When LetsEncrypt's ROOT certificate expired, I was unable to access it from an old OS.
Unable to connect to some sites using HTTPS after October 1st?
Phenomenon that occurs
Causes and solutions by OS
For CentOS7, Amazon Linux, Amazon Linux2
yum -y update ca-certificates
CentOS6 and common errors
wget example
Sites using wget https://LetsEncrypt certificates
--2021-10-04 20:06:18-- https://Site using LetsEncrypt certificate/ Resolving Site using LetsEncrypt certificate... xx.xx.xx.xx Connecting to cLetsEncrypt's certificate |xx.xx.xx.xx|:443... connected. ERROR: cannot verify LetsEncrypt's certificate, issued by “/C =US/O=Let's Encrypt/CN=R3”: Issued certificate has expired. To connect to sites using LetsEncrypt certificate insecurely, use '--no-check-certificate'.
openssl command example
openssl s_client -connect Sites using LetsEncrypt certificates:443 -servername Sites using LetsEncrypt certificates < /dev/null
CONNECTED(00000003) ~Omitted~ Start Time: 1633378075 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) --- DONE
Example of a php program that communicates using the openssl library (probably libssl.so.10)
<?php $url = "https://LetsEncryptの証明書を利用しているサイト/"; $output = file_get_contents($url); var_dump($output);
PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in "executed program" on line 3 PHP Warning: file_get_contents(): Failed to enable crypto in "Executed program" on line 3 PHP Warning: file_get_contents(https://sites using LetsEncrypt certificate/): failed to open stream: operation failed in "Executed program" on line 3 bool(false )
The problem does not occur when using the curl command or the php curl function.
ldd /usr/bin/curl | grep ssl
libssl3.so => /usr/lib64/libssl3.so (0x00007f43fc44b000)
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f43fb1c5000)
ldd /usr/bin/wget | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f79a04c6000)
ldd /usr/bin/openssl | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f2872a3a000)
rpm -qf /usr/lib64/libssl3.so
nss-3.44.0-7.el6_10.x86_64
rpm -qf /usr/lib64/libssl.so.10
openssl-1.0.1e-58.el6_10.x86_64
In order to solve the problem
Steps to forcefully install openssl1.0.2 on CentOS6
Create rpm package from srpm
Obtaining openssl 1.0.2 srpm package from CentOS7 repository
cd /usr/local/src wget --no-check-certificate https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm rpm - i openssl-1.0.2k-21.el7_9.src.rpm
*A directory called rpmbuild is created under the home directory of the user who executed the rpm command, and the source code is extracted there, so move it there.
cd ~/rpmbuild
Modifying the SPEC file
*"%patch68" is an unnecessary process, so comment it out.
sed -i -e "s/%patch68/#%patch68/g" SPECS/openssl.spec
Modifying the patch file
*The glibc function called secure_getenv is not available in CentOS6, so replace it with getenv.
sed -i -e "s/secure_getenv/getenv/g" SOURCES/openssl-1.0.2a-env-zlib.patch sed -i -e "s/secure_getenv/getenv/g" SOURCES/openssl-1.0.2j-deprecate -algos.patch sed -i -e "s/secure_getenv/getenv/g" SOURCES/openssl-1.0.2a-fips-ctor.patch
build rpm package
*If the tools required for build are not installed, please install them before rpmbuild.
yum install rpm-build krb5-devel zkib-devel lksctp-tools-devel zlib-devel gcc rpmbuild -ba SPECS/openssl.spec
install rpm package
Install the required package (perl-WWW-Curl) as a dependency
yum install perl-WWW-Curl
Move to the directory where the rpm package was built and install it using the rpm command
cd RPMS/ rpm -Uvh openssl-*
Check if the version is updated properly
openssl version
*If it is 1.0.2k, it is a success.
Disabling DST Root CA X3 certificate
*If the DST Root CA
Update the OS root certificate
yum update ca-certificates
Enable the update-ca-trust function and update the root certificate once with the update-ca-trust command
update-ca-trust enable update-ca-trust
* Immediately after updating the root certificate with yum update ca-certificates, the OS's trusted root certificate (/pki/tls/certs/ca-bundle.crt) file contains not only the certificate content but also the issuer, expiration date, etc. The comment is now included.
There is no problem with the operation of the OS in this state, but if you run the update-ca-trust command without arguments, the OS's trusted root certificate will be organized into a file containing only the certificate contents and comments.
Be sure to run the following command to ensure that only the certificate part is extracted.
Extract only the "DST Root CA X3" certificate and save it as a file under /etc/pki/ca-trust/source/blacklist/
perl -e 'while(<>){last if $_ =~ m/DST Root CA X3/;}print $_;while(<>){last if length($_)==1;print $_} '</etc/pki/tls/certs/ca-bundle.crt > /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem
*It is okay if a file named /etc/pki/ca-trust/source/blacklist/DST_Root_CA_X3.pem is created and the contents are as shown below. If that doesn't work, you can create the file manually.
#DST Root CA b290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhv cNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq 5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69 Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/ wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9Lww mglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdw vYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE------
Disable "DST Root CA X3" certificate
update-ca-trust extract
grep "DST Root CA X3" /etc/pki/tls/certs/ca-bundle.crt
*It is OK if nothing is displayed.
grep "ISRG Root X1" /etc/pki/tls/certs/ca-bundle.crt
*If # ISRG Root X1 is displayed, it is OK.
After updating, try running the program that caused the error and see if the problem is resolved.
If a service that provides SSL (such as Apache) is running on the server, we recommend restarting the service.