Keywords: cURL Error 60 | SSL Certificate Expired | Certificate Chain Verification | Root Certificate | HTTPS Security
Abstract: This article provides a detailed analysis of the root causes behind cURL Error 60 related to SSL certificate expiration, particularly when the certificate itself is not expired but verification fails. Using a real-world Amazon EC2 case study, it explains the impact of expired root certificates in the certificate chain and offers a complete solution involving online tools for detection and repair. Additionally, the article discusses supplementary methods for updating system-level certificate libraries, helping developers comprehensively understand and resolve SSL/TLS connection issues.
Problem Background and Phenomenon Analysis
In distributed system architectures, the validity of SSL/TLS certificates is crucial for ensuring secure communication. This article is based on a practical case where two applications are deployed on Amazon EC2 instances: backend.example.com and frontend.example.com. These applications use paid SSL certificates with an expiration date of June 2021. However, during operation, the system reported cURL Error 60: SSL certificate problem: certificate has expired. Initial checks showed that the certificate itself was not expired, but further analysis revealed deeper issues.
Detailed diagnosis using command-line tools, such as curl -v --url https://backend.example.com --cacert /etc/ssl/ssl.cert/cacert.pem, resulted in a successful connection with server certificate verification passing and the expiration date appearing normal. This indicates that the certificate is valid. However, when initiating a cURL request from frontend.example.com to backend.example.com, the error recurred, indicating certificate expiration. This inconsistency suggests that the issue may stem from other components in the certificate chain, rather than the end certificate itself.
Root Cause Investigation: Certificate Chain and Expired Root Certificates
SSL/TLS certificate verification relies on a complete certificate chain, including the end certificate, intermediate certificates, and root certificates. Root certificates are maintained by certificate authorities (CAs), and their expiration can cause the entire chain verification to fail, even if the end certificate is not expired. In this case, the error message indicated that the certificate chain included an expired root certificate, explaining why direct cURL commands succeeded (possibly using a correct local certificate store) while cURL calls in the application failed (likely relying on a chain containing the expired root certificate).
Using online tools like whatsmychaincert.com to test the server can quickly identify if an expired root certificate exists in the chain. This tool analyzes the certificate chain provided by the server and confirms whether invalid components are present. If an expired root certificate is detected, downloading and applying a repaired certificate chain (without the expired certificate) is key to resolving the issue. This ensures that the verification process relies only on valid certificates, restoring secure HTTPS connections.
Solution Implementation: Removing Expired Root Certificates
Based on best practices, the core method to resolve cURL Error 60 is to update the certificate chain to exclude expired root certificates. First, visit whatsmychaincert.com and enter the server domain for testing. The tool will provide a detailed certificate chain analysis report. If the report confirms an expired root certificate, download the recommended .crt file, which has been cleaned of invalid components.
Next, integrate the downloaded certificate file into the application environment. For example, in PHP code, ensure that cURL configuration points to the correct certificate file:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://backend.example.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/updated/certificate.crt"); // Specify the updated certificate file
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Enable peer certificate verification
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // Verify hostname
$output = curl_exec($ch);
if (curl_error($ch)) {
echo "Error: " . curl_error($ch);
}
curl_close($ch);This code example rewrites the original snippet from the problem, emphasizing the use of CURLOPT_CAINFO to specify the updated certificate file and enabling strict SSL verification. This avoids the security risks associated with temporarily disabling verification (e.g., setting CURLOPT_SSL_VERIFYPEER to FALSE).
Supplementary Methods: System-Level Certificate Library Updates
In addition to application-level fixes, maintaining system-level certificate libraries is essential. Referencing other solutions, in Linux systems like Ubuntu, expired root certificates may reside in the system certificate store. For instance, by editing the /etc/ca-certificates.conf file to comment out or remove entries for expired certificates (such as AddTrust_External_Root.crt), and then running the update-ca-certificates command to update the store. This method ensures that all system tools, including cURL, use the latest certificate chain, but it should be done carefully to avoid impacting other applications.
Practice shows that combining online tool detection with system updates can comprehensively resolve certificate chain issues. Regularly monitoring certificate expiration dates and using automated tools for renewal are effective strategies to prevent similar problems.
Conclusion and Best Practices
cURL Error 60 often stems from expired components in the certificate chain, rather than the end certificate itself. Through tool analysis and certificate chain repair, services can be quickly restored. Developers should prioritize using online detection services to ensure certificate chain integrity and avoid disabling SSL verification in code. Additionally, maintaining system certificate stores and implementing monitoring processes help identify and resolve potential issues early, ensuring secure communication in distributed systems.