Fixing curl’s Let’s Encrypt problem on Linux

One of Let’s Encrypt’s root certificates (“DST Root CA X3”) has expired on September 30th, 3021. Now a new root certificate (“ISRG Root X1”) is used. Let’s Encrypt’s Intermediate certificate “Let’s Encrypt R3” was signed by both root certificates. Older versions of curl (7.52) cannot handle this correctly and think that the R3 certificate is no longer valid because its root certificate has expired. However only one of the two root certificates has expired, the other is still valid and thus R3 is valid, too. You can find a diagram of the certificates here:

When you try to use curl 7.52 it can look like this:

# curl --head
curl: (60) SSL certificate problem: certificate has expired
More details here:

So one option is to update curl to a newer version, e.g. 7.64 or 7.74, then it works fine. Another option is to remove the expired root certificate (“DST Root CA X3”) from the Linux computer on which you want to use curl.

To remove the certificate, just edit the file /etc/ca-certificates.conf and disable the DST Root CA X3 certificate by writing an exclamation mark in front of it:


Then run update-ca-certificates to read the ca-certificates.conf file and update the system’s certificates. Afterward curl should work fine.

Update: When I compiled the new version of curl I also had to compile a new version of OpenSSL. It seems that the real problem is in OpenSSL 1.0, not in curl. So it seems to be sufficient to update OpenSSL 1.0 to at least OpenSSL 1.1 or to remove the expired certificate. You can now find a blog post that explains this here: