Search code examples
sslcurlwget

Wget and Curl stopped working with HTTPS. Wrongly complain about an expired certificate

I have a script that runs every day on an Ubuntu 14.04 server. The script is a simple wget command that downloads a file from a remote server and saves it to the local file system:

wget https://example.com/resources/scripts/myfile.php -O myfile.php

It has worked fine for months until this morning when suddenly when I run it I get:

--2020-05-30 11:57:16--  https://example.com/resources/scripts/myfile.php
Resolving example.com (example.com)... xx.xx.xx.xx
Connecting to example.com (example.com)|xx.xx.xx.xx|:443... connected.
ERROR: cannot verify example.com's certificate, issued by ‘/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA’:
  Issued certificate has expired.
To connect to example.com insecurely, use `--no-check-certificate'.

The SSL for the domain is valid and expires in Jan. 2022. Nothing has changed on that front. And yet somehow wget no longer sees that.

Here is another interesting fact. If I run this same exact command on an Ubuntu 18 box, it works like a charm without any complaints. This tells me something is wrong with my Ubuntu 14.04 machine.

Curl produces the same error:

curl https://example.com
curl: (60) SSL certificate problem: certificate has expired

This post suggest that the certificate bundle is out of date. I have downloaded the suggested PEM file and tried running wget with by specifying the --ca-certificate=cacert.pem option, but to no avail.

I have also tried running: apt install ca-certificates and update-ca-certificates, but that did not work either.

Again, everything works great on an Ubuntu 18 box, but not Ubuntu 14 or 16. Also why did it work fine until this morning when I know nobody has touched the box? Clearly something is out of date, but I can't seem to figure out how to fix it.

Does anybody have any suggestions?

Solution

  • https://askubuntu.com/questions/440580/how-does-one-remove-a-certificate-authoritys-certificate-from-a-system

    Like the original poster the method of editing ca-certificates.conf did not work for me on Ubuntu 14.04. What did work:

    1. Run sudo dpkg-reconfigure ca-certificates

    2. Deselect the problem CA: AddTrust_External_Root

    3. Press OK

    My understanding is that deletes the expired CA of AddTrust_External_Root and the newer CA USERTrust_RSA_Certification_Authority is used instead.