I have this problem on a debian 9 client, that try to run a curl to a website that have valid SSL .
The fix is to blacklist the expired ssl on the client computer, not on server.
sed -i ‘s|mozilla/DST_Root_CA_X3.crt|!mozilla/DST_Root_CA_X3.crt|’ /etc/ca-certificates.conf && update-ca-certificates
