Two websites that I download data from using automated processes stopped giving me new data from October 1. When I investigated the problem, I could see an error message from the wget program in Linux:
Connecting to SOME.HOSTNAME (SOME.HOSTNAME)|22.214.171.124|:443... connected.
ERROR: cannot verify SOME.HOSTNAME’s certificate, issued by ‘/C=US/O=Let’s Encrypt/CN=R3’:
Issued certificate has expired.
To connect to SOME.HOSTNAME insecurely, use `--no-check-certificate'.
The quick fix, obviously, was to add --no-check-certificate to the command line, which allows the download to go ahead, but what’s the root cause? My assumption was that the site owner had let an SSL certificate expire, but after it happened with a second site from the same date, I got suspicious. It turns out that Let’s Encrypt, which is used by many websites for free encryption certificates, previously had a certificate that expired on September 30. It has been replaced by a new certificate, but many pieces of software don’t retrieve the new certificate. That’s because it’s signed with a new root certificate that a lot of older software doesn’t trust yet. They need an update of the root certificate store.
In my case, running
sudo yum update
would update the ca-certificates package and that allowed wget to trust the new certificate.
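One way to confirm that the root store is the problem, and that the update fixed it, is to list the roots Python's ssl module loads from the system store and check their expiry dates. This is an added example, not part of the original post. The root names DST Root CA X3 and ISRG Root X1 come from Let’s Encrypt's published chain rather than from this post, and the sample records are constructed.

```python
import ssl
import time

def common_name(name):
    """Pull commonName out of the nested-tuple name format the ssl module uses."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit_roots(certs, wanted_cn, now=None):
    """Return (expired_names, wanted_present) for get_ca_certs()-style dicts.

    wanted_present is True only if a root named wanted_cn exists and is
    still inside its validity period.
    """
    now = time.time() if now is None else now
    expired, wanted_present = [], False
    for cert in certs:
        cn = common_name(cert.get("subject", ())) or "<no CN>"
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(cn)
        elif cn == wanted_cn:
            wanted_present = True
    return sorted(expired), wanted_present

def load_system_roots():
    """Roots from the default trust store.

    Only certificates loaded from a bundle file are listed; stores that use
    a hashed directory (capath) load lazily and may return an empty list.
    """
    return ssl.create_default_context().get_ca_certs()

# Constructed sample records in the get_ca_certs() format (not real store output).
SAMPLE_OLD_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]
SAMPLE_UPDATED_STORE = SAMPLE_OLD_STORE + [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    expired, ok = audit_roots(load_system_roots(), "ISRG Root X1")
    print("expired roots:", expired)
    print("ISRG Root X1 trusted:", ok)
```

Run it before and after the ca-certificates update; a store that still needs the update reports the new root as not trusted.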
Please see these links for more information:
- Sept. 30, 2021: Will we see trouble with old Let’s Encrypt certificates? (Born’s Tech and Windows World)
- Certificate Compatibility (Let’s Encrypt)