I'm running a Debian 10 server and I can't connect to other machines using Let's Enccrypt certificates anymore since LE's CA (DST Root CA X3) expired a few days ago:
root#> curl -I https://example.com
curl: (60) SSL certificate problem: certificate has expired
What I've done so far:
- I updated the
ca-certificatespackage - I installed
libgnutls-openssl27andlibgnutls30 - I ran the
update-ca-certificatescommand.
Still, the server is not able to establish a trusted connection to the target host. The LE certificate on the target host is fine, there are no SSL errors when I trigger curl from any other hosts.
How can I solve this problem and establish a trusted SSL connection? Any help would be highly appreciated, thanks in advance!
Disable "DST Root CA X3" the certificate on your server. Run:
On the first screen that prompts "Trust new certificates from certificate authorities?" choose "yes". On the next screen press the down arrow key on your keyboard until you find
mozilla/DST_Root_CA_X3.crt, press the space bar to deselect it (the[*]should turn into[ ]) and press Enter.The symlink CA certificate of the new Let's Encrypt CA was missing in
/etc/ssl/certsand it was commented out in/etc/ca-certificates.conf. I created it by running:Everything has been working fine since then. You can run
dpkg-reconfigure ca-certificatesto activate it as well.