cURL Let's Encrypt ISRG Root X1 certificate issue
Does anybody know why this difference happens:
[CODE=bash]-bash-4.2# curl -I -v https://valid-isrgrootx1.letsencrypt.org/
* About to connect() to valid-isrgrootx1.letsencrypt.org port 443 (#0)
* Trying 52.9.173.94...
* Connected to valid-isrgrootx1.letsencrypt.org (52.9.173.94) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=valid-isrgrootx1.letsencrypt.org
* start date: Aug 04 15:00:08 2021 GMT
* expire date: Nov 02 15:00:06 2021 GMT
* common name: valid-isrgrootx1.letsencrypt.org
* issuer: CN=R3,O=Let's Encrypt,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: valid-isrgrootx1.letsencrypt.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Fri, 01 Oct 2021 10:00:04 GMT
Date: Fri, 01 Oct 2021 10:00:04 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 4067
Content-Length: 4067
< Last-Modified: Mon, 09 Aug 2021 23:45:57 GMT
Last-Modified: Mon, 09 Aug 2021 23:45:57 GMT
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< ETag: "6111be35-fe3"
ETag: "6111be35-fe3"
< Strict-Transport-Security: max-age=604800
Strict-Transport-Security: max-age=604800
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host valid-isrgrootx1.letsencrypt.org left intact
[/CODE]
vs.:
[CODE=bash]-bash-4.2# /opt/cpanel/libcurl/bin/curl -I -v https://valid-isrgrootx1.letsencrypt.org/
* Trying 52.9.173.94:443...
* Connected to valid-isrgrootx1.letsencrypt.org (52.9.173.94) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[/CODE]
I did update the root certificates already:
[CODE=bash]-bash-4.2# curl https://curl.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust
[/CODE]
How to resolve the issue with the cPanel compiled version of cURL?
Hey there! There isn't an issue with the cPanel version of Curl, so there's likely another explanation. Could you let us know the operating system and default PHP version setup on the system?
CentOS 7, PHP8
Thanks for that - I'm not able to reproduce, so I'm wondering if there is an issue with OpenSSL or some other problem on that particular machine. Could you open a ticket with our team so we can take a look? If you are able to do that, please post the ticket number here so I can follow along and make sure this thread gets updated.
Thanks for having a look. Ticket was created: #94368921
Thanks for that - I'm following along with that on my end now.
Fixed after removing a custom uploaded certificate and running update-ca-trust afterwards
I'm glad we were able to help get that resolved!
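The fix in this thread came down to locating one problem file in the trust store. As an added example (not code from the thread or from cPanel), the helper below lists certificates in a PEM file or directory that are expired or close to expiry. It assumes the `openssl` CLI is installed; the function names `audit_pem` and `audit_dir` are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag trust-store certificates at or near expiry.

# audit_pem FILE [HORIZON_SECONDS]
# Prints "FILE#N<TAB>notAfter<TAB>subject" for every certificate in FILE that
# expires within HORIZON seconds (default 0 = already expired) or cannot be
# parsed. Returns 1 if anything was flagged, 0 otherwise.
audit_pem() {
    local file="$1" horizon="${2:-0}" tmp part n=0 flagged=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%05d.pem", dir, ++i) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$file"
    for part in "$tmp"/*.pem; do
        [ -e "$part" ] || continue
        n=$((n + 1))
        # -checkend exits non-zero if the certificate expires within $horizon s.
        if ! openssl x509 -in "$part" -noout -checkend "$horizon" >/dev/null 2>&1; then
            flagged=1
            printf '%s#%d\t%s\t%s\n' "$file" "$n" \
                "$(openssl x509 -in "$part" -noout -enddate 2>/dev/null | cut -d= -f2-)" \
                "$(openssl x509 -in "$part" -noout -subject 2>/dev/null)"
        fi
    done
    rm -rf "$tmp"
    return "$flagged"
}

# audit_dir DIR [HORIZON_SECONDS]: run audit_pem over every regular file in DIR.
audit_dir() {
    local dir="$1" horizon="${2:-0}" rc=0 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        audit_pem "$f" "$horizon" || rc=1
    done
    return "$rc"
}
```

On the system from the thread this would be run as `audit_dir /etc/pki/ca-trust/source/anchors` and `audit_pem /etc/pki/tls/certs/ca-bundle.crt`; after removing a flagged custom file, `update-ca-trust` rebuilds the bundle.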