cURL error 60: SSL certificate problem: certificate has expired
Solution 1:
To fix the problem, remove the expired root certificate from your domain certificate.
- Go to https://whatsmychaincert.com
- Test Your Server
- If they confirm you have an expired root certificate, download and use the .crt without this certificate.
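A local way to look for the condition Solution 1 describes, as an added example that is not part of the original answer: it walks a PEM chain file and reports each certificate's expiry using the openssl CLI. The function name `check_chain` and the file path in the usage comment are hypothetical.

```bash
# Added example (not from the original answers). Requires the openssl CLI.
# Usage: check_chain /path/to/fullchain.pem [window_seconds]
# Prints one line per certificate in the PEM file and returns the number of
# certificates that are expired (or that expire within window_seconds).
check_chain() {
    chain_file=$1
    window=${2:-0}              # 0 = flag only certificates already expired
    workdir=$(mktemp -d) || return 255
    flagged=0

    # Split the bundle into one file per certificate, keeping chain order.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$chain_file"

    i=1
    while [ -e "$workdir/cert.$i.pem" ]; do
        pem=$workdir/cert.$i.pem
        subject=$(openssl x509 -in "$pem" -noout -subject)
        enddate=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            state=OK
        else
            state=FLAG
            flagged=$((flagged + 1))
        fi
        printf '%-4s #%d  %s  %s\n' "$state" "$i" "$enddate" "$subject"
        i=$((i + 1))
    done

    rm -rf "$workdir"
    return "$flagged"
}
```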
Solution 2:
If you're having this issue with "curl" (or similar) on an Ubuntu 16 system, here's how we fixed it:
On the Ubuntu 16 system hosting the curl / app that fails:
- nano /etc/ca-certificates.conf
- Remove the line (or comment) specifying AddTrust_External_Root.crt
- apt update && apt install ca-certificates
- update-ca-certificates -f -v
- Try curl again with the URL that was failing before - hopefully it works now :)
Solution 3:
For Ubuntu 14.04
Open your terminal
sudo su
wget 'https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO' -O SHA-2_Root_USERTrust_RSA_Certification_Authority.crt --no-check-certificate
cp SHA-2_Root_USERTrust_RSA_Certification_Authority.crt /usr/share/ca-certificates/mozilla/
Then
dpkg-reconfigure ca-certificates
and uncheck mozilla/AddTrust_External_Root.crt and check mozilla/2_Root_USERTrust_RSA_Certification_Authority.crt
or run sudo update-ca-certificates
to uncheck those.
Solution 4:
It seems like your truststore is not updated with the latest trusted root. I understand that it has been happening to you since yesterday, 30th May. I am assuming that you have Sectigo as your CA.
Update your truststore and you should be able to connect.
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
Solution 5:
Yesterday I ran into the problem @finesse was reporting above. Since on our system the ca-certificates get updated automatically, I was quite troubled since the certificate was valid
- using curl on the command line
- using a php script with php-cli
but it did not work from the web site.
Solution was simple:
just restart php-fpm :/
Best regards,
Willi