How do I check if a certificate is expired?

Run: openssl s_client -connect host:443 2>/dev/null | openssl x509 -noout -dates — shows notBefore and notAfter dates.

Why does git fail with SSL certificate problem?

Git uses the system CA bundle. Update ca-certificates package, or set GIT_SSL_CAINFO to point to the correct CA bundle.

Linux SSL/TLS Certificate Errors — Expired, Self-Signed & Chain Issues

Warningsecurity

Overview

Fix Linux SSL/TLS errors including certificate expired, unable to verify certificate chain, self-signed certificate rejection, and CA bundle configuration.

Key Details

Certificate errors from curl, wget, git, and other tools indicate TLS verification failure
Common: 'SSL certificate problem: unable to get local issuer certificate'
CA certificates are stored in /etc/ssl/certs/ or /etc/pki/tls/certs/ depending on distro
Let's Encrypt certificates require the ISRG Root X1 CA in the trust store
Self-signed certificates are rejected by default — must be explicitly trusted

Common Causes

System CA certificate bundle outdated (missing newer CAs)
Clock significantly wrong causing valid certificates to appear expired
Corporate proxy with MITM certificate not in the trust store
Self-signed certificate used on server
Intermediate certificate missing from server configuration (incomplete chain)

Steps

1Update CA certificates: sudo apt install --reinstall ca-certificates (Debian/Ubuntu) or sudo yum reinstall ca-certificates (RHEL)
2Check system time: date — fix with: sudo timedatectl set-ntp true
3Test certificate: openssl s_client -connect hostname:443 -showcerts
4Add custom CA: copy cert to /usr/local/share/ca-certificates/ then sudo update-ca-certificates
5For curl specifically: curl --cacert /path/to/ca-bundle.crt URL