-encrypt-r3-cross-signed.crt

Could you show:

trust list | grep R3

You will see GTS and GlobalSign.

6 Likes

Wow, good catch!
I verified this on other Debian servers, and the mail server seems to be the only one that has it.

As for "trust list | grep R3":

trust list | grep R3
zsh: command not found: trust

But I just commented out both certificates in the "/usr/share/ca-certificates/extra" folder (and by that I mean commented out in the "/etc/ca-certificates.conf" file), which is a folder that only exists on the mail server, and updated the CA certificates as suggested last evening (currently night time), and I successfully renewed my certificate now!
Thanks!

2 Likes

Something that never should have been added to the root certificate store in the first place :wink:

4 Likes
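
The deselection step suggested and then applied in this thread, as an added example that is not part of the original posts: it reads a /etc/ca-certificates.conf-style file, lists active entries that do not come from the packaged mozilla/ directory, and prefixes the unwanted entries with !. The sample file content is constructed and the function names are hypothetical.

```python
"""Audit and edit a Debian-style ca-certificates.conf (added example)."""

# Constructed sample: entry names follow the thread, the layout is assumed.
SAMPLE_CONF = """\
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
!mozilla/Cybertrust_Global_Root.crt
extra/lets-encrypt-r3-cross-signed.crt
"""


def parse_conf(text):
    """Yield (lineno, entry, active) for every certificate line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        active = not line.startswith("!")
        yield lineno, line.lstrip("!").strip(), active


def local_additions(text, packaged_dirs=("mozilla",)):
    """Active entries that were not shipped in the distribution's bundle."""
    return [entry for _, entry, active in parse_conf(text)
            if active and entry.split("/", 1)[0] not in packaged_dirs]


def deselect(text, unwanted):
    """Prefix '!' to active entries whose file stem is in `unwanted`."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        stem = line.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        if line and line[0] not in "#!" and stem in unwanted:
            raw = "!" + line
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("local additions:", local_additions(SAMPLE_CONF))
    unwanted = {"DST_Root_CA_X3", "lets-encrypt-r3-cross-signed"}
    print(deselect(SAMPLE_CONF, unwanted), end="")
```

After writing the edited text back to the real file, update-ca-certificates has to be run again so that /etc/ssl/certs is rebuilt from it.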
