Since Sep 30 14:01:15 2021 GMT any software using openssl <=1.0 (like curl, php etc.) can't connect to hosts with Let’s Encrypt certificates

curl lets-encrypt libcurl

DST Root CA X3 root certificate expired on Sep 30 14:01:15 2021 GMT. It was used as one of certification paths for Let’s Encrypt certificates. Any software using openssl <=1.0 (like curl, php etc.) will cause expired root to fail connection instead of trying other roots in local ca store (a bug)

As of 30 september 2021 available ca stores still contains expired DST Root CA X3 root certificate so updating it won't fix problem. You can either update your cURL (which might be quite challenging in some situations) or edit local ca store (f.e. /etc/pki/tls/certs/ca-bundle.crt) and manually remove certificate after line "DST Root CA X3"

Update: On 1 october 2021 new version of curl ca store available at https://curl.se/docs/caextract.html has been updated and does not contain expired DST Root CA X3 certificate

Related

How to change the default certificate chain in Kubernetes Ingress
PHP scripts suddenly load very slow on Apache
Check OCSP on Linux with GET method
User agents not trusting web server due to Let's Encrypt DST Root CA X3 root certificate expiration
firewalld is not working in CentOS 8: no rule at all is created in iptables
Does ActiveDirectory support Kerberos user principle instances?
File is too big for /dev/null
EMC VNX iSCSI setup - unsure about SP/port assignment
Setting up a user without a password
How to change assigned letter for Ephemeral drives automatically?
Cannot edit VM or access it via SSH. error:Supplied fingerprint does not match current metadata fingerprint
Can a server have "too much" RAM? Is there an optimal level of RAM, or is more always better?