
For the last day or two, my old PHP container (Docker Hub php:5.4-apache) hasn't been able to use curl anymore. This is the log when running curl inside this container.

$> docker run --rm -ti php:5.6-apache bash
$> curl -X POST https://xxxxx.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

This same call works on a modern (updated) OS.

Raphael PICCOLO

2 Answers


The reason is that the CA certificates of the OS are outdated.

To update them, you need to do the following:

# -k skips certificate verification: the broken trust store cannot verify
# curl.se yet, so this download of the bundle is itself unauthenticated
curl -k https://curl.se/ca/cacert.pem > cacert.pem
# works: curl --cacert cacert.pem -X POST https://xxxxx.com

apt-get install ca-certificates
# update-ca-certificates picks up PEM files with a .crt extension from this
# directory; converting the bundle with "openssl x509 -outform der" would keep
# only its first certificate and produce DER, which it does not accept
cp cacert.pem /usr/local/share/ca-certificates/cacert.crt
update-ca-certificates

Other option:

# a leading "!" in /etc/ca-certificates.conf deselects that certificate
sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates

Best option (imho):

apt-get update
apt-get upgrade -y
Raphael PICCOLO
  • Another reason can be that OpenSSL is outdated. Both these reasons can be related to Let's Encrypt certificates _and_ the date September 30th 2021. If so, please compare with [DST Root CA X3 Expiration (September 2021) - Let's Encrypt Docs](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) – hakre Oct 02 '21 at 00:56
  • You mean that updating OpenSSL (apt-get install openssl) could also solve the situation? – Raphael PICCOLO Oct 02 '21 at 01:10
  • IIRC that is the case for Ubuntu 16.04. It is only needed to upgrade on _very old_ Debian-based systems. On old CentOS systems the update is with CA certs, as you did. If updating the CA certificates works for you in the first place, it's all fine and dandy. – hakre Oct 02 '21 at 01:15
  • Found this very interesting explanation / solution: https://medium.com/geekculture/will-you-be-impacted-by-letsencrypt-dst-root-ca-x3-expiration-d54a018df257 – Raphael PICCOLO Oct 02 '21 at 01:25
  • There is also the [Help thread for DST Root CA X3 expiration (September 2021)](https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190) – hakre Oct 02 '21 at 01:59
  • Ty, you're a lifesaver. apt-get update && apt-get upgrade -y inside my Docker machine worked like a charm for me. – Tiago_nes Nov 26 '21 at 17:06
  • "Other option" worked for me. I don't know how much time I spent on this issue. Thanks a lot. – Thejas Apr 20 '22 at 09:51
  • The "best option" did not work for me, the "other option" did! Thanks – Kvn91 Sep 12 '22 at 14:49

Raphael's answer is somewhat correct. I checked the https://curl.se/ca/cacert.pem file and found that, as of today, it contains the Digital Signature Trust Co. (DST Root CA X3) root CA certificate. So replacing your root CA certificate bundle may not be the answer if it contains the same expired certificate.

It isn't clear which cacert you're using. Can you share it?

You didn't mention what OS that is, so I will assume Linux.

You can isolate your OS root CA certificate location and check whether one of your expired certificates is the cause.

The steps in this article are the same for any expired root CA certificate in the root CA bundle (e.g. https://curl.se/ca/cacert.pem) cert chain: https://stackoverflow.com/a/69411107/1549092

GTodorov
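A worked check that puts the two answers above together. It is added here as an example and is not code from either poster: it splits a PEM bundle such as /etc/ssl/certs/ca-certificates.crt into its certificates and reports the ones that are already expired (the case in the question) or, going a step beyond the page, will expire within a given number of seconds; it prints the subject, issuer and expiry of every certificate a server actually sends, so an expired served chain can be told apart from a stale local trust store; and it performs the "other option" deselect in /etc/ca-certificates.conf so that running it twice does not turn the entry into "!!". The file name trust-audit.sh, the sample ca-certificates.conf and the two throwaway self-signed certificates the self-check generates are constructed for this demonstration; it assumes the openssl CLI, awk, sed and mktemp are installed, and nothing here touches the real trust store unless you point it at it.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Debian-style trust
# store for expired (or soon-to-expire) roots, show the chain a server really
# sends, and deselect one root in /etc/ca-certificates.conf idempotently.
# Assumes the openssl CLI, awk, sed and mktemp are installed.
set -eu

# Split a PEM bundle into one file per certificate: $2/1.pem, $2/2.pem, ...
split_bundle() {  # $1 = bundle path, $2 = output directory
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# Print "EXPIRING <notAfter> <subject>" for every certificate that is expired
# now ($2 = 0, the situation in the question) or will expire within $2 seconds.
# "openssl x509 -checkend N" exits 1 in exactly that case.
list_expiring() {  # $1 = bundle path, $2 = window in seconds
  dir=$(mktemp -d)
  split_bundle "$1" "$dir"
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || break                   # empty bundle: the glob did not expand
    if ! openssl x509 -noout -checkend "$2" -in "$f" >/dev/null 2>&1; then
      printf 'EXPIRING %s %s\n' \
        "$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2-)" \
        "$(openssl x509 -noout -subject -in "$f")"
    fi
  done
  rm -rf "$dir"
}

# Number of certificates list_expiring reports.
count_expiring() {  # $1 = bundle path, $2 = window in seconds
  list_expiring "$1" "$2" | awk '/^EXPIRING/ { n++ } END { print n + 0 }'
}

# Subject, issuer and notAfter of each certificate a server sends, so an expired
# intermediate or cross-sign in the served chain can be told apart from a stale
# local store. Needs network access; not exercised by the self-check below.
server_chain() {  # $1 = host or host:port (default port 443)
  case $1 in *:*) target=$1 ;; *) target=$1:443 ;; esac
  host=${target%%:*}
  dir=$(mktemp -d)
  openssl s_client -showcerts -servername "$host" -connect "$target" \
    </dev/null 2>/dev/null > "$dir/chain.pem"
  split_bundle "$dir/chain.pem" "$dir"
  for f in "$dir"/[0-9]*.pem; do
    [ -e "$f" ] || break
    openssl x509 -noout -subject -issuer -enddate -in "$f"
    echo
  done
  rm -rf "$dir"
}

# The "other option" from the first answer, safe to re-run: only a line that is
# exactly the entry gets the "!" prefix, so a second run does not produce "!!".
# Run update-ca-certificates afterwards to rebuild /etc/ssl/certs.
deselect_cert() {  # $1 = ca-certificates.conf path, $2 = entry, e.g. mozilla/DST_Root_CA_X3.crt
  tmp=$(mktemp)
  sed "s|^$2\$|!$2|" "$1" > "$tmp"
  cat "$tmp" > "$1"                        # rewrite in place, keeping owner and mode
  rm -f "$tmp"
}

# Constructed fixtures for the self-check; not real CA material.
make_sample_conf() {  # $1 = output path
cat > "$1" <<'EOF'
# constructed sample of /etc/ca-certificates.conf
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
mozilla/DigiCert_Global_Root_CA.crt
EOF
}

gen_cert() {  # $1 = CN, $2 = validity in days; throwaway self-signed cert on stdout
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj "/CN=$1" -days "$2" 2>/dev/null
}

make_sample_bundle() {  # $1 = output path: one cert valid for a day, one for ten years
  gen_cert expires-tomorrow 1 > "$1"
  gen_cert expires-in-ten-years 3650 >> "$1"
}

# Usage: sh trust-audit.sh /etc/ssl/certs/ca-certificates.crt [window-seconds]
#        sh trust-audit.sh --server xxxxx.com
if [ "$#" -gt 0 ]; then
  case $1 in
    --server) server_chain "$2" ;;
    *)        list_expiring "$1" "${2:-0}" ;;
  esac
fi
```

Run it as sh trust-audit.sh /etc/ssl/certs/ca-certificates.crt to list the expired roots in the store the container's curl uses, or sh trust-audit.sh --server xxxxx.com to see the chain the server presents. openssl x509 -checkend N exits 1 when the certificate expires within N seconds, so a window of 0 means "expired now". deselect_cert only edits the conf file; update-ca-certificates still has to run afterwards, as in the answer, to rebuild /etc/ssl/certs and the ca-certificates.crt bundle.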