SOLVED cURL Let's Encrypt ISRG Root X1 certificate issue

dirklammert

Member
Mar 7, 2019
18
6
3
NL
cPanel Access Level
Root Administrator
Anybody knows why this difference happens:

Bash:
-bash-4.2# curl -I -v https://valid-isrgrootx1.letsencrypt.org/
* About to connect() to valid-isrgrootx1.letsencrypt.org port 443 (#0)
*   Trying 52.9.173.94...
* Connected to valid-isrgrootx1.letsencrypt.org (52.9.173.94) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=valid-isrgrootx1.letsencrypt.org
*       start date: Aug 04 15:00:08 2021 GMT
*       expire date: Nov 02 15:00:06 2021 GMT
*       common name: valid-isrgrootx1.letsencrypt.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: valid-isrgrootx1.letsencrypt.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Fri, 01 Oct 2021 10:00:04 GMT
Date: Fri, 01 Oct 2021 10:00:04 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 4067
Content-Length: 4067
< Last-Modified: Mon, 09 Aug 2021 23:45:57 GMT
Last-Modified: Mon, 09 Aug 2021 23:45:57 GMT
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< ETag: "6111be35-fe3"
ETag: "6111be35-fe3"
< Strict-Transport-Security: max-age=604800
Strict-Transport-Security: max-age=604800
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Accept-Ranges: bytes
Accept-Ranges: bytes

<
* Connection #0 to host valid-isrgrootx1.letsencrypt.org left intact
vs.:

Bash:
-bash-4.2# /opt/cpanel/libcurl/bin/curl -I -v https://valid-isrgrootx1.letsencrypt.org/
*   Trying 52.9.173.94:443...
* Connected to valid-isrgrootx1.letsencrypt.org (52.9.173.94) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I did update the root certificates already:

Bash:
-bash-4.2# curl https://curl.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust
How to resolve the issue with the cPanel compiled version of cURL?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,491
1,008
313
cPanel Access Level
Root Administrator
Thanks for that - I'm not able to reproduce, so I'm wondering if there is an issue with OpenSSL or some other problem on that particular machine. Could you open a ticket with our team so we can take a look? If you are able to do that, please post the ticket number here so I can follow along and make sure this thread gets updated.