From my post(s) on Discord:
It could be linked to the fact that Let's Encrypt changed their root certificate as of the 30th of September. This can/will create problems for certain devices and operating systems. There is a fair amount of general info about this on the internet to read and how to solve it. Since the Croc is running Debian Jessie 8, it could be working, or not. Jessie is one of the operating systems that could work depending on how updated it is. If it's not updated, it might not work since it trusts the old/unsupported chain and root cert. So, IdenTrust DST Root CA X3 has expired and ISRG Root X1 is the one to use. Validate the chain (for example using the "openssl" command on the Croc). It will perhaps say that the chain ends up with the expired IdenTrust DST Root CA X3 certificate. The scenario might be worth checking at least.
On the Croc, do the following:
First check if this is the problem you are facing or not, either by executing:
openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com
or:
curl -I https://your.c2-domain.com/
Both should indicate that the certificate has expired (the root certificate, that is).
Verify whether the expired "DST Root CA X3" certificate is available on the system (hence probably giving you problems with the Croc). It will be there if you got expired certificate issues from the commands above.
Command:
grep X3 /etc/ca-certificates.conf
Output (or the vital part of it):
mozilla/DST_Root_CA_X3.crt
Older Debian releases most likely have the needed ISRG Root X1 present as well.
Command:
grep X1 /etc/ca-certificates.conf
Output (or the vital part of it):
mozilla/ISRG_Root_X1.crt
"Backup" the ca-certificates.conf file:
cp /etc/ca-certificates.conf /etc/ca-certificates.conf.old1
Disable/remove/"blacklist" the X3 root certificate:
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
Then execute:
update-ca-certificates -f
Check that the change has taken place. The output of the command below should show the "DST Root CA X3" as the "diff" since it's removed:
diff /etc/ca-certificates.conf /etc/ca-certificates.conf.old1
Verify the certificate chain again. It should now be OK (or, if you have C2 running, the Croc should show up more or less immediately after the "update-ca-certificates" command has been executed):
openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com
and/or:
curl -I https://your.c2-domain.com/
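The steps above as one guarded shell function. This is an added example, not part of the original post. It refuses to disable DST Root CA X3 unless ISRG Root X1 is enabled in the same file, and it skips the backup when X3 is already disabled so the .old1 copy is not overwritten. The function names and the "apply" argument are hypothetical; the path, backup suffix and sed expression are the ones from the post.

```shell
#!/bin/sh
# Guarded version of the manual steps above (added example).
# The functions take the config path as an argument so they can be
# tried on a copy before touching /etc/ca-certificates.conf.

# Return 0 if the named certificate line is enabled
# (present and not prefixed with "!").
cert_enabled() {
    grep -q "^mozilla/$1\.crt\$" "$2"
}

# Disable DST Root CA X3 in the given ca-certificates.conf.
# Return codes:
#   0 = X3 line was disabled, backup written to <conf>.old1
#   1 = ISRG Root X1 is not enabled, nothing changed
#   2 = X3 already disabled or absent, nothing changed
#   3 = backup failed, nothing changed
disable_x3() {
    conf=$1
    if ! cert_enabled ISRG_Root_X1 "$conf"; then
        echo "ISRG Root X1 is not enabled in $conf; leaving X3 alone" >&2
        return 1
    fi
    if ! cert_enabled DST_Root_CA_X3 "$conf"; then
        echo "DST Root CA X3 already disabled or absent in $conf" >&2
        return 2
    fi
    # Same backup name and sed expression as in the post.
    cp -p "$conf" "$conf.old1" || return 3
    sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' "$conf"
}

# Touch the real trust store only when explicitly asked to
# (the "apply" argument is an assumption of this example).
if [ "${1:-}" = "apply" ]; then
    disable_x3 /etc/ca-certificates.conf && update-ca-certificates -f
fi
```

Return code 1 means the system would be left without the ISRG Root X1 anchor, so the certificate store is not modified in that case.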