SSL certificate problem: certificate has expired

A lot of websites are using a global certificate, which expired on September 30, 2021. This causes an error when your site tries to connect to our API.

The problem lies with the certificate on your own server, and it can only be solved by your host!

1. How to check the error?

Go to our Help center and, under Possible Conflicts, press the Test connection button. Your page will refresh with an error log inside the Debug information part. That log will contain a similar error:

* SSL certificate problem: certificate has expired
or:
* SSL certificate problem: unable to get local issuer certificate

2. How to confirm the error?

Create a new PHP file and put the following content inside:

    <?php
    // create curl resource
    $ch = curl_init();

    // set url
    curl_setopt($ch, CURLOPT_URL, "https://api.nextendweb.com/");

    // return the transfer as a string
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    // write curl's verbose connection log to a temporary file
    $errorFile = dirname(__FILE__) . '/curl_error.txt';
    $out       = fopen($errorFile, "w");
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_STDERR, $out);

    // $output contains the output string
    $output = curl_exec($ch);

    curl_close($ch);
    fclose($out);

    // print the log, then delete the temporary file
    echo "<h1>LOG</h1>";
    echo "<pre>";
    echo htmlspecialchars(file_get_contents($errorFile));
    unlink($errorFile);
    echo "</pre>";

Upload the PHP file you created to your server (e.g. via FTP) and open it in your browser. For example, if you named it test.php, you can open https://yoursite.com/test.php. Look for lines that start with SSL to identify the issue with your certificate.

If you need to contact your host to get this problem sorted, you can send them the link to this file which should help them understand the problem and provide an accurate fix in a timely manner.

If you see the certificate is fine here, then your WordPress certificate is the one that needs to be updated.

Possible example results

Below you can see some example results the code above produces that indicate problems.

2.1. Issue: Certificate not set

* Trying 172.104.28.39...
* TCP_NODELAY set
* Connected to api.nextendweb.com (172.104.28.39) port 443 (#0)
* ALPN, offering http/1.1
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0

Here the key error is in the 5th line, which starts with: SSL certificate problem. In this example the cause of the problem is that PHP is unable to get the local issuer certificate, which is caused by a misconfiguration of the SSL certificate on your server.

2.2. Issue: Expired certificate

* Trying 172.104.28.39...
* Connected to api.nextendweb.com (172.104.28.39) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL certificate problem: certificate has expired
* Closing connection 0

Here the key error is in the 7th line, which starts with: SSL certificate problem. In this example the cause of the problem is that the certificate has expired and needs to be updated.

2.3. Server's SSL certificate is fine

If your SSL is fine, you should see a similar log:

* Trying 172.104.28.39...
* TCP_NODELAY set
* Connected to api.nextendweb.com (172.104.28.39) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: C:\wamp64\bin\apache\apache2.4.51\conf\cacert.pem
  CApath: none
* SSL connection using unknown / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=api1.nextendweb.com
*  start date: Sep 27 20:46:16 2022 GMT
*  expire date: Dec 26 20:46:15 2022 GMT
*  subjectAltName: host "api.nextendweb.com" matched cert's "api.nextendweb.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
Host: api.nextendweb.com
Accept: */*

The key here is the last line that starts with a star (*). It reads SSL certificate verify ok. which means that your server's certificate is fine.

If you see the certificate is fine here, but you still keep getting the message about the certificate being expired, then your WordPress certificate is the one that needs to be updated.

3. What's the cause of the error?

The cause of the problem is that the root SSL certificate of the server expired on September 30, 2021. This certificate is used to communicate between two websites, and this communication can only happen via https. The communication between two servers uses a different certificate than the communication between the browser and the website.

So even if you have a valid certificate for the SSL connection between your site and the browser, you can still have another, expired certificate on the server that's used when your site communicates with other websites. If you receive the 60 SSL certificate problem: certificate has expired error, that means the server's root certificate has expired, and the host needs to update that.

Send your host this Let’s Encrypt article that explains the problem in detail: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ and tell them it's impacting you as well.

4. How to solve the problem?

⚠️ Warning: Server related problems need to be solved by the host. We're unable to provide support for server management.

The only solution to this problem is to get your host to update the root certificate on your server.

So, you need to contact your server host and ask them to insert a new cacert.pem file into their servers, and configure it within their php.ini file. That way your website won't use the globally accessible certificate anymore, but it will have its own.

A website has multiple SSL certificates. If your host says that your SSL certificate is fine, then they checked the wrong certificate! Ask them to follow the solution examples below to fix the root certificate.

The php test file above shows the location of the root certificate your host needs to update. Creating the testing file and providing it to your host can help them understand which certificate they need to look at.
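
A check the host can run against the bundle named in that log, as an added example (not part of the original article or its test file): it reads the verdict and the CAfile path from a verbose cURL log and lists every certificate in that bundle that has already expired. The function names are hypothetical and the embedded log is a constructed sample based on section 2.2.

```php
<?php
// Added example. Constructed sample input: the relevant lines of a verbose log.
$log = <<<'LOG'
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL certificate problem: certificate has expired
LOG;

// Pull the verdict and the CA bundle path out of a verbose cURL log.
function read_curl_log(string $log): array
{
    $out = ['verdict' => 'unknown', 'cafile' => null];
    foreach (preg_split('/\R/', $log) as $line) {
        $line = trim($line, "* \t");   // drop cURL's leading "*" and padding
        if (preg_match('/^CAfile:\s*(.+)$/', $line, $m)) {
            $out['cafile'] = $m[1] === 'none' ? null : $m[1];
        } elseif (preg_match('/^SSL certificate problem:\s*(.+)$/', $line, $m)) {
            $out['verdict'] = $m[1];    // e.g. "certificate has expired"
        } elseif (strpos($line, 'SSL certificate verify ok') === 0) {
            $out['verdict'] = 'ok';
        }
    }
    return $out;
}

// List the certificates in a PEM bundle whose validity period has ended.
function expired_in_bundle(string $path): array
{
    $pem = @file_get_contents($path);
    if ($pem === false) {
        return ["cannot read $path (check the path and open_basedir)"];
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $expired = [];
    foreach ($m[0] as $block) {
        $cert = openssl_x509_parse($block);
        if ($cert !== false && $cert['validTo_time_t'] < time()) {
            $expired[] = $cert['name'] . ' expired ' . gmdate('Y-m-d', $cert['validTo_time_t']);
        }
    }
    return $expired;
}

if (PHP_SAPI !== 'cli') header('Content-Type: text/plain');
$found  = read_curl_log($log);
// Fall back to the php.ini setting, then to OpenSSL's compiled-in default.
$bundle = $found['cafile'] ?: ini_get('curl.cainfo') ?: openssl_get_cert_locations()['default_cert_file'];
echo "verdict: {$found['verdict']}\nbundle:  $bundle\n";
foreach (expired_in_bundle($bundle) as $line) echo "  $line\n";
```

Replace the sample log with the one your own test file printed, and run the script through the web server rather than the command line, since the two can load different php.ini files.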

Solution examples

You can find a few examples here on how to solve the problem on certain servers. You can send these instructions to your host which they should be able to understand and apply to your own server. Depending on the used server, some steps might be different.

Solution on WampServer

1. Download this cacert.pem file.
2. Place this file into your PHP folder. For example, if you are using php7.4.9, put the file here:
   C:\wamp64\bin\php\php7.4.9
3. Open the php.ini file of the server (left click on the Wamp icon → PHP → php.ini).
4. Find this line: ;curl.cainfo
5. Change it to where your cacert.pem file is: curl.cainfo = "C:\wamp64\bin\php\php7.4.9\cacert.pem"
6. Make sure you remove the ; sign at the beginning of the line!
7. Save the php.ini file.
8. Restart Wamp, and the problem should be fixed!

Solution on MAMP - Mac localhost server

1. Download this cacert.pem file.
2. Replace your MAMP server's file with it: /Applications/MAMP/Library/OpenSSL/certs/cacert.pem
3. Restart MAMP, and the problem should be fixed!

Solution on Windows server

1. Download this cacert.pem file.
2. Place this file into your PHP folder. For example, if you are using php7.0 and your server was installed in the Program Files (x86) folder, put the file here:
   C:\Program Files (x86)\PHP\v7.0\
3. Open the php.ini file of the server.
4. Find this line: ;curl.cainfo
5. Change it to where your cacert.pem file is: curl.cainfo = "C:\Program Files (x86)\PHP\v7.0\cacert.pem"
6. Make sure you remove the ; sign at the beginning of the line!
7. Save the php.ini file.
8. Restart your server with iisreset /restart, and the problem should be fixed!

Tips based on user feedback

openssl.cafile

One person with a CentOS server also had to change the openssl.cafile value in his php.ini file to point to the new cacert.pem file:

openssl.cafile = "C:\wamp64\bin\php\php7.4.9\cacert.pem"

Expired WordPress certificate

☝️ Note: The certificate update was shipped in many WordPress updates released on November 10, 2021, and it's also part of the 5.9 release. WordPress 5.2 and newer versions got the patch, so if you use one of these versions, you already have the updated file.

This issue is connected to a certain OpenSSL version and a WordPress certificate problem. You can learn more about it here. To solve this problem, update your wp-includes/certificates/ca-bundle.crt file with the content you can find here: https://github.com/WordPress/WordPress/blob/master/wp-includes/certificates/ca-bundle.crt
