Server Certificate Verification Failed. CRLfile: none

Brajesh Sachan
Published in Reverberations
Oct 4, 2021

The “DST Root CA X3” root certificate used by Let’s Encrypt, a free, automated, and open certificate authority, expired on Sep 30, 2021.

For most practical purposes this does not matter, as Let’s Encrypt has already migrated its certificates to “ISRG Root X1”. On new systems the chain ends at the ISRG Root X1 certificate; on older systems it uses ISRG Root X1 cross-signed by DST Root CA X3. However, the DST Root CA X3 expiry affects embedded systems and servers that rely on old trusted certificates bundled with the operating system. For example, suppose you have a crontab entry that runs a scheduled job:

lynx --dump --accept-all-cookies https://<job> 2>&1 >> log.txt

lynx and curl rely on the default certificate keystore to trust the secure URL. If the certificates have not been updated, such requests start failing after Sep 30, 2021 with an error similar to:

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

or

curl: (60) The certificate issuer's certificate has expired. Check your system date and time.

Observe the “last modified” date to check if the bundled certificates need to be updated:

$ locate cacerts | xargs ls -l
-r--r--r-- 1 root    root    161905 Dec 20  2019 /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root    root        40 Dec 20  2019 /etc/pki/java/cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root    root        41 Nov 26  2019 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts

You may run the following commands to update the default keystore:

1. CentOS

sudo yum install ca-certificates
sudo update-ca-trust extract

2. Debian

sudo apt-get install --reinstall ca-certificates

After the update, the “last modified” date should change to today’s date:

$ locate cacerts | xargs ls -l
-r--r--r-- 1 root    root    145288 Oct  1 08:49 /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root    root        40 Oct  1 08:48 /etc/pki/java/cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root    root        41 Nov 26  2019 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts
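The modification date only shows that the bundle file was rewritten, so the sketch below (an added example, not part of the original post) inspects what the bundle actually trusts: it lists expired roots and reports whether ISRG Root X1 is present. The CentOS bundle path, the function names and the two sample records are assumptions made for illustration; the Debian path is the one from the error message above.

```python
import os
import ssl
import time

# Debian path is from the error message above; the CentOS path is an assumption.
BUNDLES = ("/etc/ssl/certs/ca-certificates.crt", "/etc/pki/tls/certs/ca-bundle.crt")

# Constructed sample records in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_OLD_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]
SAMPLE_NEW_STORE = SAMPLE_OLD_STORE + [
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def root_name(cert):
    """Return the subject commonName, or the last subject attribute if there is none."""
    attrs = [pair for rdn in cert.get("subject", ()) for pair in rdn]
    names = [value for key, value in attrs if key == "commonName"]
    return names[0] if names else (attrs[-1][1] if attrs else "<no subject>")


def audit_roots(certs, now=None):
    """Report expired roots and whether ISRG Root X1 is trusted."""
    now = time.time() if now is None else now
    expired = sorted(root_name(c) for c in certs
                     if ssl.cert_time_to_seconds(c["notAfter"]) < now)
    names = {root_name(c) for c in certs}
    return {"expired": expired, "has_isrg_root_x1": "ISRG Root X1" in names}


def load_bundle(path):
    """Parse a PEM bundle with OpenSSL and return the decoded CA certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


if __name__ == "__main__":
    for path in filter(os.path.exists, BUNDLES):
        print(path, audit_roots(load_bundle(path)))
```

A store that reports `has_isrg_root_x1: False` will keep failing against Let’s Encrypt sites even if its modification date is recent.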
