2

I have two machines. One is running Fedora (30) and the other one is running Debian (buster).

When I run curl https://www.ultimate-guitar.com/ on the Fedora machine, I get the expected response. However, when I run that same command on the Debian machine, I get a curl: (60) SSL certificate problem: certificate has expired.

With -v flag on Debian:

    $ curl -v https://www.ultimate-guitar.com/
    * Trying 205.185.216.42...
    * TCP_NODELAY set
    * Connected to www.ultimate-guitar.com (205.185.216.42) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS alert, Server hello (2):
    * SSL certificate problem: certificate has expired
    * Curl_http_done: called premature == 1
    * stopped the pause stream!
    * Closing connection 0
    curl: (60) SSL certificate problem: certificate has expired
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

On that Debian machine I have almost no packages installed (manually) besides vim and docker btw.

I was thinking that maybe my openssl package or whatever needs an update, so I ran apt update and apt upgrade, but the problem didn't go away...

I can access other sites without issues from the Debian machine btw. For example: curl https://ultimate-guitar.com/ (without the www.) works fine.

One more interesting thing I found was a warning when checking the certificate using this website:

I have no idea what that means. I mean, seeing that I have no certificate issues from my Fedora machine, I can't make any sense of it.

Any help would be highly appreciated.

4
  • 2
    This has been a hot topic since 2020-05-30: check the reason/explanation here and here: support.sectigo.com/articles/Knowledge/…, support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ. Look also on SF and SU; similar questions are appearing there, e.g. superuser.com/questions/1556491/… Commented May 31, 2020 at 15:32
  • 1
    I had just resolved this exact same issue for my site. Chromium said my certificate was valid but Lynx didn't. The problem is that the intermediate certificate has expired, so you'll just have to download the new intermediate certificate from Sectigo and replace the old one your server sends. Commented May 31, 2020 at 18:00
  • @A.B Thank you, that was the issue. It's fixed now. Commented Jun 1, 2020 at 13:50
  • Could you add the steps you took to fix the issue as an answer to your own question? This would help other people better than my comment. Commented Jun 1, 2020 at 20:52

1 Answer

0

I managed to work around the issue by commenting out the AddTrust certificate.

I simply changed

mozilla/AddTrust_External_Root.crt

to

!mozilla/AddTrust_External_Root.crt

in /etc/ca-certificates.conf.

And then ran update-ca-certificates.

If update-ca-certificates is not available you might have to install the ca-certificates package:

apt-get update && apt-get install ca-certificates 
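
The edit described in the answer above, as an added example that is not part of the original answer: a POSIX shell function that deselects one entry in a ca-certificates.conf-style file, is safe to run twice, and keeps a backup. The function name `deselect_ca`, its return codes and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: deselect one CA in a ca-certificates.conf-style file.
# Format: '#' starts a comment, a leading '!' marks a deselected
# certificate, any other line is a selected certificate path.

# deselect_ca CONF ENTRY   (hypothetical helper, not a Debian tool)
#   0 = entry was selected and is now deselected (backup in CONF.bak)
#   1 = entry was already deselected, file untouched
#   2 = entry is not listed in CONF, file untouched (3 = backup failed)
deselect_ca() {
    conf=$1
    entry=$2
    # -F literal match, -x whole line: '.' in the path is not a wildcard
    if grep -Fxq -- "!$entry" "$conf"; then
        return 1
    fi
    if ! grep -Fxq -- "$entry" "$conf"; then
        return 2
    fi
    cp -p -- "$conf" "$conf.bak" || return 3
    # Rewrite from the backup so the original inode and mode are kept.
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' \
        "$conf.bak" > "$conf"
}

# Demo on a constructed sample file (not the real /etc file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample, same layout as /etc/ca-certificates.conf
mozilla/AddTrust_External_Root.crt
mozilla/Example_Other_Root.crt
EOF
for attempt in first second; do
    rc=0
    deselect_ca "$demo_conf" mozilla/AddTrust_External_Root.crt || rc=$?
    echo "$attempt run: rc=$rc"
done
cat "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
```

On the affected host, the function would be pointed at /etc/ca-certificates.conf as root and followed by update-ca-certificates, as in the answer.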
