ERROR: cannot verify curl.se’s certificate, issued by “/C=US/O=Let’s Encrypt/CN=R3”:Issued certificate has expired.

When you run wget on a URL such as:

, you may get this error:

ERROR: cannot verify curl.se’s certificate, issued by “/C=US/O=Let’s Encrypt/CN=R3”:Issued certificate has expired.

This is because the server for this URL uses a certificate issued by Let's Encrypt, and wget cannot verify it. Why? wget uses OpenSSL to verify certificates, and OpenSSL uses the root certificates in /etc/pki/tls/certs/ca-bundle.crt to verify a website's certificate. The website's certificate chain ends at DST Root CA X3 (Digital Signature Trust Co.) as the root issuer. Open /etc/pki/tls/certs/ca-bundle.crt and you can see that the DST Root CA X3 root certificate expired on Sep 30 14:01:15 2021 GMT, which is what makes verification of the website's certificate fail.

How to solve the issued certificate has expired problem?

The simplest solution is to modify the expiration date inside the DST Root CA X3 certificate. Open /etc/pki/tls/certs/ca-bundle.crt, search for the string xMDkzMDE0MDExNVow and replace it with 0MDkzMDE4MTQwM1ow.

xMDkzMDE0MDExNVow is the encoded expiration date Sep 30 14:01:15 2021 GMT, and 0MDkzMDE4MTQwM1ow is the encoded expiration date Sep 30 14:01:15 2024 GMT. Note: do not modify the plain-text line "Not After : Sep 30 14:01:15 2021 GMT" in /etc/pki/tls/certs/ca-bundle.crt; that text is only a comment and is not part of the certificate. The real certificate is the base64-encoded block. Now wget succeeds, even though the edited certificate can no longer pass signature verification: OpenSSL treats the certificates in its trust store as anchors and does not check their self-signatures by default, while it does check their validity dates, so the patched root is accepted as-is.

Another solution is to upgrade /etc/pki/tls/certs/ca-bundle.crt to the latest version.

This is only possible on CentOS 7. On CentOS 6, installing or upgrading ca-certificates does not help, because ca-certificates is already installed on your system and is the latest version available:

This is the highest version for CentOS 6. You can download a newer version from CentOS 7 (https://vault.centos.org/7.9.2009/updates/Source/SPackages/ca-certificates-2021.2.50-72.el7_9.src.rpm) and do some hacking to build a CentOS 6 counterpart, but that is not enough for wget to work. As said before, wget uses OpenSSL, and the old OpenSSL (1.0.1) on CentOS 6 cannot use the new ca-bundle.crt to verify Let's Encrypt certificates. The new version of ca-certificates actually removes the DST Root CA X3 certificate from /etc/pki/tls/certs/ca-bundle.crt, so wget produces the following error instead:

ERROR: cannot verify curl.se’s certificate, issued by “/C=US/O=Let’s Encrypt/CN=R3”:
  Unable to locally verify the issuer’s authority.

If you were on CentOS 7, you would be using OpenSSL 1.0.2, which can build the website's alternative certificate chain, the one whose root is ISRG Root X1, and so verifies the certificate successfully.

To make wget work on CentOS 6, you would have to build and install OpenSSL 1.0.2 as well.

Reference: https://community.letsencrypt.org/t/rhel-centos-6-openssl-client-compatibility-after-dst-root-ca-x3-expiration/161032/28
