Curl SSL error certificate has expired
SSL certificate problem: certificate has expired
TLS certificates contain two dates: they are not valid before the start date and not valid after the expiry date, and verification will fail if the time/date on the client is outside of that time range.
That can have two reasons: the certificate is actually expired, or the clock on your client is off by a big margin.
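The two causes can be told apart by comparing the certificate's validity window with the failing client's clock and with a clock you trust. This is an added example, not part of the original page: the certificate dates are constructed, and the function names and the trusted reference clock are assumptions.

```python
import ssl
from calendar import timegm

# Constructed sample: `openssl x509 -noout -dates` output for a made-up certificate.
SAMPLE_DATES = """notBefore=Oct  2 07:22:33 2018 GMT
notAfter=Dec 31 07:22:33 2018 GMT
"""


def utc(year, month, day):
    """Epoch seconds for midnight UTC on the given date."""
    return timegm((year, month, day, 0, 0, 0))


def parse_dates(text):
    """Return (not_before, not_after) in epoch seconds from `-dates` output."""
    fields = dict(line.strip().split("=", 1)
                  for line in text.splitlines() if "=" in line)
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))


def diagnose(dates_text, client_now, reference_now):
    """Classify a date-related verification failure.

    client_now    -- epoch seconds on the machine where verification fails
    reference_now -- epoch seconds from a clock you trust (assumption: for
                     example a second machine where the connection works)
    Returns (verdict, client clock skew in seconds).
    """
    not_before, not_after = parse_dates(dates_text)
    skew = client_now - reference_now

    def in_window(t):
        return not_before <= t <= not_after

    if in_window(client_now):
        # This client sees valid dates on this certificate, so the cause lies
        # elsewhere, e.g. another certificate in the chain or the trust store.
        verdict = "dates-ok-check-chain"
    elif in_window(reference_now):
        # Valid by the trusted clock, invalid by ours: our clock is wrong.
        verdict = "client-clock-wrong"
    elif reference_now > not_after:
        verdict = "certificate-expired"
    else:
        verdict = "certificate-not-yet-valid"
    return verdict, skew
```

On the failing machine, `client_now` would come from `date -u +%s` and the dates text from piping `openssl s_client -connect yourserver:443` into `openssl x509 -noout -dates`.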
Phan Cường
Updated on September 18, 2022
Comments
-
Phan Cường over 1 year
I'm using Python to get a result from an API URL, but this happened:
    Traceback (most recent call last):
      File "grafana-utils.py", line 95, in <module>
        grafana_backup_all()
      File "/home/trobz/.local/lib/python2.7/site-packages/click/core.py", line 700, in __call__
        return self.main(*args, **kwargs)
      File "/home/trobz/.local/lib/python2.7/site-packages/click/core.py", line 680, in main
        rv = self.invoke(ctx)
      File "/home/trobz/.local/lib/python2.7/site-packages/click/core.py", line 873, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/home/trobz/.local/lib/python2.7/site-packages/click/core.py", line 508, in invoke
        return callback(*args, **kwargs)
      File "grafana-utils.py", line 56, in grafana_backup_all
        data = json.loads(api_grafana_get_data(host, key))
      File "grafana-utils.py", line 15, in api_grafana_get_data
        data = requests.get( host + '/api/search', headers=key).text
      File "/home/trobz/.local/lib/python2.7/site-packages/requests/api.py", line 72, in get
        return request('get', url, params=params, **kwargs)
      File "/home/trobz/.local/lib/python2.7/site-packages/requests/api.py", line 58, in request
        return session.request(method=method, url=url, **kwargs)
      File "/home/trobz/.local/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
        resp = self.send(prep, **send_kwargs)
      File "/home/trobz/.local/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
        r = adapter.send(request, **kwargs)
      File "/home/trobz/.local/lib/python2.7/site-packages/requests/adapters.py", line 511, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='grafana.trobz.com', port=443): Max retries exceeded with url: /api/search (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Curl has the same issue:
    curl: (60) SSL certificate problem: certificate has expired
    More details here: https://curl.haxx.se/docs/sslcerts.html
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
I had a look at https://curl.haxx.se/docs/sslcerts.html but still don't understand how to solve this issue.
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 3208 bytes and written 295 bytes
    Verification error: certificate has expired
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: D84D38798779A0009ED548D3C05188D46793E9BCEF4F79DA65C47CF27110282F
        Session-ID-ctx:
        Master-Key: 5F60F42E744D123FB51B271E347C9B6690F4E13D4A0D2634D9468B427D5A6C2A6D6DCB855BE2561EF34477A40190890B
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1541057942
        Timeout : 7200 (sec)
        Verify return code: 10 (certificate has expired)
        Extended master secret: yes
    ---
    closed
I don't understand why this issue only happens with this machine; on my local machine it works well connecting to the host.
Some people tell me to use curl -k host, but I don't like that because it is insecure.
One more thing: I'm sure the server is OK, so the problem looks like it comes from the machine.
Server here:
    Resolves to grafana.trobz.com
    Expiration date Dec 31, 2018
    Vendor signed Yes
    Hostname Matches
    Key length 2048
    Server type nginx
    Common name *.trobz.com
    SAN *.trobz.com, trobz.com
    Organization Let's Encrypt
    Common name Let's Encrypt Authority X3 Let's Encrypt Authority X3
    Serial number 03:1b:2d:bb:65:5d:b4:b2:70:c3:18:45:0a:ea:db:05:62:48
    Signature algorithm sha256WithRSAEncryption
    Fingerprint (SHA-1) A35C6987779070AB273471A0E2FA55AB87621822
    Fingerprint (MD5) A4BBF42BED757F638CB273095102E807
Could anyone help, please?
-
Tux_DEV_NULL over 5 years
Can you check if the server is configured right? You might try the openssl tool.
openssl s_client -showcerts -connect yourserver:443
Maybe some intermediate certs are missing? It might be an issue with the certificate chain. Maybe the issuer's root certificates need to exist in your system.
-
Michael Hampton over 5 years
Your client machine has a wrong date in the system clock.
-