Certificate error running Weather API requests

If you are getting an expired certificate error running Visual Crossing Weather API queries, this article will explain the likely cause and how to fix it.

The problem

On September 30, 2021, an old version of the Let’s Encrypt “intermediate” certificate expired. While our servers have been delivering the updated version of this certificate for some time, your environment may have a local certificate store that still contains the old certificate. In this case, you may get an error from certain tools such as PHP and cURL that rely on your local certificate store. In cURL, for example, you will get an error that looks like this.

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

In PHP, using the ‘file_get_contents’ method, the error will be similar to this.

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 

While this error appears to be telling you that the Visual Crossing Weather server is sending an expired certificate, that is not the case. Instead the problem is triggered by the older version of this intermediate certificate stored in your machine’s local certificate store.

Note that this problem is generally limited to Unix environments that are running without a regular update policy. On Windows, forced updates from Microsoft keep the certificate store updated as needed. Likewise, on a well maintained Unix environment, the regular updating process typically updates the certificate store as well.

The Solution

The solution is to update the certificate store in your environment. As mentioned above, if you are on a modern version of Windows, the automatic update process should ensure that your certificate store is kept up to date. If you are seeing this problem on Windows, make sure that you have the latest Microsoft updates installed. If you are running a version of Windows that is no longer supported by Microsoft, you may need to do manual installation steps, and those are outside the scope of this article.

On a Unix environment such as Linux, you simply need to install the latest certificate store as well. The exact steps vary based on your exact distribution. If you have Debian, you can use a dpky command such as this.

sudo dpkg-reconfigure ca-certificates

If you are on a Yum-based system such as Centos, you can use this command.

yum reinstall ca-certificates

If you are on the Amazon Web Services (AWS) platform, you can follow their technote that gives detailed instructions depending upon the version of their platform that you are running.

How can I prevent this problem in the future?

First, Let’s Encrypt themselves has taken steps that should help avoid this problem being caused by future updates on their side. You can read more about their explanation here. In addition, you should talk to your system administrator to ensure that updates are applied regularly to your environment. A regularly update system would not only have prevent this specific problem but will also keep your system safer from hackers and damaging exploits.

Questions or need help?

If you have a question or need help, please post on our actively monitored forum for the fastest replies. You can also contact us via our support site or drop us an email at support@visualcrossing.com.