When LetsEncrypt's ROOT certificate expired, I was unable to access it from an old OS.

PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in "executed program" on line 3 PHP Warning: file_get_contents(): Failed to enable crypto in "Executed program" on line 3 PHP Warning: file_get_contents(https://sites using LetsEncrypt certificate/): failed to open stream: operation failed in "Executed program" on line 3 bool(false )

The problem does not occur when using the curl command or the php curl function.

ldd /usr/bin/curl | grep ssl

ldd /usr/bin/wget | grep ssl

ldd /usr/bin/openssl | grep ssl

rpm -qf /usr/lib64/libssl3.so

rpm -qf /usr/lib64/libssl.so.10

Create rpm package from srpm

Obtaining openssl 1.0.2 srpm package from CentOS7 repository

cd /usr/local/src wget --no-check-certificate https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm rpm - i openssl-1.0.2k-21.el7_9.src.rpm

*A directory called rpmbuild is created under the home directory of the user who executed the rpm command, and the source code is extracted there, so move it there.

cd ~/rpmbuild

Modifying the SPEC file

*"%patch68" is an unnecessary process, so comment it out.

sed -i -e "s/%patch68/#%patch68/g" SPECS/openssl.spec

Modifying the patch file

*The glibc function called secure_getenv is not available in CentOS6, so replace it with getenv.

sed -i -e "s/secure_getenv/getenv/g" SOURCES/openssl-1.0.2a-env-zlib.patch sed -i -e "s/secure_getenv/getenv/g" SOURCES/openssl-1.0.2j-deprecate -algos.patch sed -i -e "s/secure_getenv/getenv/g" SOURCES/openssl-1.0.2a-fips-ctor.patch

build rpm package

*If the tools required for build are not installed, please install them before rpmbuild.

yum install rpm-build krb5-devel zkib-devel lksctp-tools-devel zlib-devel gcc rpmbuild -ba SPECS/openssl.spec

install rpm package

Install the required package (perl-WWW-Curl) as a dependency

yum install perl-WWW-Curl

Move to the directory where the rpm package was built and install it using the rpm command

cd RPMS/ rpm -Uvh openssl-*

Check if the version is updated properly

openssl version

Disabling DST Root CA X3 certificate

*If the DST Root CA

Update the OS root certificate

yum update ca-certificates

Enable the update-ca-trust function and update the root certificate once with the update-ca-trust command

update-ca-trust enable update-ca-trust

* Immediately after updating the root certificate with yum update ca-certificates, the OS's trusted root certificate (/pki/tls/certs/ca-bundle.crt) file contains not only the certificate content but also the issuer, expiration date, etc. The comment is now included.

There is no problem with the operation of the OS in this state, but if you run the update-ca-trust command without arguments, the OS's trusted root certificate will be organized into a file containing only the certificate contents and comments.
Be sure to run the following command to ensure that only the certificate part is extracted.

Extract only the "DST Root CA X3" certificate and save it as a file under /etc/pki/ca-trust/source/blacklist/

perl -e 'while(<>){last if $_ =~ m/DST Root CA X3/;}print $_;while(<>){last if length($_)==1;print $_} '</etc/pki/tls/certs/ca-bundle.crt > /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem

*It is okay if a file named /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem is created and the contents are as shown below. If that doesn't work, you can create the file manually.

#DST Root CA b290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhv cNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq 5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69 Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/ wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9Lww mglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdw vYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE------

Disable "DST Root CA X3" certificate

update-ca-trust extract

grep "DST Root CA X3" /etc/pki/tls/certs/ca-bundle.crt

*It is OK if nothing is displayed.

grep "ISRG Root X1" /etc/pki/tls/certs/ca-bundle.crt

*If # ISRG Root X1 is displayed, it is OK.

After updating, try running the program that caused the error and see if the problem is resolved.

If a service that provides SSL (such as Apache) is running on the server, we recommend restarting the service.