This began in early June, I know the exact day but I think this is irrelevant.
curl/wget with all the needed CA certs installed in system refuse to setup a secure connection. The web browser as well as DarkMX's own update checker are unaffected (lucky, this must be the reason it went unnoticed).
According to {1} the reason is: the web server doesn't supply the intermediary certificates. I wonder then how the web browser and DarkMX still manage to find it out and connect correctly...
Link 1:
https://community.letsencrypt.org/t/certs-issued-by-cn-r3-are-not-recognized/141500/3
$ wget --verbose -o - https://darkmx.app/
--DATE-- https://darkmx.app/
Connecting to darkmx.app (darkmx.app)|<IP>|:443... connected.
ERROR: The certificate of ‘darkmx.app’ is not trusted.
ERROR: The certificate of ‘darkmx.app’ doesn't have a known issuer.
In comparison, tixati.com supplies them correctly:
echo | openssl s_client -connect tixati.com:443 -servername tixati.com -showcerts 2> /dev/null | grep '^ [0-9]'
0 s:CN = tixati.com
1 s:C = US, O = Let's Encrypt, CN = R3
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
echo | openssl s_client -connect darkmx.app:443 -servername darkmx.app -showcerts 2> /dev/null | grep '^ [0-9]'
0 s:CN = darkmx.app
curl -v "https://darkmx.app/check_for_update/1.16.1" -H 'Connection: close'
* STATE: INIT => CONNECT handle 0x800083bc8; line 1634 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => RESOLVING handle 0x800083bc8; line 1680 (connection #0)
* family0 == v4, family1 == v6
* Trying <IP>:443...
* STATE: RESOLVING => CONNECTING handle 0x800083bc8; line 1762 (connection #0)
* Connected to darkmx.app (<IP>) port 443 (#0)
* STATE: CONNECTING => PROTOCONNECT handle 0x800083bc8; line 1825 (connection #0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: PROTOCONNECT => PROTOCONNECTING handle 0x800083bc8; line 1845 (connection #0)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* multi_done
* The cache now contains 0 members
* Closing connection 0
* Expire cleared (transfer 0x800083bc8)
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.