Problem with E1 (ISRG Root X2), PHP CURL

Hi there,

I'm stuck for a few days to solve this issue and ended here.

The problem is, all of my domain with SSL E1 (ISRG Root X2) can't be accessed with PHP curl() from client server (other server), it give 403 error or empty string.
But the client curl() can access my sub domain with SSL R3 (ISRG Root X1), working well and no issues as I know.

It use same server, just different SSL CN, the SSL is generated automatically by webpanel HestiaCP, so I do nothing about it, just let the webpanel do it automatically.

Is there any way to solve it? or how to switch all domain SSL to R3 ?

My domain is: (E1, the problem), (R3)

I ran this command:

It produced this output:

My web server is (include version): LAMP with HestiaCp

The operating system my web server runs on is (include version): Ubuntu 18

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): HestiaCP or VestaCP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Do you have ISRG Root X1 in your trust store?

You should install it. And X2 for good measure.


sudo apt update
sudo apt upgrade


Indeed, both roots should be there.


I already install it with the help of chatgpt, maybe it give me a wrong instructions, any guide ling related to root certificate installation? specially for lets encrypt

Thanks for the link, but IDK how to do with it

1 Like

Thanks for the reply, Still not solve my issue

1 Like
sudo apt update
sudo apt upgrade ca-certificates

and don't use chatgpt for this.


You may have to run dpkg-reconfigure ca-certificates and look through the list to make sure the X2 certificate is checked.

I'm unsure of the cause but out of about 8 systems, I had one where X1 was checked but not X2. And another where literally nothing was checked... that one took quite a while to fix....

also update-ca-certificates but it should run automatically when you exit the dpkg-reconfigure ca-certificates


Thanks for the reply, strangely, both root x1 and root x2 is exist and checked. but the SSL in php curl() still invalid

1 Like

show us the output of

openssl version


These responses indicate that this is not an SSL issue. You need to figure out why your server is denying access or sending no content.

Since you are using Cloudflare, you may want to check the firewall logs in your Cloudflare dashboard. You may also want to visit the Cloudflare Community.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.