Debian curl/PHP/wget etc. falsely show a certificate error

Problem: curl, PHP, wget and others have shown a certificate error like the following since 6 Oct 2021, even though the certificate has not expired:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The server being contacted uses a Let's Encrypt certificate.

Discussion: Currently Let's Encrypt provides two chains for validating the certificate:

  1. Cert -> R3 -> ISRG Root X1 (in new trust stores)
  2. Cert -> R3 -> ISRG Root X1 -> DST Root CA X3 (in old trust stores, but expired)

Chain 1 works for all modern OSes and browsers, but on Debian (at least with 9.0) the certificate check fails because the verifier finds the expired CA "DST Root CA X3" from chain 2 in the trust store and does not fall back to the shorter chain ending at "ISRG Root X1". Debian 9.0 ships both CA certificates.

The reason for keeping the expired certificate in the provided chain is that some old devices need the X3 certificate and accept it despite its expiry date, e.g. Android >= 2.3.6 and < 7.1.1.

Solution: Run the following command and deselect the expired CA certificate (DST Root CA X3) on the client:

# dpkg-reconfigure ca-certificates
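What dpkg-reconfigure writes when you deselect a certificate is a `!` prefix in front of that CA's line in /etc/ca-certificates.conf, followed by update-ca-certificates to rebuild /etc/ssl/certs. The following POSIX shell functions, added here as an example (not from the original page), do the same non-interactively for the expired root, and report whether it is still active; they assume the Debian file name mozilla/DST_Root_CA_X3.crt and operate on a constructed sample of the conf file so they can be run safely outside /etc.

```sh
#!/bin/sh
# Debian's ca-certificates.conf lists one CA file per line; a leading '!'
# deselects it, which is what `dpkg-reconfigure ca-certificates` records
# when a certificate is unticked. File name as shipped by Debian (assumed).
EXPIRED_ROOT="mozilla/DST_Root_CA_X3.crt"

# Write a constructed sample conf to $1 (not a copy of a real system file).
make_sample_conf() {
  cat > "$1" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/ISRG_Root_X1.crt
mozilla/DST_Root_CA_X3.crt
mozilla/DigiCert_Global_Root_CA.crt
EOF
}

# Print "active" if the expired root is still selected in conf file $1,
# "disabled" if it is deselected with '!', or "absent" if not listed at all.
root_status() {
  if grep -qx "$EXPIRED_ROOT" "$1"; then
    echo active
  elif grep -qx "!$EXPIRED_ROOT" "$1"; then
    echo disabled
  else
    echo absent
  fi
}

# Deselect the expired root in conf file $1. Idempotent: an already
# deselected line does not match the anchored pattern, so it is untouched.
# On a real system run `update-ca-certificates` afterwards so the bundle
# in /etc/ssl/certs no longer contains DST Root CA X3.
disable_expired_root() {
  sed "s|^${EXPIRED_ROOT}\$|!${EXPIRED_ROOT}|" "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}
```

To confirm on a real Debian host that the root in question really is the expired one, `openssl x509 -noout -enddate -in /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt` prints its notAfter date.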

This bug is not limited to Debian, because the issue appears to be tied to OpenSSL 1.1.0, which is found in many products. Removing the expired certificate from the trust store may work there as well.