Why Did Our HTTPS Calls Suddenly Fail? Solving the 2020 AddTrust Root Expiration
This article explains how an expired AddTrust External CA Root caused HTTPS requests to Sentry to fail, shows how to reproduce the error with curl and OpenSSL, and provides step‑by‑step fixes for Ubuntu, Docker‑Alpine, and macOS environments.
Problem
Our application’s HTTPS requests to the Sentry server started failing with SSL certificate verification errors, despite the server’s own certificate appearing valid.
Analysis
Log entries showed:
Raven::Error - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)
Checking the domain’s certificate chain revealed that the AddTrust External CA Root expired on May 30 2020.
Running curl https://sentry.xxx.com on the worker host reproduced the error, while the same call succeeded from other hosts (e.g. CentOS) and against other domains, indicating the problem was specific to the worker host rather than to the server.
Running
openssl s_client -showcerts -servername sentry.xxx.com -connect sentry.xxx.com:443
confirmed the expired root certificate.
Solution
Remove the expired AddTrust root from the CA configuration and update the CA bundle.
Ubuntu host
sudo sed -i "/AddTrust_External_Root.crt/d" /etc/ca-certificates.conf
Then refresh the certificates:
sudo update-ca-certificates --fresh
Restart the affected services so they reload the CA bundle.
Docker (Alpine) container
sed -i "/AddTrust_External_Root.crt/d" /etc/ca-certificates.conf
update-ca-certificates -f -v
Ideally add these commands to the Dockerfile before CMD so the container always has an up‑to‑date CA bundle.
macOS
Back up the system certificate file and comment out the expired AddTrust block (macOS ships BSD sed, whose -i flag takes a mandatory backup suffix, so pass an empty one):
sudo cp /etc/ssl/cert.pem ~/etc-ssl-cert.pem-20200601
sudo sed -i '' "/^### AddTrust/,/^-.*END/ s/^/#/g" /etc/ssl/cert.pem
After updating the CA store, curl https://sentry.xxx.com succeeds.
Additional notes
The issue only affects server‑side HTTPS calls that encounter the expired AddTrust root; browsers typically have updated trust stores, so end‑users are not impacted. Use configuration management tools (Ansible, SaltStack) for host‑wide fixes, and remember to restart services after updating the CA bundle.
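The check that would have flagged this before the outage, as an added example written for this article (not code from the original post): a standard-library-only Python script that walks each certificate in a PEM bundle down to its notAfter field and lists the ones that have already expired. It generalises beyond AddTrust to any root in the bundle; the two certificates in SAMPLE_BUNDLE are constructed stand-ins (unsigned, minimal DER carrying only the fields the walker reads), one of them given AddTrust's 2020-05-30 10:48:38 UTC expiry.

```python
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity -> notAfter (RFC 5280 layout)."""
    _, p, _ = _tlv(der, 0)                              # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p                       # optional [0] EXPLICIT version
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                              # validity SEQUENCE
    _, _, p = _tlv(der, p)                              # skip notBefore
    tag, start, end = _tlv(der, p)                      # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expired_certs(bundle_text, now=None):
    """Return [(index, notAfter)] for every PEM certificate in the bundle that has expired."""
    now = now or datetime.now(timezone.utc)
    found = []
    for i, m in enumerate(PEM_RE.finditer(bundle_text)):
        not_after = cert_not_after(base64.b64decode("".join(m.group(1).split())))
        if not_after <= now:
            found.append((i, not_after))
    return found

def _der(tag, body):  # tiny DER encoder, only for the constructed sample (bodies < 256 bytes)
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + ln + body

def synthetic_cert_pem(not_after):
    """Constructed stand-in carrying just the fields cert_not_after() walks; unsigned, useless for TLS."""
    validity = _der(0x30, _der(0x17, b"000530000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity)
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(_der(0x30, tbs)).decode()

# Constructed bundle: one cert with AddTrust's notAfter (2020-05-30 10:48:38 UTC), one valid until 2038.
SAMPLE_BUNDLE = synthetic_cert_pem("200530104838Z") + synthetic_cert_pem("380101000000Z")
```

To audit a real host, pass the contents of /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu) or /etc/ssl/cert.pem (macOS) to expired_certs and treat any hit as a root to remove before it breaks verification.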
Source: https://aliasmee.github.io/post/resolve-certificate-verify-failed-with-2020-may-30/