curl says a valid certificate is expired

I have a GitLab Community Edition instance hosted on a server, and when using curl on this server to fetch this local GitLab website, I get an expired certificate error even though the dates are valid:

curl --insecure -vvI https://gitlab.mysite.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
*  subject: CN=gitlab.mysite.com
*  start date: Nov 12 14:36:12 2021 GMT
*  expire date: Feb 10 14:36:11 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: certificate has expired (10), continuing anyway.

But I don't get this expired certificate error when loading the site from a browser, or when using curl on another server. The error only appears when using curl locally, on the server hosting the GitLab CE instance.

This is the result when using curl on another server:

* Server certificate:
*  subject: CN=gitlab.mysite.com
*  start date: Nov 12 14:36:12 2021 GMT
*  expire date: Feb 10 14:36:11 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

Is it possible that there is an issue because curl is resolving to a local website (resolved IP = 127.0.1.1)?


I had those symptoms (works in a browser, fails in curl) on my Ubuntu 16.04 machine, curl 7.47.0.

In my case, the issue was indeed triggered by the Let's Encrypt expired certificate (as mentioned by Bob), but actually created by a bug in OpenSSL's handling of multi-path certificate trees.

Ubuntu 16.04

This OpenSSL issue has been patched in version 1.0.2g-1ubuntu4.20 (latest as of today) of the package for Ubuntu 16.04 (see changelog here).

If you are on Ubuntu 16.04, try updating OpenSSL to the latest version. If you are on another system, check your version of OpenSSL. Versions prior to 1.1.x have the issue and require "patching" (as done for the Ubuntu distro mentioned above). If you cannot move to an OpenSSL version with a fix, then you can resort to disabling the certificate causing the issue. How to disable the certificate will vary depending on your OS/distribution.

Debian 9.3

(updated answer - once OP identified the OS as Debian 9.3)
It seems that for Debian 9.3 this would be a duplicate question (I don't have enough privileges to mark it as such).
Client on Debian 9 erroneously reports expired certificate for letsencrypt-issued domain
And OP had success applying this answer (which is equivalent to my suggestion above for Ubuntu 16.04):
https://serverfault.com/a/1080278/473319

More information

The following page provides more background information and pointers for understanding the issue better: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
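
Added example (not part of the question or the answer above): a small triage of the `curl -v` lines quoted in the question. It separates "the leaf certificate is out of date" from "the leaf is in date, so the expired certificate sits elsewhere in the path this client built", which is the case the answer describes. The function names and the reference time are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# curl -v lines quoted in the question (failing host), embedded for offline use.
SAMPLE_FAIL = """\
* Server certificate:
*  subject: CN=gitlab.mysite.com
*  start date: Nov 12 14:36:12 2021 GMT
*  expire date: Feb 10 14:36:11 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: certificate has expired (10), continuing anyway.
"""

DATE_RE = re.compile(r"^\*[ \t]+(start|expire) date:[ \t]*(.+?)[ \t]*$", re.M)
VERIFY_RE = re.compile(
    r"^\*[ \t]+SSL certificate verify (ok|result: (.+?) \((\d+)\))", re.M)


def parse_curl_date(text):
    """Parse curl's 'Nov 12 14:36:12 2021 GMT' format as an aware UTC datetime."""
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def triage(verbose, now):
    """Classify one 'Server certificate' block from curl -v output.

    `now` is the clock of the machine that ran curl (aware datetime).
    """
    dates = {kind: parse_curl_date(value) for kind, value in DATE_RE.findall(verbose)}
    verify = VERIFY_RE.search(verbose)
    if verify is None or set(dates) != {"start", "expire"}:
        return "incomplete-output"
    if verify.group(1) == "ok":
        return "ok"
    if verify.group(3) != "10":  # 10 = X509_V_ERR_CERT_HAS_EXPIRED
        return "other-failure"
    if dates["start"] <= now <= dates["expire"]:
        # Leaf is in date, so the expired certificate is further up the path
        # this client built: inspect its OpenSSL version and CA bundle.
        return "chain-or-trust-store"
    return "leaf-outside-validity"


if __name__ == "__main__":
    # Constructed reference time inside the leaf's validity window.
    print(triage(SAMPLE_FAIL, datetime(2021, 12, 1, tzinfo=timezone.utc)))
```

A `chain-or-trust-store` verdict on one host and `ok` on another for the same server points at the client's TLS library or CA bundle rather than at the server's certificate.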