Debian Testing: Curl: (60) SSL certificate problem: unable to get local issuer certificate https://valid-isrgrootx1.letsencrypt.org/

Hi

Curl and Lynx and a bunch of other apps on my Debian Testing can't seem to be able to access
letsencrypt.org sites and some other LE certificate sites. I tried disabling the DST certs

!mozilla/DST_ACES_CA_X6.crt
!mozilla/DST_Root_CA_X3.crt

Then I did update-ca-certificates but that did not help. What else can I try?

curl https://valid-isrgrootx1.letsencrypt.org/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Does your trust store have ISRG Root X1 in it?

Are you able to use wget instead of curl, import the root certificate, then run update-ca-certificates?

wget https://letsencrypt.org/certs/isrgrootx1.der

Are you able to use Firefox to access https://letsencrypt.org? If so you could try the "Convert from your local Firefox installation" method here: curl - Extract CA Certs from Mozilla

Hi,

This is a server, it does not have desktop running.

 wget https://letsencrypt.org/certs/isrgrootx1.der
--2021-10-02 00:10:13--  https://letsencrypt.org/certs/isrgrootx1.der
Resolving letsencrypt.org (letsencrypt.org)... 67.207.81.229, 161.35.60.200, 2604:a880:400:d0::1b6b:7001, ...
Connecting to letsencrypt.org (letsencrypt.org)|67.207.81.229|:443... connected.
ERROR: The certificate of ‘letsencrypt.org’ is not trusted.
ERROR: The certificate of ‘letsencrypt.org’ doesn't have a known issuer.


Which version of OpenSSL is that server using?

uname -ra
Linux 5.9.0-5-amd64 #1 SMP Debian 5.9.15-1 (2020-12-17) x86_64 GNU/Linux
openssl version
OpenSSL 1.1.1l  24 Aug 2021

Well OpenSSL is new enough...
It must have something to do with ca-certificates
I'm not sure how things get Debianed, but if it apts...
First:
sudo apt update
sudo apt-get update
[yeah both]
Then update your ca-certs.

1 Like
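
The question raised in the thread, whether the trust store has ISRG Root X1 in it, can be answered from the shell. The script below is an added example and not part of any post above; it assumes the Debian ca-certificates default paths /etc/ca-certificates.conf and /etc/ssl/certs, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: inspect a Debian ca-certificates configuration.
# CONF and CERTDIR are the package defaults (an assumption, not shown in the thread).
CONF=${CONF:-/etc/ca-certificates.conf}
CERTDIR=${CERTDIR:-/etc/ssl/certs}
ISRG=mozilla/ISRG_Root_X1.crt

# cert_state FILE ENTRY: print how ENTRY is listed in FILE.
#   selected   - listed as-is, so update-ca-certificates installs it
#   deselected - listed with a leading "!", as done for the DST roots in the thread
#   missing    - not listed at all (or FILE is unreadable)
cert_state() {
    if grep -qxF -- "$2" "$1" 2>/dev/null; then
        echo selected
    elif grep -qxF -- "!$2" "$1" 2>/dev/null; then
        echo deselected
    else
        echo missing
    fi
}

# deselected_entries FILE: print every entry disabled with "!", without the "!".
deselected_entries() {
    sed -n 's/^!//p' "$1" 2>/dev/null
}

# report FILE DIR: summarise the state; non-zero status if ISRG Root X1 is unusable.
report() {
    state=$(cert_state "$1" "$ISRG")
    echo "ISRG Root X1 in $1: $state"
    echo "Deselected entries:"
    deselected_entries "$1" | sed 's/^/  /'
    # update-ca-certificates links each selected .crt into DIR as <name>.pem
    pem="$2/$(basename "$ISRG" .crt).pem"
    if [ -e "$pem" ]; then
        echo "Installed: $pem"
    else
        echo "Not installed: $pem"
    fi
    [ "$state" = selected ] && [ -e "$pem" ]
}

report "$CONF" "$CERTDIR" || echo "ISRG Root X1 is not active in this trust store"
```

A "deselected" or "missing" result means update-ca-certificates will not install the root until the entry is listed without the leading "!".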
