Curl: (60) SSL certificate problem: certificate has expired

Hey,
I would like to ask you for help.
Yesterday everythink worked ok. Today it is not working.

From today, when I make command: curl url (where url is any domain with Let's encrypt certificate)
I am getting this error:
curl: (60) SSL certificate problem: certificate has expired
More details here: curl - SSL CA Certificates

I read that it is not serving intermediate certificates. But how to fix it please?
I am using headless Debian.
P.S. I really have no idea why it is not working from today. I did not make any manual change on Debian. It just happens from today.

Many thanks in advance.

2 Likes

@lelelele Welcome to the community

You can read this topic for why you are seeing this problem now:

Not all sites or clients that use Lets Encrypt certs are affected. The ones affected are mostly poorly configured or older versions. Servers have the option of sending various certs and chains.

Better advice could be given if you provide a specific example of a curl that is failing.

But, a very rough guess is that your headless Debian does not trust the ISRG Root X1 certificate. You could try updating your CA certificate store. I am sorry but I am not familiar enough with Debian to describe that.

2 Likes

Hi @lelelele welcome to the LE community forum :slight_smile:

The document @MikeMcQ provided does a good job of explaining things.
But it mentions that OpenSSL 1.1 or greater is required.
Well... there has been a recent update to that; And now some older versions of OpenSSL can be patched to also work as well. For that, see: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog
and also read through this post that includes some more technical details (like that one):
Production Chain Changes - API Announcements - Let's Encrypt Community Support (letsencrypt.org)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.