My website uses a Let's Encrypt cert that works fine using a web browser. When retrieving a file from my website via wget/curl I receive a warning that the SSL cert has expired. So I have created a simple script to check my SSL cert on my side:
[root]# cat certinfo.sh
nslookup $1
(openssl s_client -showcerts -servername $1 -connect $1:443 <<< "Q" | openssl x509 -text | grep -iA2 "Validity")
I then run the script against my site:
[root]# ./certinfo.sh files.mysite.io
Server: 172.31.254.4
Address: 172.31.254.4#53
Non-authoritative answer:
Name: files.mysite.io
Address: 52.204.19.216
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
DONE
Validity
Not Before: Dec 1 04:00:19 2021 GMT
Not After : Mar 1 04:00:18 2022 GMT
What exactly is going on here? Today (Dec 14 2021) is in the range of the certificate validity as shown above. Yet there is a "notAfter" setting that has expired. I can't find that "notAfter" in my certificate or in the intermediate certificates.
Where is this coming from, and how do I fix it?
CodePudding user response:
Dave is correct, and as it's a server issue, the best option would be changing your certificate on the server: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
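Added example, not part of the original posts: a small shell filter that ties each "verify error" line in openssl s_client diagnostics to the chain depth and subject it was reported for, which shows that the expired notAfter in the question belongs to the depth=3 certificate and not to the site's own. The function names are hypothetical, and the sample lines beyond the three quoted in the question are constructed.

```shell
#!/bin/sh
# Added example: attribute s_client "verify error" lines to a chain element.

# Reads s_client diagnostics on stdin and prints one line per verify error:
#   depth <TAB> subject <TAB> error text <TAB> notAfter (or "-" if absent)
chain_verify_errors() {
  awk '
    function emit() {
      if (err != "")
        printf "%s\t%s\t%s\t%s\n", depth, subject, err, (na == "" ? "-" : na)
      err = ""
      na = ""
    }
    /^depth=[0-9]+ / {
      emit()                                   # close any pending error
      depth = $1
      sub(/^depth=/, "", depth)
      subject = $0
      sub(/^depth=[0-9]+ /, "", subject)
      next
    }
    /^verify error:num=[0-9]+:/ {
      emit()
      err = $0
      sub(/^verify error:num=[0-9]+:/, "", err)
      next
    }
    /^notAfter=/ {
      if (err != "") {                         # only meaningful after an error
        na = $0
        sub(/^notAfter=/, "", na)
      }
      next
    }
    END { emit() }
  '
}

# Constructed sample: the first three lines are those quoted in the question,
# the remaining lines are constructed to complete a typical chain.
sample_output() {
  cat <<'EOF'
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = files.mysite.io
verify return:1
EOF
}

sample_output | chain_verify_errors
```

To run it against a live host, pipe the s_client command from the question into chain_verify_errors with 2>&1 added, because the verify diagnostics are written to stderr.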