
Let’s Encrypt issue in alpine linux – SSL certificate problem: certificate has expired, How to fix it?

[Image: Let's Encrypt certificate expired]

I was very frustrated yesterday while using Alpine Linux (v3.6.5). I have a PHP app running in an Alpine-based Docker image. One feature in the app fetches data by calling an API endpoint with curl, but it didn't work: curl gave me an empty response, something like this:

I then tried to debug the curl call using the curl_error() function.

[Image: Let's Encrypt certificate expired]

After adding that code, I ran the app again. This time curl finally returned an error: SSL certificate problem: certificate has expired.

That confused me a little more, because I was sure the SSL certificate on my API endpoint had not expired yet. To prove that the endpoint's certificate was still valid, I checked it with an online SSL checker at https://www.sslshopper.com/ssl-checker.html.

[Image: Let's Encrypt certificate expired]

As you can see above, the certificate expires in 64 days, so it is still valid for the next 64 days and there is no issue with the SSL certificate on my API endpoint.


I searched the internet for a solution and found two possible causes:

  1. DST Root CA X3 Expiration (September 2021)
  2. Alpine linux issue

The first link (Let's Encrypt's official website) says that DST Root CA X3 expired in September 2021 (it is now 2023). The second link says you have to remove the DST Root CA X3 that exists in your Alpine image.

Based on those links, I followed the instructions to remove DST Root CA X3 in Alpine.

Here are the steps I tried:

Open a shell in your Alpine container and open ca-certificates.conf:

vi /etc/ca-certificates.conf

Scroll down, find mozilla/DST_Root_CA_X3.crt, comment it out and save:

#mozilla/DST_Root_CA_X3.crt

Then update the CA certificates:

update-ca-certificates

If you get a warning like this, just ignore it:

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

Now reload your web server (I am using Apache here):

httpd -k stop
httpd -k start

If the container runs in the background (detached mode), you may also need to restart it first:
</gml_replace>
<gr_replace lines="56" cat="reformat" orig="docker restart">
docker restart <your container name>

docker restart <your container name> 

Run the app again; curl now returns a response.
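The manual edit from the steps above, as an added shell helper that is not part of the original post: it comments out the DST Root CA X3 entry in ca-certificates.conf idempotently (so re-running it in a Dockerfile is safe), reports how many roots stay enabled, and only rebuilds the bundle when APPLY=1. The APPLY variable, the function names and the sample file in the test are assumptions; the file path and entry name are the ones the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the Alpine/Debian
# ca-certificates.conf format: one "dir/File.crt" per line, "#" disables it.
CA_CONF="${CA_CONF:-/etc/ca-certificates.conf}"
DST_ENTRY="mozilla/DST_Root_CA_X3.crt"

# disable_ca_entry CONF ENTRY
# Prints "disabled", "already-disabled" or "absent". Exit status 0 means the
# entry is no longer active; 1 means it was never listed in CONF.
disable_ca_entry() {
    conf="$1"; entry="$2"
    if grep -qx "$entry" "$conf"; then
        # Match the whole line so similarly named roots are left untouched.
        sed -i "s|^$entry\$|#$entry|" "$conf"
        echo "disabled"
    elif grep -qx "#$entry" "$conf"; then
        echo "already-disabled"
    else
        echo "absent"
        return 1
    fi
}

# count_active_entries CONF: roots still enabled, a sanity check before
# update-ca-certificates rewrites /etc/ssl/certs/ca-certificates.crt.
count_active_entries() {
    grep -c '^[^#]' "$1"
}

# Only touch the real system file when explicitly asked (APPLY=1 is assumed).
if [ "${APPLY:-0}" = "1" ]; then
    disable_ca_entry "$CA_CONF" "$DST_ENTRY"
    echo "active roots: $(count_active_entries "$CA_CONF")"
    update-ca-certificates
fi
```

Dropping the expired root is a workaround that lets an older TLS library build a chain to a still-valid root; upgrading ca-certificates and the TLS library on a supported Alpine release is the durable fix.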


Conclusion

The issue is in your Alpine Docker image. You have to remove DST_Root_CA_X3.crt from ca-certificates.conf, because that root expired in September 2021. After removing it, restart the web server and the container, and it will work fine.


Ambar Hasbiyatmoko

Hello, I'm a web developer. Passionate about programming, web servers, and networking.
