0
votes

My website uses a Let's Encrypt cert that works fine using a web browser. When retrieving a file from my website via wget/curl I receive a warning that the SSL cert has expired. So I have created a simple script to check my SSL cert on my side:

[root]# cat certinfo.sh
#!/bin/bash
# Resolve the host name, then fetch the served certificate chain and print the
# validity window of the leaf certificate.
nslookup "$1"
openssl s_client -showcerts -servername "$1" -connect "$1:443" <<< "Q" | openssl x509 -text | grep -iA2 "Validity"

I then run the script against my site:

[root]# ./certinfo.sh files.mysite.io
Server:         172.31.254.4
Address:        172.31.254.4#53

Non-authoritative answer:
Name:   files.mysite.io
Address: 52.204.19.216

depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
DONE
        Validity
            Not Before: Dec  1 04:00:19 2021 GMT
            Not After : Mar  1 04:00:18 2022 GMT

What exactly is going on here? Today (Dec 14 2021) is in the range of the certificate validity as shown above. Yet there is a "notAfter" setting that has expired. I can't find that "notAfter" in my certificate or in the intermediate certificates.

Where is this coming from, and how do I fix it?

1
It's LetsEncrypt which by default still provides a chain to, as the error message says, DST Root CA X3 -- which expired on Sept. 30. Most clients like browsers can substitute the newer, valid ISRG X1 root, but programs using OpenSSL 1.0.2 fail if both roots (DST and ISRG) are still configured, which depends on your system; whether curl and wget use OpenSSL (and which version) also depends on your system. There were dozens of Qs about this in the week or two after Sept. 30 -- search for the ones appropriate to your system. Use newer OpenSSL, remove DST root, or change the server. - dave_thompson_085
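As an added illustration (not code from the question, the comment or the answer), here is a simplified Python model of the two path-building strategies the comment contrasts: certificate records are constructed with only subject, issuer and notAfter, the dates other than DST's real expiry are approximate, and the walk is a sketch of the behaviour, not OpenSSL's actual algorithm.

```python
from datetime import datetime, timezone

# Constructed records: only subject, issuer and notAfter are modelled (no keys or
# signatures). Dates are approximate except DST's, which is its real expiry.
UTC = timezone.utc
DST = {"subject": "DST Root CA X3", "issuer": "DST Root CA X3",
       "not_after": datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC)}
ISRG_SELF = {"subject": "ISRG Root X1", "issuer": "ISRG Root X1",
             "not_after": datetime(2035, 6, 4, tzinfo=UTC)}
ISRG_CROSS = {"subject": "ISRG Root X1", "issuer": "DST Root CA X3",
              "not_after": datetime(2024, 9, 30, tzinfo=UTC)}
R3 = {"subject": "R3", "issuer": "ISRG Root X1",
      "not_after": datetime(2025, 9, 15, tzinfo=UTC)}
LEAF = {"subject": "files.mysite.io", "issuer": "R3",
        "not_after": datetime(2022, 3, 1, 4, 0, 18, tzinfo=UTC)}
NOW = datetime(2021, 12, 14, tzinfo=UTC)  # the date given in the question

def verify(chain, trust_store, trusted_first, now=NOW):
    """Build a path from the served chain, then check every member's expiry.
    trusted_first=False: 1.0.2-style, use the served chain first, store last.
    trusted_first=True: newer behaviour, stop as soon as an issuer is a trust anchor."""
    trusted = {c["subject"]: c for c in trust_store}
    untrusted = {c["subject"]: c for c in chain[1:]}
    path = [chain[0]]
    while path[-1]["subject"] != path[-1]["issuer"]:  # stop at a self-signed cert
        issuer = path[-1]["issuer"]
        if trusted_first and issuer in trusted:
            path.append(trusted[issuer])
        elif issuer in untrusted:
            path.append(untrusted[issuer])
        elif issuer in trusted:
            path.append(trusted[issuer])
        elif path[-1]["subject"] in trusted:
            path[-1] = trusted[path[-1]["subject"]]  # served cross-sign -> anchor
        else:
            return "unable to get issuer certificate", [c["subject"] for c in path]
    subjects = [c["subject"] for c in path]
    if trusted.get(path[-1]["subject"]) is not path[-1]:
        return "self-signed certificate in chain is not trusted", subjects
    for depth, cert in enumerate(path):
        if cert["not_after"] < now:
            return f"depth={depth} {cert['subject']}: certificate has expired", subjects
    return "ok", subjects

def scenarios(now=NOW):
    served = [LEAF, R3, ISRG_CROSS]  # the default Let's Encrypt chain at the time
    return {"legacy, both roots": verify(served, [DST, ISRG_SELF], False, now)[0],
            "legacy, DST removed": verify(served, [ISRG_SELF], False, now)[0],
            "trusted-first, both roots": verify(served, [DST, ISRG_SELF], True, now)[0]}
```

The first scenario reproduces the "depth=3 ... certificate has expired" result from the question; the other two show why removing the DST root or using a trusted-first verifier makes the same served chain validate.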

1 Answer

0
votes

Dave is correct, and as it's a server issue, the best option would be changing your certificate on the server: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/