SOLVED cURL Let's Encrypt ISRG Root X1 certificate issue

dirklammert

cPanel Access Level: Root Administrator
Does anybody know why this difference happens:

Bash:
-bash-4.2# curl -I -v https://valid-isrgrootx1.letsencrypt.org/
* About to connect() to valid-isrgrootx1.letsencrypt.org port 443 (#0)
*   Trying 52.9.173.94...
* Connected to valid-isrgrootx1.letsencrypt.org (52.9.173.94) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=valid-isrgrootx1.letsencrypt.org
*       start date: Aug 04 15:00:08 2021 GMT
*       expire date: Nov 02 15:00:06 2021 GMT
*       common name: valid-isrgrootx1.letsencrypt.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: valid-isrgrootx1.letsencrypt.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Fri, 01 Oct 2021 10:00:04 GMT
Date: Fri, 01 Oct 2021 10:00:04 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 4067
Content-Length: 4067
< Last-Modified: Mon, 09 Aug 2021 23:45:57 GMT
Last-Modified: Mon, 09 Aug 2021 23:45:57 GMT
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< ETag: "6111be35-fe3"
ETag: "6111be35-fe3"
< Strict-Transport-Security: max-age=604800
Strict-Transport-Security: max-age=604800
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Accept-Ranges: bytes
Accept-Ranges: bytes

<
* Connection #0 to host valid-isrgrootx1.letsencrypt.org left intact
vs.:

Bash:
-bash-4.2# /opt/cpanel/libcurl/bin/curl -I -v https://valid-isrgrootx1.letsencrypt.org/
*   Trying 52.9.173.94:443...
* Connected to valid-isrgrootx1.letsencrypt.org (52.9.173.94) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I did update the root certificates already:

Bash:
-bash-4.2# curl https://curl.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust
How can I resolve the issue with the cPanel-compiled version of cURL?
 

cPRex

Jurassic Moderator
Staff member
cPanel Access Level: Root Administrator
Thanks for that - I'm not able to reproduce, so I'm wondering if there is an issue with OpenSSL or some other problem on that particular machine. Could you open a ticket with our team so we can take a look? If you are able to do that, please post the ticket number here so I can follow along and make sure this thread gets updated.