cURL fail on letsencrypt certs

When performing a cURL request using the code below,

<?php
$ch = curl_init();

// set url 
curl_setopt($ch, CURLOPT_URL, "https://letsencrypt.org/");

// return the transfer as a string instead of printing it 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

// write cURL's verbose log (TLS handshake, CA bundle path) to a file
$errorFile = dirname(__FILE__) . '/curl_error.txt';
$out       = fopen($errorFile, "w");
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_STDERR, $out);

// $output contains the response body, or false on failure 
$output = curl_exec($ch);
if ($output === false) {
    echo 'cURL error: ' . curl_error($ch) . PHP_EOL;
}

curl_close($ch);
fclose($out);

The response will be:

*   Trying 2406:da18:880:3801::c8:443...
* TCP_NODELAY set
* Connected to letsencrypt.org (2406:da18:880:3801::c8) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Applications/MAMP/Library/OpenSSL/cert.pem
  CApath: none
* SSL certificate problem: certificate has expired
* Closing connection 0

This does not happen on Amazon or Cloudflare issued certificates.

As you can easily replicate, it even happens on Let's Encrypt's own website.

How can we resolve this?

Hi @smileBeda, and welcome to the LE community forum :slight_smile:

What is that file?
Why are you trying to validate the certificate at https://letsencrypt.org/ using that script?

The script needs some "context".
How does one "run" that script?
It could be...
Pascal, Perl, PHP, Python ...
[and that's just some of the P's]

Sounds a bit like this issue, where the CA bundle is just wrong or out of date: MAMP - Naguel

You should check what version of MAMP you have installed as well.

It's possible that the certificate bundle (/Applications/MAMP/Library/OpenSSL/cert.pem) hasn't been updated in a long time, and doesn't get automatically updated.

It's also possible that the version of MAMP you have has a too-old version of OpenSSL.

I am not trying that, it is just what the response is.
I am running the code shared above in a local MAMP PHP 8 environment.
Nothing else is added to the code I shared in the opening comment, so I wouldn't know why this is done (and why it works with Amazon-issued certs or CF-issued certs, but not LE-issued certs).
The code I use is always the same; the response is not.

That is the "context" it needed.

Why - even if this were the case - would only LE certs be affected?
(Checking now about MAMP updates, but I am 99% sure it is up to date.)

Yes, that is a PHP 8 MAMP install - specifically 8.0.8, the only version supported by MAMP.
But it also happens on PHP 7.

The date of the cert.pem file.
Just recently Ubuntu updated ca-certificates.
These things happen quite often.
What is the date on that file?

Created 13 September 2021 at 17:08
But, that is just the file info. How could I check the actual cert date?
And again, I am kind of confused as to why this would only affect LE?
Isn't it using the same when certs are issued by CF or Amazon?
(Sorry, I am not that versed with these things, so it could be obvious :slight_smile: )

I don't know that you can check that date.
You could check the contents.
Try grepping it for:
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZ

Because the root certs for those other sites are in your file - the LE root cert must not be in there.

This returns ./certs/cacert.pem:MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UE
(thus, no result for that string in the actual cert.pem)

Assuming that file is the issue - is there any way to recreate it?
Would I just delete it and re-run MAMP/cURL?

The root cert that Let's Encrypt uses by default expired at the end of Sept 2021.

[But updated systems are aware of the new ISRG Root X1 root cert, which the intermediate certificates in the chain link to in preference to the expired chain.]

Two ways:

OK, so I would assume that cert is old (since it was added before the end of Sept 2021).

Remains how to renew it. Going to try what @rg305 suggested below :slight_smile:

You don't, the new chain links to ISRG Root X1 automatically if your CA certificates bundle is up to date.

It seems MAMP uses its own "bundle".

Perhaps copying ca-certificates.crt to that file/location can resolve the issue...
hmm...???

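
A helper script, added here as an example and not part of the thread or of MAMP, that turns the two checks discussed above into something repeatable: the grep for the first PEM line of ISRG Root X1 (the string quoted earlier in the thread), a listing of every certificate in the bundle with its notAfter date so an expired root such as the one that lapsed at the end of Sept 2021 stands out (this part needs the openssl CLI), and the copy-over of a current system bundle that rg305 suggests, done with a backup and a check that the replacement actually contains ISRG Root X1. The MAMP path is the one from the verbose log above; /etc/ssl/certs/ca-certificates.crt and the script name audit_bundle.sh are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from MAMP: audit a PEM CA bundle
# such as /Applications/MAMP/Library/OpenSSL/cert.pem (path from the thread)
# for the ISRG Root X1 root, list every cert's expiry, and optionally swap the
# stale bundle for a current one (e.g. /etc/ssl/certs/ca-certificates.crt,
# an assumed path) while keeping a backup.

# First base64 line of the ISRG Root X1 PEM, as quoted in the thread.
ISRG_ROOT_X1_LINE='MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZ'

# Exit 0 if the bundle contains ISRG Root X1, 1 otherwise.
bundle_has_isrg_root_x1() {
    grep -q "$ISRG_ROOT_X1_LINE" "$1"
}

# Print the number of certificates in a PEM bundle (0 for an empty file).
bundle_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Extract the i-th certificate (1-based) of a bundle as PEM text.
bundle_nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == want' "$1"
}

# Print "subject notAfter / OK|EXPIRED" for every cert. Needs the openssl
# CLI; "x509 -checkend 0" fails exactly when the cert has already expired.
bundle_list_certs() {
    n=$(bundle_cert_count "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        cert=$(bundle_nth_cert "$1" "$i")
        status=OK
        printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || status=EXPIRED
        info=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate | tr '\n' ' ')
        printf '%s/ %s\n' "$info" "$status"
        i=$((i + 1))
    done
}

# Replace bundle $1 with $2 after checking that $2 actually carries
# ISRG Root X1, keeping a timestamped backup of the old file next to it.
replace_bundle() {
    if ! bundle_has_isrg_root_x1 "$2"; then
        echo "refusing: $2 does not contain ISRG Root X1" >&2
        return 1
    fi
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" && cp "$2" "$1"
}

# Usage: sh audit_bundle.sh /Applications/MAMP/Library/OpenSSL/cert.pem [new-bundle]
if [ $# -ge 1 ]; then
    if bundle_has_isrg_root_x1 "$1"; then
        echo "$1: ISRG Root X1 present"
    else
        echo "$1: ISRG Root X1 MISSING - Let's Encrypt chains will not verify against it"
    fi
    bundle_list_certs "$1"
    if [ $# -ge 2 ]; then
        replace_bundle "$1" "$2"
    fi
fi
```

Run it with the bundle path alone to audit, and add a second path to replace the bundle. The `CAfile:` line in the verbose cURL log above is what tells you which file MAMP's libcurl actually reads, so point the script at that path rather than at whatever the system OpenSSL uses.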
The thing is, one really does not want to deal with these things when using MAMP
(and usually does not have to).

Like, for years I just used this... and now I would have to renew these myself?
That part I do not understand :slight_smile:

Perhaps this is something I need to report to MAMP?
(which is like throwing the issue into a deep, dark black hole, lol)

On the other hand, I understand this issue affects only my local, and would not appear online. Which is already quite a good feeling.