T The Triage ManualTechnical Guides for IT Emergencies
P3 · PKI & Certificate Management

cURL Error 60 – DST Root CA X3 Expiry Breaks HTTPS on Ubuntu 14

On Ubuntu 14 (end-of-life) servers, all HTTPS requests to Let's Encrypt-secured sites fail with cURL error 60 ('SSL certificate problem: certificate has expired') because the DST Root CA X3 root certificate expired on 30 September 2021 and remains trusted in the local CA store. The remote certificates are valid; the fault lies entirely in the outdated local trust store. The fix is to deselect mozilla/DST_Root_CA_X3.crt via dpkg-reconfigure ca-certificates, which removes the expired root from the trusted set.

Indicators

Likely causes

Diagnostic steps

  1. Reproduce the error: run 'curl -v https://website.com' and confirm error 60 with the message 'SSL certificate problem: certificate has expired'.
    Confirms the error is reproducible and captures the exact error string for triage.
  2. Verify the remote certificate chain is valid: run 'echo -n | openssl s_client -showcerts -connect website.com:443 -servername website.com' and confirm the server's certificate and intermediates are within their validity period.
    Determines whether the fault is in the remote certificate or the local trust store.
  3. Locate DST Root CA X3 in the local trust store: check for '/etc/ssl/certs/DST_Root_CA_X3.pem' or list entries with 'ls /etc/ssl/certs/ | grep -i DST'.
    Confirms the expired root certificate is present in the local CA store.
  4. Confirm the expiry date of the local DST Root CA X3 certificate: run 'openssl x509 -in /etc/ssl/certs/DST_Root_CA_X3.pem -noout -dates'. Expect 'notAfter=Sep 30 14:01:15 2021 GMT', confirming this root is the cause.
    Verifies the expired root is the specific certificate causing validation failure.
  5. Cross-check the ca-certificates configuration file to confirm DST_Root_CA_X3.crt is marked as trusted: run 'grep -i DST /etc/ca-certificates.conf'.
    Confirms the expired root is actively trusted in the ca-certificates configuration.
  6. Check system clock on client and server: run 'date; timedatectl' on Linux and compare to a trusted NTP source.
    Rules out clock skew as a false cause of certificate validity window failures.
  7. Verify which certificate is actually bound to the service listener: on Linux inspect nginx/apache config for ssl_certificate or SSLCertificateFile directives; on Windows run 'netsh http show sslcert'.
    Confirms the renewed certificate has been deployed and bound, not merely uploaded.
  8. Test trust chain from the client's perspective: run 'curl -v --cacert /path/to/ca-bundle.crt https://<host>' to isolate whether the fault is server-side (bad cert) or client-side (missing CA in trust store).
    Distinguishes a server certificate problem from a client trust store problem.

Resolution path

Prevention

Tools

References

ubuntu-14curlerror-60lets-encryptssltlsDST-Root-CA-X3ca-certificatescertificate-expiryopenssltrust-storeend-of-lifedpkg-reconfigureISRG-Root-X1cross-signed-certificatepkicertificatehostname-mismatchsanclock-skewcertbotwindowsintermediate-cacertificate-renewal