Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]

John Capo jc at
Sat Jun 6 15:31:08 UTC 2020

On Fri, June 5, 2020 11:08, Andrea Venturoli wrote:
> On 2020-06-01 00:16, Garance A Drosehn wrote:
>> There is a cert from AddTrust which expired early on Saturday.  I
>> believe it was the cert for the certificate authority named USERTrust RSA. This shouldn't have been a
>> problem, because there is a newer cert for that same CA which has not expired.
>> I do not understand all the details, but apparently there is a bug in
>> versions of OpenSSL which are older than version 1.1.  If the older (now-expired) cert is known
>> on some system, it is used instead of the newer cert.  And therefore that cert, and every cert
>> which was generated by that CA is also considered invalid.  This problem hit us at RPI on many
>> Redhat systems yesterday.
>> I also saw the problem on some of my older MacOS systems,
>> but do not have this problem on MacOS Catalina.
> I can see it too, on many sites.
> E.g.
> "openssl s_client -connect" passes verification
> on 12.1, but fails on 11.3.
> Deleting the expired certificate from /etc/ssl/cert.pem is enough to
> solve the problem.
> Is anyone looking into this?
> What is the official position/suggestion for those stuck on 11.x?
> Has at least a bug been reported?

This worked for me to fix curl on 11.3.  Get the Mozilla cert bundle from here:

Replace the AddTrust External Root cert in that bundle with a new one from here:

Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and replace it with the modified bundle.

John Capo
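As an added example that is not part of this thread: a small stdlib-only Python script that reads the DER validity field of every certificate in a PEM bundle such as /etc/ssl/cert.pem or ca-root-nss.crt and splits it into still-valid and expired entries, so the expired root can be dropped from a copy of the bundle instead of being deleted by hand. `sample_cert` builds a constructed, unsigned skeleton certificate (only its validity field is meaningful) for offline testing; all function names here are mine.

```python
import base64
import datetime
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)

def _tlv(buf, pos):                          # one DER TLV at pos -> (tag, value_start, value_end)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                         # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):              # yield the TLVs inside a constructed value, in order
    while start < end:
        tlv = _tlv(buf, start)
        yield tlv
        start = tlv[2]

def not_after(der):
    """notAfter of a DER certificate as an aware UTC datetime."""
    _, s, e = _tlv(der, 0)                   # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, s, e = _tlv(der, s)                   # tbsCertificate ::= SEQUENCE { ... }
    fields = list(_children(der, s, e))
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields.pop(0)
    _, vs, ve = fields[3]                    # serial, signature, issuer, validity, subject, ...
    tag, ts, te = list(_children(der, vs, ve))[1]   # validity ::= SEQUENCE { notBefore, notAfter }
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    dt = datetime.datetime.strptime(der[ts:te].decode("ascii"), fmt)
    if tag == 0x17 and dt.year >= 2050:      # RFC 5280: two-digit years 50..99 mean 1950..1999
        dt = dt.replace(year=dt.year - 100)
    return dt.replace(tzinfo=datetime.timezone.utc)

def partition_bundle(pem_text, now=None):
    """Split a PEM bundle into (still_valid, expired) PEM blocks as of `now` (default: current UTC time)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    valid, expired = [], []
    for block in PEM_RE.findall(pem_text):   # comment lines between certs (as in ca-root-nss.crt) are skipped
        der = base64.b64decode("".join(block.splitlines()[1:-1]))
        (expired if not_after(der) <= now else valid).append(block)
    return valid, expired                    # "".join(valid) is the bundle with expired roots dropped

def _der(tag, payload):                      # short-form length only; every payload below is < 128 bytes
    return bytes([tag, len(payload)]) + payload
def sample_cert(not_before, not_after_):
    """Constructed, unsigned skeleton certificate: only the validity field carries real data."""
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after_))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

Run it on a saved copy of the bundle and write `"".join(valid)` to the new file; the original stays untouched for rollback.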

More information about the freebsd-questions mailing list