wget: “Issued certificate has expired” after September 30, 2021

Two websites that I download data from using automated processes stopped giving me new data from October 1. When I investigated the problem, I could see an error message from the wget program in Linux:

Connecting to SOME.HOSTNAME (SOME.HOSTNAME)|1.2.3.4|:443… connected.
ERROR: cannot verify SOME.HOSTNAME’s certificate, issued by ‘/C=US/O=Let’s Encrypt/CN=R3’:
Issued certificate has expired.
To connect to SOME.HOSTNAME insecurely, use `–no-check-certificate’.

The quick fix, obviously, was to add the –no-check-certificat to the command line, which allows the download to go ahead, but what’s the root cause? My assumption was that the site owner had let an SSL certificate expire, but after it happened with a second site from the same date, I got suspicious. It turns out, Let’s Encrypt which is used by many websites for free encryption certificates previously had a certificate that expired on September 30 and which has been replaced by a new certificate but many pieces of software don’t retrieve the new certificate. That’s because it’s signed with a new root certificate that a lot of older software don’t trust yet. They need an updated of the root certificate store.
In my case, running

sudo yum update

would update the ca-certificates package and that allowed wget to trust the new certificate.
Please see these links for more information:

3 thoughts on “wget: “Issued certificate has expired” after September 30, 2021

  1. Hi Joe,
    I had the exact same issue and hat to remove the DST_Root_CA_X3.pem altough the new ISRG Root X1 was already there. Even if you would obtain a new LE-Certificate today the “old” chain with the outdated DST included is delivered as “fullchain”.

    My SSL-Cert-Check-Tool is not clever enough to check alternative routes if the last certificate in the Chain (DST Root) is outdated. To force the tool to use the ISRG Root instead I head to remove the DST completely in my Client via (sudo) dpkg-reconfigure ca-certificates.

Leave a Reply

Your email address will not be published. Required fields are marked *