Let’s Encrypt certificate expired.
I was very frustrated yesterday when using Alpine Linux (v3.6.5). I have an app (built with PHP) running in an Alpine Docker image. One feature of the app fetches some data by calling an API endpoint with curl, but it didn’t work. curl returned an empty response, something like this:
I then tried to debug the curl call by using the curl_error() function.
After adding that code, I ran the app again. This time curl returned an error. The response was: SSL certificate problem: certificate has expired.
I was a bit confused here. I was fairly sure the SSL certificate on my API endpoint had not expired yet. To confirm that, I checked the endpoint with an online tool (SSL checker) at https://www.sslshopper.com/ssl-checker.html.
As you can see above, the certificate will expire in 64 days, so it is still valid for the next 64 days and there is no issue with the SSL certificate on my API endpoint.
I searched the internet for a solution and found two possible causes:
The first link (the official Let’s Encrypt website) said that DST Root CA X3 expired in September 2021 (it is now 2023). The second link said that you have to remove DST Root CA X3 from your Alpine image.
Based on those links, I tried following the instructions (remove DST Root CA X3 from Alpine).
Here are the steps I tried:
Open your Alpine container and open ca-certificates.conf:
vi /etc/ca-certificates.conf
Scroll down, find mozilla/DST_Root_CA_X3.crt, comment it out and save:
#mozilla/DST_Root_CA_X3.crt
Then update the CA certificates:
update-ca-certificates
If you get a warning like this, just ignore it:
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
Now reload your web server (I am using Apache here):
httpd -k stop
httpd -k start
If you run the container in the background (detached mode), you may also need to restart the container first:
docker restart <your container name>
Run the app again; curl now gets a response.
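The manual steps above as an added shell script, not part of the original post: it comments out the DST Root CA X3 entry in ca-certificates.conf (idempotently, keeping a backup), rebuilds the bundle with update-ca-certificates, and then scans the rebuilt bundle for any expired certificate, which goes a little beyond the single case in the post. It assumes the Alpine paths /etc/ca-certificates.conf and /etc/ssl/certs/ca-certificates.crt (overridable with CONF and BUNDLE) and openssl for the expiry scan; note that newer ca-certificates packages already omit this root, so upgrading the image is the cleaner fix where that is possible.

```shell
#!/bin/sh
# Added example, not from the original post: disable the expired DST Root CA X3 in
# Alpine's ca-certificates.conf (the manual steps above), rebuild the trust bundle,
# and report any expired certificates still in it. Assumed paths: Alpine defaults.
set -eu
CONF="${CONF:-/etc/ca-certificates.conf}"
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
ENTRY="mozilla/DST_Root_CA_X3.crt"
# Returns 0 if the entry is absent or already commented out, 1 if still active.
dst_root_disabled() {
    ! grep -q "^${ENTRY}\$" "$1"
}

# Comments out the active entry (idempotent) and keeps a .bak copy for rollback.
disable_dst_root() {
    conf="$1"
    if dst_root_disabled "$conf"; then
        echo "$ENTRY already disabled in $conf"
        return 0
    fi
    cp "$conf" "$conf.bak"
    sed "s|^${ENTRY}\$|#${ENTRY}|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "commented out $ENTRY in $conf (backup: $conf.bak)"
}

# Lists expired certificates in a PEM bundle (needs openssl); returns 1 if any.
expired_in_bundle() {
    bundle="$1"; n=0; cert=""
    while IFS= read -r line; do
        cert="${cert}${line}
"
        if [ "$line" = "-----END CERTIFICATE-----" ]; then
            if ! printf '%s' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
                printf '%s' "$cert" | openssl x509 -noout -subject -enddate
                n=$((n + 1))
            fi
            cert=""
        fi
    done < "$bundle"
    echo "$n expired certificate(s) in $bundle"
    [ "$n" -eq 0 ]
}

# Touches the live system only when asked; the functions are safe to test on a copy.
if [ "${1:-}" = "--apply" ]; then
    disable_dst_root "$CONF"
    update-ca-certificates  # the "does not contain exactly one certificate" warning is harmless
    expired_in_bundle "$BUNDLE"
    echo "now restart the web server (httpd -k stop; httpd -k start) or the container"
fi
```

Run it inside the container as `sh fix-dst-root.sh --apply`; without `--apply` it only defines the functions.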
Conclusion
The issue is in your Alpine Docker image. You have to remove DST_Root_CA_X3.crt from ca-certificates.conf, because that root certificate expired in September 2021. After removing it, restart the web server and the container, and it will work fine.