Server Certificate Verification Failed. CRLfile: none
The root certificate “DST Root CA X3” of Let’s Encrypt (a free, automated, and open certificate authority) expired on Sep 30, 2021.
It doesn’t matter for most practical purposes, as Let’s Encrypt has already migrated their certificates to “ISRG Root X1”. On new systems the chain ends at the ISRG Root X1 certificate; on older systems it ends at ISRG Root X1 cross-signed by DST Root CA X3. However, the DST Root CA X3 expiry impacts embedded systems and servers which rely on old trusted certificates bundled with the operating system. For example, suppose you have a crontab entry to run a scheduled job:
lynx --dump --accept-all-cookies https://<job> >> log.txt 2>&1
lynx or curl relies on the default certificate keystore to trust the secure URL. If the certs have not been updated, the job will start failing after Sep 30, 2021 with an error similar to:
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
or
curl: (60) The certificate issuer's certificate has expired. Check your system date and time.
Observe the “last modified” date to check if the bundled certificates need to be updated:
$ locate cacerts | xargs ls -l
-r--r--r-- 1 root root 161905 Dec 20 2019 /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root root 40 Dec 20 2019 /etc/pki/java/cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root root 41 Nov 26 2019 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts
You may run the following commands to update the default keystore:
1. CentOS
sudo yum install ca-certificates
sudo update-ca-trust extract
2. Debian
sudo apt-get install --reinstall ca-certificates
After the update, the “last modified” date should change to today’s date:
$ locate cacerts | xargs ls -l
-r--r--r-- 1 root root 145288 Oct 1 08:49 /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root root 40 Oct 1 08:48 /etc/pki/java/cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
lrwxrwxrwx 1 root root 41 Nov 26 2019 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts
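The modification date only shows that the bundle was rewritten. The following added example (not part of the original post) inspects the bundle contents instead, reporting whether ISRG Root X1 is trusted and which roots have expired. It assumes Python 3 with only the standard library; the function names and the sample record are constructed for illustration, and the default path is the CAfile from the error message above.

```python
import ssl
import sys
import time

# Bundle path taken from the error message on this page (Debian layout).
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample in get_ca_certs() format: a store holding only the old root.
SAMPLE_OLD_STORE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]


def common_name(cert):
    """Return the subject commonName of a get_ca_certs() record, or ''."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def audit(certs, now=None):
    """Report whether ISRG Root X1 is trusted and which CA certs have expired."""
    now = time.time() if now is None else now
    names = {common_name(c) for c in certs}
    expired = sorted(
        common_name(c) or "(no CN)"
        for c in certs
        if ssl.cert_time_to_seconds(c["notAfter"]) < now
    )
    return {"has_isrg_root_x1": "ISRG Root X1" in names, "expired": expired}


def load_bundle(path=DEFAULT_BUNDLE):
    """Parse the CA certificates in a PEM bundle; no network connection is made."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BUNDLE
    report = audit(load_bundle(path))
    print("ISRG Root X1 present:", report["has_isrg_root_x1"])
    for name in report["expired"]:
        print("expired root still in bundle:", name)
    sys.exit(0 if report["has_isrg_root_x1"] else 1)
```

Pass a different PEM bundle path as the first argument when the system keeps its trust store elsewhere; a non-zero exit status means ISRG Root X1 is missing and the update above is still needed.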