
cURL error 60: SSL certificate problem: certificate has expired

Tags:

curl

ssl

We are running 2 applications on Amazon EC2 (backend.abc.com & frontend.abc.com). For those applications, we used a paid SSL certificate. That certificate's expiration date is 2021 June. But today, we got an error -

cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) 

We checked the certificate expiration date, but there was no problem (2021 June). Then we followed this thread - curl: (60) SSL certificate problem: unable to get local issuer certificate (@Dahomz answer)

After that, when we curl abc.com with - curl -v --url https://backend.abc.com --cacert /etc/ssl/ssl.cert/cacert.pem, it works fine. The response looks like -

    * Rebuilt URL to: https://backend.abc.com/
    *   Trying 127.0.0.1...
    * Connected to backend.abc.com (127.0.0.1) port 443 (#0)
    * found 139 certificates in /etc/ssl/ssl.cert/cacert.pem
    * found 600 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * SSL connection using TLS1.2 / ******_RSA_***_***_GCM_*****
    *    server certificate verification OK
    *    server certificate status verification SKIPPED
    *    common name: *.abc.com (matched)
    *    server certificate expiration date OK
    *    server certificate activation date OK
    *    certificate public key: RSA
    *    certificate version: #3
    *    subject: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.abc.xyz
    *    start date: Mon, 04 May 2019 00:00:00 GMT
    *    expire date: Wed, 07 June 2021 23:59:59 GMT
    *    issuer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA
    *    compression: NULL
    * ALPN, server accepted to use http/1.1

But when we hit from frontend.abc.com to backend.abc.com by curl, it throws this error -

    * Rebuilt URL to: https://backend.abc.com/
    *   Trying 127.0.0.1...
    * Connected to backend.abc.com (127.0.0.1) port 443 (#0)
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/ssl.cert/cacert.pem
      CApath: /etc/ssl/certs
    * SSL connection using TLSv1.2 / *****-RSA-*****-GCM-******
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *    subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.abc.com
    *    start date: Mar  4 00:00:00 2019 GMT
    *    expire date: Apr  7 23:59:59 2021 GMT
    *    issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
    *    SSL certificate verify result: certificate has expired (10), continuing anyway.

My curl code -

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://backend.abc.com");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Write libcurl's verbose trace to c.log under the public path
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_STDERR, fopen(public_path("c.log"), 'w'));
    // Peer and host verification are switched off here, so libcurl logs the
    // verify result ("certificate has expired (10)") and continues anyway
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    $output = curl_exec($ch);
    $error = curl_error($ch);
    $info = curl_getinfo($ch);
    curl_close($ch);
Hasan Hafiz Pasha asked May 30 '20 19:05



2 Answers

To fix the problem, remove the expired root certificate from your domain certificate.

  1. Go to https://whatsmychaincert.com
  2. Test Your Server
  3. If they confirm you have an expired root certificate, download and use the .crt without this certificate.

Manu answered Sep 29 '22 10:09


If you're having this issue with "curl" (or similar) on an Ubuntu 16 system, here's how we fixed it:

On the Ubuntu 16 system hosting the curl / app that fails:

  • nano /etc/ca-certificates.conf
  • Remove the line (or comment) specifying AddTrust_External_Root.crt
  • apt update && apt install ca-certificates
  • update-ca-certificates -f -v
  • Try curl again with the URL that was failing before - hopefully it works now :)

mrmuggles answered Sep 29 '22 10:09
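
An added example, not part of the question or of either answer: both answers point at an expired certificate other than the leaf, either in the chain file the server sends or in the client's CA bundle. This POSIX shell script lists every certificate in a PEM file that has expired or will expire within a given number of seconds; the function names `split_pem` and `expired_certs` are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: find expired certificates inside a PEM chain or CA bundle.
# Function names are hypothetical; requires the openssl CLI.

# split_pem FILE DIR: write each certificate in FILE to DIR/cert-NNN.pem,
# skipping comments and any other text between the PEM blocks.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# expired_certs FILE [SECONDS]: print "notAfter<TAB>subject" for every
# certificate in FILE that expires within SECONDS (default 0 = already expired).
expired_certs() (
    file=$1
    window=${2:-0}
    tmp=$(mktemp -d) || exit 2
    split_pem "$file" "$tmp"
    for cert in "$tmp"/cert-*.pem; do
        [ -e "$cert" ] || continue
        # Skip blocks that openssl cannot parse as a certificate
        openssl x509 -in "$cert" -noout >/dev/null 2>&1 || continue
        # -checkend N exits non-zero when the certificate expires within N seconds
        if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
            printf '%s\t%s\n' \
                "$(openssl x509 -in "$cert" -noout -enddate)" \
                "$(openssl x509 -in "$cert" -noout -subject)"
        fi
    done
    rm -rf "$tmp"
)

# When run with arguments, behave as a command: script.sh FILE [SECONDS]
if [ "$#" -gt 0 ]; then
    expired_certs "$@"
fi
```

Run it against the chain file installed on the server and against the client's bundle (in the question, `/etc/ssl/ssl.cert/cacert.pem`); a leaf that is still valid does not rule out an expired intermediate or root elsewhere in the file.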