cURL error 60: SSL certificate problem: certificate has expired

Question

We running 2 application on amazon ec2 (backend.abc.com & frontend.abc.com). For that application, we used a paid SSL Certificate. That certificate expiration date at 2021 June. But today, we got an error -

cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) 

We check certificate expiration date, but there was no problem (2021 June). Then we follow this thread - curl: (60) SSL certificate problem: unable to get local issuer certificate (@Dahomz answer)

After that, when we curl abc.com by - curl -v --url https://backend.abc.com --cacert /etc/ssl/ssl.cert/cacert.pem, It working fine. Response like -

* Rebuilt URL to: https://backend.abc.com/ *   Trying 127.0.0.1... * Connected to backend.abc.com (127.0.0.1) port 443 (#0) * found 139 certificates in /etc/ssl/ssl.cert/cacert.pem * found 600 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ******_RSA_***_***_GCM_***** *    server certificate verification OK *    server certificate status verification SKIPPED *    common name: *.abc.com (matched) *    server certificate expiration date OK *    server certificate activation date OK *    certificate public key: RSA *    certificate version: #3 *    subject: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.abc.xyz *    start date: Mon, 04 May 2019 00:00:00 GMT *    expire date: Wed, 07 June 2021 23:59:59 GMT *    issuer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA *    compression: NULL * ALPN, server accepted to use http/1.1 

But when we hit from frontend.abc.com to backend.abc.com by curl, it throws this error -

* Rebuilt URL to: https://backend.abc.com/ *   Trying 127.0.0.1... * Connected to backend.abc.com (127.0.0.1) port 443 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: *   CAfile: /etc/ssl/ssl.cert/cacert.pem   CApath: /etc/ssl/certs * SSL connection using TLSv1.2 / *****-RSA-*****-GCM-****** * ALPN, server accepted to use http/1.1 * Server certificate: *    subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.abc.com *    start date: Mar  4 00:00:00 2019 GMT *    expire date: Apr  7 23:59:59 2021 GMT *    issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA *    SSL certificate verify result: certificate has expired (10), continuing anyway. 

My curl code -

$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://backend.abc.com"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_VERBOSE, 1); curl_setopt($ch, CURLOPT_STDERR, fopen(public_path("c.log"), 'w')); curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); $output = curl_exec($ch); $error = curl_error($ch); $info = curl_getinfo($ch); curl_close($ch); 

Answer 1

To fix the problem, remove the expired root certificate from your domain certificate.

1. Go to https://whatsmychaincert.com
2. Test Your Server
3. If they confirm you you have an expired root certificate, download and use the .crt without this certificate.

Answer 2

If you're having this issue with "curl" (or similar) on a Ubuntu 16 system, here's how we fixed it:

On the Ubuntu 16 system hosting the curl / app that fails:

• nano /etc/ca-certificates.conf
• Remove the line (or comment) specifying AddTrust_External_Root.crt
• apt update && apt install ca-certificates
• update-ca-certificates -f -v
• Try curl again with the URL that was failing before - hopefully it works now :)