Score:1

Certificate problems since Let's Encrypt's CA expired a few days ago

mp flag

I'm running a Debian 10 server and I can't connect to other machines using Let's Encrypt certificates anymore since LE's CA (DST Root CA X3) expired a few days ago:

root#> curl -I https://example.com
curl: (60) SSL certificate problem: certificate has expired

What I've done so far:

  • I updated the ca-certificates package
  • I installed libgnutls-openssl27 and libgnutls30
  • I ran the update-ca-certificates command.

Still, the server is not able to establish a trusted connection to the target host. The LE certificate on the target host is fine, there are no SSL errors when I trigger curl from any other hosts.

How can I solve this problem and establish a trusted SSL connection? Any help would be highly appreciated, thanks in advance!

Alexander Tolkachev avatar
sa flag
You should check the certificate on the remote host, just to clarify the issue. You could do it with openssl.
manifestor avatar
mp flag
@AlexanderTolkachev Please read my question, I've done that. Thanks anyway.
Alexander Tolkachev avatar
sa flag
The `curl` error is related to the certificate. There could be some issues with it. You should check the certificate state directly from the machine where you have the problem.
in flag
@manifestor curl doesn't give you enough detail to find the problem. You need to use something like the openssl binary to get the full certificate chain. Try something like this `</dev/null openssl s_client -connect example.org:443`.
Score:2
ro flag

Disable the "DST Root CA X3" certificate on your server. Run:

sudo dpkg-reconfigure ca-certificates

On the first screen that prompts "Trust new certificates from certificate authorities?" choose "yes". On the next screen press the down arrow key on your keyboard until you find mozilla/DST_Root_CA_X3.crt, press the space bar to deselect it (the [*] should turn into [ ]) and press Enter.

Score:0
mp flag

The symlink CA certificate of the new Let's Encrypt CA was missing in /etc/ssl/certs and it was commented out in /etc/ca-certificates.conf. I created it by running:

cd /etc/ssl/certs && ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt ISRG_Root_X1.pem

Everything has been working fine since then. You can run dpkg-reconfigure ca-certificates to activate it as well.
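
A read-only check of the two conditions the answers above change (DST Root CA X3 deselected, ISRG Root X1 enabled and linked), as an added example that is not part of the original answers. The function names and the sample files are constructed for illustration; it assumes the ca-certificates.conf convention that a leading `!` deselects an entry and a leading `#` is a comment.

```shell
#!/bin/sh
# State of one entry in a ca-certificates.conf-style file:
# enabled | deselected ("!" prefix) | commented ("#" prefix) | absent
ca_conf_state() {
    awk -v e="$2" '
        $0 == e         { s = "enabled" }
        $0 == ("!" e)   { s = "deselected" }
        /^#/ { l = $0; sub(/^#[ \t]*/, "", l); if (l == e && s == "") s = "commented" }
        END  { print (s == "" ? "absent" : s) }
    ' "$1"
}

# Return 0 only if DST Root CA X3 is not enabled, ISRG Root X1 is enabled,
# and the ISRG_Root_X1.pem link in the certs directory resolves to a file.
check_le_trust() {
    conf=$1; certs=$2; rc=0
    dst=$(ca_conf_state "$conf" mozilla/DST_Root_CA_X3.crt)
    isrg=$(ca_conf_state "$conf" mozilla/ISRG_Root_X1.crt)
    echo "DST_Root_CA_X3: $dst, ISRG_Root_X1: $isrg"
    [ "$dst" != enabled ] || { echo "  expired DST Root CA X3 still selected"; rc=1; }
    [ "$isrg" = enabled ] || { echo "  ISRG Root X1 not enabled in $conf"; rc=1; }
    [ -e "$certs/ISRG_Root_X1.pem" ] || { echo "  $certs/ISRG_Root_X1.pem missing or dangling"; rc=1; }
    return $rc
}

# Constructed sample: the state described in the question, then the fixed state.
demo() {
    d=$(mktemp -d) && mkdir "$d/certs"
    printf '%s\n' 'mozilla/DST_Root_CA_X3.crt' '#mozilla/ISRG_Root_X1.crt' > "$d/conf"
    check_le_trust "$d/conf" "$d/certs" && before=ok || before=broken
    printf '%s\n' '!mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$d/conf"
    : > "$d/ISRG_Root_X1.crt"            # placeholder file, not a real certificate
    ln -s "$d/ISRG_Root_X1.crt" "$d/certs/ISRG_Root_X1.pem"
    check_le_trust "$d/conf" "$d/certs" && after=ok || after=broken
    rm -rf "$d"
    echo "before: $before, after: $after"
}
demo
```

On a real host the call would be `check_le_trust /etc/ca-certificates.conf /etc/ssl/certs`; it only reads, so changes still go through dpkg-reconfigure ca-certificates or update-ca-certificates.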
