As of 9/30/2021, openssl 1.0.2 is not working with letsencrypt certs until there’s a cacert update that deletes the one that expired today.
More information from letsencrypt.org is here : DST Root CA X3 Expiration (September 2021) - Let's Encrypt
There are few workarounds to this issue which are mentioned here : Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog
Essentially DST Root CA X3 needs to be removed as a workaround. Also, If the new ISRG Root X1 self-signed certificate isn’t already in the trust store, add it. We have an active discussion going in various channel on this and many workarounds have been proposed which seem to work for certain platforms/systems.
Some of them are mentioned below ( Thanks to many of the members in our community slack who have contributed to come up with the workarounds which have been pasted below)
Ubuntu
sed -i '/DST Root CA X3/,+19d' /opt/chef/embedded/ssl/certs/cacert.pem
sed -i 's#^mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf && update-ca-certificates
Ubuntu 18.04+
apt install ca-certificates
(USN-5089-1: ca-certificates update | Ubuntu security notices | Ubuntu)
MacOS/Ubuntu
/usr/bin/sed -i '' '/DST Root CA X3/,/^$/ d' /opt/chef/embedded/ssl/certs/cacert.pem
Windows
((Get-Content -path cacerts.pem) -replace '(?s)DST Root CA X3.*?(END CERTIFICATE-----)', '') | | Set-Content -Path cacerts.pem
Hab team is actively working towards a fix for the package and will be posting information regarding the fix and the timeline in various slack channels.