Debian Curl/PHP/wget etc show an certificate error falsely

Problem: curl php wget and others show a cert error like the following since 6. Oct 2021, even though the cert has not expired:

curl: (60) SSL certificate problem: certificate has expired
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The asked server uses a Letsencrypt certificate.

Discussion: Currently Letsencrypt includes two chains for validation of the certificate:

  1. Cert -> R3 -> ISRG Root X1 (in new trust store)
  2. Cert -> R3 -> ISRG Root X1 -> DST Root CA X3 (in old trust stores but expired)

Chain one works for all modern OSes and browsers, but on Debian (at least with 9.0) the cert check fails because it finds the expired CA “X3” in chain 2, and does not use the direct chain with CA “X1”. Debian 9.0 includes both CA certs.

The reason to keep the expired cert in the provided chain is that some old devices need this X3 cert, and accept it despite its expire date. e.g. Android >=2.3.6 and <7.1.1

Solution: Start the following command and deactivate the expired CA cert on the client.

# dpkg-reconfigure ca-certificates

This bug is not limited to Debian because this issue seems to be related to openssl-1.1.0, which you will find in many products. Removing the expired cert might work there as well.

Generate CSR using openssl

Browsers started to warn users about certificates with Sha1 signature. Sha256 is needed now a days.
So it’s time to renew certificates from Thawte, Godaddy, etc

You can generate a new Certificate Signing Request with openssl with this command:

openssl req -nodes -newkey rsa:2048 -keyout servername.key -out servername.csr -sha256

“servername.csr” is an ascii file you can send or paste to your certification authority’s interfaces.

Version: tested with OpenSSL 1.0.1e 11 Feb 2013 on Debian 7

Howto generate an SSL key and self signed cert with openssl

For SSH, HTTPS, TLS SMTP,POPS, IMAPS you need a RSA key pair. Most Linux package installers produce this pairs automatically, but if you like, you can generate them yourself.

The quickest method I found is:

openssl req -x509 -nodes -newkey rsa:2048 -keyout servername.key -out servername.crt -days 1024

This command asks you some questions. The most important one is:

Common Name (e.g. server FQDN or YOUR name)

Enter the hostname of your server here.

You can check the content of key and crt files with these commands:

openssl rsa -in servername.key -text
openssl x509 -in servername.crt -text