How can I confirm whether `curl-8.15.0-4.fc43`'s certificates are outdated? (Are they?)

I ask per github.com/curl/curl/discussions/20144#discussioncomment-15388335, which states:

curl: (60) SSL certificate problem: self-signed certificate

My guess is the certificates your curl uses are not up to date. I had no problem connecting with OpenSSL or Schannel (Windows).

My apologies for the lack of context. I’m unfamiliar with this.

My Environment

Name        : curl
Version     : 8.15.0
Release     : 4.fc43
Architecture: x86_64
Install Date: Sun 07 Dec 2025 01:59:08 GMT
Size        : 472588
Signature   :
              RSA/SHA256, Thu 04 Dec 2025 12:53:23 GMT, Key ID 829b606631645531
Source RPM  : curl-8.15.0-4.fc43.src.rpm
Build Date  : Thu 04 Dec 2025 11:51:51 GMT
Build Host  : buildvm-x86-23.rdu3.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project

The error message you quote:

curl: (60) SSL certificate problem: self-signed certificate

is a curl message letting you know that the server’s certificate is “self-signed” rather than signed by a trusted Certificate Authority. Does that specific error persist?

I highly doubt that curl’s nonexistent certificates are to blame here. The curl distribution doesn’t provide any and, unless the site to which are connecting requires mutual authentication (usually corporate servers restricted to employee systems, which requires installation of bespoke certificates prior to usage on every private corporate client and private corporate server – not commercial websites), aren’t required by TLS.

In fact, curl doesn’t even attempt to provide any certificates when it connects unless a certificate is specified on the command line.

The errors seen in the github link you provided (at least to me) all look like server-side errors not client-side ones.

tl;dr: TLS does not require the client to provide certificates to web servers. The errors seen are server-side errors (and/or mismatch in client/server capabilities. E.g., TLS versions, encryption suites, etc.) not evidence of curl breaking because its “certificates” are outdated.

You can use the openssl s_client command to probe details of certificates on a remote site.
See openssl-s_client - OpenSSL Documentation
There are options that print the certificate chain for you to investigate.

Thanks, @rwaskfedora. @barryascott, openssl s_client appears to hang: ^[1]

RokeJulianLockhart@Beedell:~$ time openssl s_client -showcerts example.com
^C

real    0m27.550s
user    0m0.006s
sys     0m0.004s

I hope that I’ve correctly understood its man-page.

1. security.stackexchange.com/revisions/159181/1 ↩︎

It is not hung, it is waiting for input. Typing ctrl-d will exit it.
Or type a valid HTTP command line to get a response from the web site.

@barryascott, IDK what “valid HTTP command line” refers to, but appending a port appears to work: ^[1]

