Fix debian 8/9 “curl: (60) SSL certificate problem: certificate has expired”

Fix debian 8/9 “curl: (60) SSL certificate problem: certificate has expired”

example error

curl -I https://www.google.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
.
.

test with cURL .php script

<?php
// create curl resource
$ch = curl_init();

// set url 
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");

//return the transfer as a string 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$errorFile = dirname(__FILE__) . '/curl_error.txt';
$out       = fopen($errorFile, "w");
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_STDERR, $out);

// $output contains the output string 
$output = curl_exec($ch);

curl_close($ch);
fclose($out);

echo "<h1>LOG</h1>";
echo "<pre>";
echo htmlspecialchars(file_get_contents($errorFile));
unlink($errorFile);
echo "</pre>";

if apt-get install --reinstall ca-certificates not work, try

wget --no-check-certificate -O - https://raw.githubusercontent.com/xenetis/letsencrypt-expiration/main/letsencrypt-expiration.sh | bash

letsencrypt-expiration.sh

#!/usr/bin/env bash

if [[ $(lsb_release -sc) = "jessie" || $(lsb_release -sc) = "stretch" ]]; then
  apt-get install ca-certificates -y
  sed -i -e 's|mozilla/DST_Root_CA_X3.crt|#mozilla/DST_Root_CA_X3.crt|g' /etc/ca-certificates.conf
  sed -i -e 's|mozilla/ISRG_Root_X1.crt|#mozilla/ISRG_Root_X1.crt|g' /etc/ca-certificates.conf
  wget --no-check-certificate https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /usr/local/share/ca-certificates/lets-encrypt-r3.crt
  wget --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/local/share/ca-certificates/isrgrootx1.crt
  update-ca-certificates -f
fi
if [[ $(lsb_release -sc) = "buster" ]]; then
  apt-get update --allow-releaseinfo-change -y
  apt-get install ca-certificates -y
fi

ref : https://serverfault.com/a/1081021

but for me, this fixed https://stackoverflow.com/a/31830614

cd /etc/ssl/certs/
wget --no-check-certificate https://curl.se/ca/cacert.pem
#or wget --no-check-certificate http://curl.se:443/ca/cacert.pem
#test CURL_CA_BUNDLE=/etc/ssl/certs/cacert.pem curl -I https://www.google.com
echo "cacert = /etc/ssl/certs/cacert.pem" > /root/.curlrc
echo "ca_directory = /etc/ssl/certs/" > /root/.wgetrc
vim /etc/php/7.0/fpm/php.ini
#edit curl.cainfo = "/etc/ssl/certs/cacert.pem"
#edit openssl.cafile="/etc/ssl/certs/cacert.pem"
service php7.0-fpm restart
service nginx restart

worked, test again with script .php above or cURL commandline

curl -I https://www.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
.
.
SSL_CERT_FILE=/etc/ssl/certs/cacert.pem wget https://www.google.com
SSL_CERT_DIR=/etc/ssl/certs wget https://www.google.com
wget --ca-certificate=/etc/ssl/certs/cacert.pem https://www.google.com

 March 16, 2023

 Blog | # # # # #

qrcode
Facebook Facebook X / Twitter Twitter Telegram Telegram Pinterest Pinterest Email Email

Re-commend-เด็ด ๆ ต่อจาก Fix debian 8/9 “curl: (60) SSL certificate problem: certificate has expired”

  • Magicz?~