cURL Error 60 – DST Root CA X3 Expiry Breaks HTTPS on Ubuntu 14
On Ubuntu 14 (end-of-life) servers, all HTTPS requests to Let's Encrypt-secured sites fail with cURL error 60 ('SSL certificate problem: certificate has expired') because the DST Root CA X3 root certificate expired on 30 September 2021 and remains trusted in the local CA store. The remote certificates are valid; the fault lies entirely in the outdated local trust store. The fix is to deselect mozilla/DST_Root_CA_X3.crt via dpkg-reconfigure ca-certificates, which removes the expired root from the trusted set.
Indicators
- curl: (60) SSL certificate problem: certificate has expired on requests to Let's Encrypt-secured sites
- All HTTPS connections to Let's Encrypt sites fail simultaneously with no change to remote certificates
- openssl s_client confirms the remote certificate chain is valid and unexpired
- Issue is isolated to Ubuntu 14 hosts; other OS versions are unaffected
- Error appears suddenly with no modifications made to the target servers or their certificates
- DST_Root_CA_X3.pem or mozilla/DST_Root_CA_X3.crt present in /etc/ssl/certs with expiry of 30 Sep 2021
Likely causes
- DST Root CA X3 root certificate expired on 30 September 2021 and remains in the Ubuntu 14 local CA trust store
- Ubuntu 14.04 reached end-of-life and no longer receives ca-certificates package updates that would remove expired roots
- Let's Encrypt certificate chains include a cross-signature from DST Root CA X3; older OpenSSL versions prefer the expired cross-signed path over the valid ISRG Root X1 path
- No automated CA trust store maintenance or monitoring in place for EOL hosts
Diagnostic steps
- Reproduce the error: run 'curl -v https://website.com' and confirm error 60 with the message 'SSL certificate problem: certificate has expired'.
- Verify the remote certificate chain is valid: run 'echo -n | openssl s_client -showcerts -connect website.com:443 -servername website.com' and confirm the server's certificate and intermediates are within their validity period.
- Locate DST Root CA X3 in the local trust store: check for '/etc/ssl/certs/DST_Root_CA_X3.pem' or list entries with 'ls /etc/ssl/certs/ | grep -i DST'.
- Confirm the expiry date of the local DST Root CA X3 certificate: run 'openssl x509 -in /etc/ssl/certs/DST_Root_CA_X3.pem -noout -dates'. Expect 'notAfter=Sep 30 14:01:15 2021 GMT', confirming this root is the cause.
- Cross-check the ca-certificates configuration file to confirm DST_Root_CA_X3.crt is marked as trusted: run 'grep -i DST /etc/ca-certificates.conf'.
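The diagnostic steps above boil down to one question: which roots in the local store are already past their notAfter date? The following script is an added example (not part of this runbook) that answers it for any trust-store directory and generalises the check with an expiry window, so the same function flags roots that are about to expire. It assumes the openssl CLI is installed; the directory and window are parameters, and the usage lines at the end are comments so the file runs without side effects.

```shell
#!/bin/sh
# Added example, not part of the original runbook: audit a directory of PEM
# certificates for roots that are already expired (window 0) or that expire
# within a window of seconds. On an affected Ubuntu 14 host, running it against
# /etc/ssl/certs with window 0 lists DST_Root_CA_X3.pem. Assumes the openssl
# CLI is installed; DIR and SECONDS are parameters, not fixed paths.

# cert_expires_within FILE SECONDS
#   exit 0: the certificate expires within SECONDS (already expired when 0)
#   exit 1: it stays valid for at least SECONDS more
#   exit 2: FILE is not a parsable X.509 certificate
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert will NOT expire within the window
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# audit_trust_store DIR [SECONDS]
#   prints "subject | notAfter | file" for every cert in DIR expiring within
#   SECONDS (default 0); exit 0 if none, 1 if at least one was reported
audit_trust_store() {
    dir=$1; window=${2:-0}; found=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue          # no .pem files at all
        rc=0; cert_expires_within "$f" "$window" || rc=$?
        case $rc in
            0)
                found=1
                printf '%s | %s | %s\n' \
                    "$(openssl x509 -in "$f" -noout -subject)" \
                    "$(openssl x509 -in "$f" -noout -enddate)" \
                    "$f"
                ;;
            2)
                printf 'skipped (not a certificate): %s\n' "$f" >&2
                ;;
        esac
    done
    return $found
}

# Usage on a real host: roots already expired, then roots expiring within 90 days
#   audit_trust_store /etc/ssl/certs 0
#   audit_trust_store /etc/ssl/certs $((90 * 24 * 3600))
```

A non-zero exit from audit_trust_store makes it usable directly as a cron or monitoring probe on the EOL hosts described above: run it with a window of a few weeks and alert on exit status 1 before another root ages out.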
Resolution path
- Run: sudo dpkg-reconfigure ca-certificates
- At the first prompt 'Trust new certificates from certificate authorities?' select 'yes' and press Enter.
- On the certificate selection list, use the down arrow key to navigate to 'mozilla/DST_Root_CA_X3.crt'.
- Press the space bar to deselect it, changing [*] to [ ].
- Press Enter/Tab to select OK and apply the changes. The update-ca-certificates script will run automatically and remove the expired root.
- Verify the fix: run 'curl https://website.com' and confirm the request succeeds with no SSL error.
- Optionally confirm the certificate is no longer in the active bundle: run 'ls /etc/ssl/certs/ | grep -i DST_Root_CA_X3'. The DST_Root_CA_X3.pem symlink should be absent (grep -r on the directory would search file contents, not names, and the PEM bundle does not carry certificate names).
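The interactive dpkg-reconfigure walk-through above does two things under the hood: it prefixes the entry 'mozilla/DST_Root_CA_X3.crt' in /etc/ca-certificates.conf with '!' (the deselect marker documented in update-ca-certificates(8)) and then runs update-ca-certificates to rebuild /etc/ssl/certs. The script below is an added example, not part of this runbook, that performs the same change non-interactively so it can be pushed to a fleet of EOL hosts. It assumes the Debian/Ubuntu ca-certificates layout; the config path and bundle directory are parameters, the real-host run is behind a '--apply' flag, and website.com is the runbook's placeholder host.

```shell
#!/bin/sh
# Added example, not from the original runbook: scripted equivalent of
# deselecting mozilla/DST_Root_CA_X3.crt with dpkg-reconfigure ca-certificates.
# Assumes the Debian/Ubuntu layout: /etc/ca-certificates.conf lists one trusted
# cert per line and a line prefixed with '!' is deselected; update-ca-certificates
# then drops the matching symlink from /etc/ssl/certs and rebuilds the bundle.

EXPIRED_ROOT="mozilla/DST_Root_CA_X3.crt"

# root_is_trusted CONF NAME -> exit 0 if NAME appears as an un-negated line in CONF
root_is_trusted() {
    grep -qxF "$2" "$1"
}

# deselect_root CONF NAME -> prefix NAME's line with '!'; idempotent; prints
# "changed" or "unchanged" so the caller knows whether to rebuild the bundle
deselect_root() {
    conf=$1; name=$2
    if ! root_is_trusted "$conf" "$name"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v n="$name" '$0 == n { print "!" n; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"        # write in place to keep owner/permissions
    rm -f "$tmp"
    echo changed
}

# bundle_has_root BUNDLE_DIR NAME -> exit 0 if the generated directory still
# carries the root's .pem symlink, i.e. the rebuild did not remove it
bundle_has_root() {
    base=$(basename "$2" .crt)
    [ -e "$1/$base.pem" ]
}

# Real-host usage (needs root):  sh fix_dst_root.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if [ "$(deselect_root /etc/ca-certificates.conf "$EXPIRED_ROOT")" = changed ]; then
        update-ca-certificates         # rebuilds /etc/ssl/certs and the bundle
    fi
    if bundle_has_root /etc/ssl/certs "$EXPIRED_ROOT"; then
        echo "DST Root CA X3 still present in /etc/ssl/certs" >&2
        exit 1
    fi
    # website.com is the runbook's placeholder; substitute a Let's Encrypt host
    curl -sS -o /dev/null https://website.com && echo "HTTPS OK"
fi
```

Because deselect_root reports whether it changed anything, a configuration-management run can call it repeatedly and only trigger the (comparatively slow) bundle rebuild on hosts that still trusted the expired root.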
Prevention
- Upgrade Ubuntu 14.04 hosts to a supported LTS release (20.04 or later) that receives ongoing security and CA certificate updates.
- Keep the ca-certificates package updated on all active servers: 'sudo apt-get update && sudo apt-get install --only-upgrade ca-certificates'.
- Monitor CA expiration announcements from Let's Encrypt (letsencrypt.org/docs) and the Mozilla CA Certificate Program.
- Periodically audit local CA trust stores on all servers for expired root certificates, printing the file name alongside each expiry: 'for f in /etc/ssl/certs/*.pem; do echo "$f: $(openssl x509 -in "$f" -noout -enddate 2>/dev/null)"; done'.
- Set up automated alerting for cURL/SSL errors in application and system logs to detect trust store issues early.
- Include EOL OS status in the infrastructure asset register and track supported-until dates to prioritise upgrades before CA update cessation.
Tools
- curl
- openssl
- openssl s_client
- dpkg-reconfigure