
LetsEncrypt Certificate invalid/expired when seemingly not in PHPMailer, TLS, Openssl, file_get_contents, Sep 30 2021


I had a problem with PHPMailer suddenly saying my certificate had expired and refusing to connect properly to port 587 with TLS encryption, from Oct 1 2021.

Changing the ssl flags to not verify_peer and not verify_peer_name will temporarily fix the email issue.

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ),
);

But it's not an ideal solution.

If I go to the same server via port 80 on the web, there is nothing wrong with the certificate.

If I connect with OpenSSL command line it says the certificate expired on Sep 30 2021.

This problem also appears under the php command file_get_contents.

NOTE: This issue is PHPMailer and email specific and provides good information about PHPMailer; it should not be closed. It has nothing to do with Docker or the other question it's associated with, other than the cause and fix being similar.


Solution

  • The issue here is a real expired authority cert embedded in the LetsEncrypt chain which really DID expire on Sep 30 2021.

    From the openssl blog ... The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

    Read more here ... https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

    It mainly affects OpenSSL 1.0.2. On my Mac with OpenSSL 1.1.1 I did not have the issue.

    CentOS, and I'm sure others, have provided fixes to this issue ...

    Backup

    cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup

    Add certificate to blacklist directory

    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem

    Update root store

    sudo update-ca-trust extract

    Verify removal

    diff ~/ca-bundle.crt-backup /etc/pki/tls/certs/ca-bundle.crt

    The CentOS specific steps above are from this post ... https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4#:~:text=So%2C%20DST%20Root%20CA%20X3%20needs%20to%20be,The%20manual%20steps%20below%20are%20no%20longer%20necessary.

    This is quite a crazy issue that appeared out of nowhere (unless you follow the OpenSSL blog).

    It took me approximately 1 day to track down, all the while no emails were being sent and large pieces of the web site were not appearing.

    Hope this points people in the right direction.

    UPDATE: As pointed out by @hakre you may be able to get away with just ...

    yum upgrade ca-certificates
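Added example (not from the original post or the PHPMailer project): a shell script that extends the "Verify removal" step above by listing every certificate in a PEM bundle with its expiry date, flagging expired entries, and reporting whether the DST Root CA X3 root is still present. It assumes the openssl CLI is on PATH and takes the bundle path (for example /etc/pki/tls/certs/ca-bundle.crt from the post) as its argument.

```shell
#!/bin/sh
# Added example: audit a PEM CA bundle for expired certificates such as
# DST Root CA X3, instead of disabling verify_peer in PHPMailer.
# Assumption: the `openssl` command-line tool is installed and on PATH.

# Print one line per certificate: "<valid|EXPIRED> <subject>  (<notAfter>)".
scan_bundle() {
    bundle="$1"
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate; text between
    # certificates (comments in ca-bundle.crt) is skipped.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
    ' "$bundle"
    for f in "$tmpdir"/cert-*.pem; do
        [ -e "$f" ] || break
        subject=$(openssl x509 -in "$f" -noout -subject)
        notafter=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero when the certificate is already expired
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            status="valid"
        else
            status="EXPIRED"
        fi
        printf '%-8s %s  (%s)\n' "$status" "$subject" "$notafter"
    done
    rm -rf "$tmpdir"
}

# Echo the number of expired certificates in the bundle.
count_expired() {
    scan_bundle "$1" | awk '$1 == "EXPIRED" { c++ } END { print c + 0 }'
}

# Succeed (exit 0) if the DST Root CA X3 certificate is still in the bundle,
# i.e. the blacklist/update-ca-trust steps above have not taken effect.
has_dst_root_x3() {
    scan_bundle "$1" | grep -q 'DST Root CA X3'
}

if [ -n "$1" ]; then
    scan_bundle "$1"
    echo "expired certificates: $(count_expired "$1")"
    if has_dst_root_x3 "$1"; then
        echo "WARNING: DST Root CA X3 is still present in $1"
    fi
fi
```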