j-c-m / ubnt-letsencrypt

Let's Encrypt setup instructions for Ubiquiti EdgeRouter

SSL certificate problem: unable to get local issuer certificate (potentially just on older firmware) #42

Closed m-hume closed 10 months ago

m-hume commented 2 years ago

I currently run EdgeRouter ER-X/ER-X-SFP/EP-R6: Firmware v1.10.10 on several devices. Recently the following error is given (with --debug 3):

SSL certificate problem: unable to get local issuer certificate

curl is using an out-of-date cacert.pem for SSL communications.

# update to the latest version of the script
curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh | sudo bash
# get the most recent cacert.pem
sudo curl --insecure https://curl.se/ca/cacert.pem --output /config/ssl/cacert.pem
# make acme.sh use it
echo CA_BUNDLE=\'/config/ssl/cacert.pem\' | sudo tee -a /config/.acme.sh/account.conf

Hope this saves someone some time.

mh

rogerthn2019 commented 2 years ago

Did save my day, THANKS!

j-c-m commented 1 year ago

I had to downgrade a few ER-X from 2.0.9 to 1.10.11 because of stability issues; the above fix will still work. Also adding a system-wide fix from https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d?page=1:

sudo -i
sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
update-ca-certificates --fresh

RobBiddle commented 11 months ago

@j-c-m should probably add those steps into the installation instructions, at least for EdgeOS 1.x.

j-c-m commented 10 months ago

0b6acca now incorporates the cacert bundle update in the install/update script!
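
Both workarounds in this thread fetch CA material with certificate verification switched off (`curl --insecure`, `curl -sk`), so nothing authenticates the downloaded file. As an added example (not from the thread or the ubnt-letsencrypt project), this shell function installs a downloaded bundle only when it matches a SHA-256 digest obtained on a machine with a working trust store. The function name `install_pinned_bundle` and the `/tmp` staging path are assumptions.

```shell
#!/bin/sh
# Added example, not part of ubnt-letsencrypt.
# install_pinned_bundle <downloaded-file> <expected-sha256-hex> <destination>
# Installs <downloaded-file> at <destination> only if its SHA-256 matches.
# Returns 0 on install; non-zero leaves <destination> untouched.
install_pinned_bundle() {
    src=$1 expected=$2 dest=$3

    [ -s "$src" ] || { echo "missing or empty download: $src" >&2; return 2; }

    # Normalise the pinned digest and require exactly 64 hex characters.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 chars" >&2; return 2; }

    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi

    # Sanity check: the file must contain at least one PEM certificate block.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$src" || {
        echo "no PEM certificate blocks in $src" >&2; return 3; }

    # Write beside the destination, then rename, so acme.sh never reads a
    # half-written bundle.
    tmp="$dest.new.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"
}

# Usage on the router. The digest is a placeholder: read it on a trusted
# machine (curl.se publishes it at https://curl.se/ca/cacert.pem.sha256).
#   sudo curl --insecure https://curl.se/ca/cacert.pem --output /tmp/cacert.pem
#   install_pinned_bundle /tmp/cacert.pem <sha256-from-trusted-machine> /config/ssl/cacert.pem
```

The digest has to reach the router through a channel other than the unverified download, for example pasted over the existing SSH session.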