1. #!/usr/bin/env sh
   openssl s_client -showcerts gog-games.com:443
   

2. Connecting to 172.234.17.55
   CONNECTED(00000003)
   depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
   verify return:1
   depth=1 C=US, O=Let's Encrypt, CN=R13
   verify return:1
   depth=0 CN=gog-games.com
   verify return:1
   ---
   Certificate chain
    0 s:CN=gog-games.com
      i:C=US, O=Let's Encrypt, CN=R13
      a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
      v:NotBefore: Oct 21 23:45:10 2025 GMT; NotAfter: Jan 19 23:45:09 2026 GMT
   -----BEGIN CERTIFICATE-----
   MIIE9TCCA92gAwIBAgISBTBcUV/VcD3z7xMWaxD0aKb8MA0GCSqGSIb3DQEBCwUA
   MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
   EwNSMTMwHhcNMjUxMDIxMjM0NTEwWhcNMjYwMTE5MjM0NTA5WjAYMRYwFAYDVQQD
   Ew1nb2ctZ2FtZXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
   1IGEecB6Q7ArCOEFuIa/jYCvzlPChJawCHiwapN5qFw7Kuf1h/WzDSgjUWtXPRlF
   zdvS0tO6oqpH6nd75VbWhI6g96xEU/PomSQOu6Bq3oa7lcMvPtwc2Pd7w77+ECjN
   O5xvALQ57hrrJAsd3ffy0DXtOrFoJUF+Pt3bfmTICWJYeaeOfgoamtsmugLLrYZE
   suRWB3rkT31/YJ0wHR3B2486XyFY+E65/fFUA3KT9DyVFvsz0TCimtPmINjmy0dR
   /r1z50zf+ofZOZUM4ZzoSBBVtU5q2uljjcWe9ZWyJqdxayEksWn3ml+U5GfvBurQ
   G6tZdRtSesvcKYhHaBx9rQIDAQABo4ICHDCCAhgwDgYDVR0PAQH/BAQDAgWgMB0G
   A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
   DgQWBBTZmBiPomoy5P2lTcWlCMHSRfv61TAfBgNVHSMEGDAWgBTnq58PLDOgU9Ne
   T3jIsoQOO9aSMzAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAKGF2h0dHA6Ly9y
   MTMuaS5sZW5jci5vcmcvMBgGA1UdEQQRMA+CDWdvZy1nYW1lcy5jb20wEwYDVR0g
   BAwwCjAIBgZngQwBAgEwLwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL3IxMy5jLmxl
   bmNyLm9yZy8xMjUuY3JsMIIBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUAZBHEbKQS
   7KeJHKICLgC8q08oB9QeNSer6v7VA8l9zfAAAAGaCV8ipAAABAMARjBEAiAwMl/d
   iY+Lu0klr3dPZXv2fW9FyKVRcIMYOPKCR92zLwIgG/zqTLc45k1pHQLbptwfFiQt
   68WA1okhhd5+5/eoWpEAdQAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0hqSWsYcVO
   IQAAAZoJXyKnAAAEAwBGMEQCIFWk9ST1c9/L9Yi7DjcJ0FlvyZMLz9Vn+TlRvNcn
   XQS0AiAdjTVG146DcFvGy0xPuz1nKLKgfUs9v90xt8u58+Z0KjANBgkqhkiG9w0B
   AQsFAAOCAQEAJjHCJjhDWOZKITd5wmKP9DWGZkgUa3HEBZivwHZhlTBrWRkN2IgH
   iuX6SNZNTDtZ+Pbg9/dEDk53NkLwm50/g09UwA6c3j2yfoHuebxYg/FXS26fM+rf
   BHV6b0QQnnmdbB0mgnKzbjMxO4Z3XEqdHrf7dpb9YInNtrfusl52i1kCFg2UkzSK
   k90YqRPJyVnqlyQ97jmBDQY2c1w/S2dK6uwquEuhhMNRgoY9oqgLQBw+WVibXlnf
   dPfxO6bgS+0IEHjY9Wk71mA68yAzEjooWsmz3mEJnKiX4hUGWJAxWhTZpjGF4ukm
   6wrNiftxk0nt51oV1ghWw4pNyvAyXfleIA==
   -----END CERTIFICATE-----
    1 s:C=US, O=Let's Encrypt, CN=R13
      i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
      a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
      v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
   -----BEGIN CERTIFICATE-----
   MIIFBTCCAu2gAwIBAgIQWgDyEtjUtIDzkkFX6imDBTANBgkqhkiG9w0BAQsFADBP
   MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
   Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
   Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
   bmNyeXB0MQwwCgYDVQQDEwNSMTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQClZ3CN0FaBZBUXYc25BtStGZCMJlA3mBZjklTb2cyEBZPs0+wIG6BgUUNI
   fSvHSJaetC3ancgnO1ehn6vw1g7UDjDKb5ux0daknTI+WE41b0VYaHEX/D7YXYKg
   L7JRbLAaXbhZzjVlyIuhrxA3/+OcXcJJFzT/jCuLjfC8cSyTDB0FxLrHzarJXnzR
   yQH3nAP2/Apd9Np75tt2QnDr9E0i2gB3b9bJXxf92nUupVcM9upctuBzpWjPoXTi
   dYJ+EJ/B9aLrAek4sQpEzNPCifVJNYIKNLMc6YjCR06CDgo28EdPivEpBHXazeGa
   XP9enZiVuppD0EqiFwUBBDDTMrOPAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
   MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
   AgEAMB0GA1UdDgQWBBTnq58PLDOgU9NeT3jIsoQOO9aSMzAfBgNVHSMEGDAWgBR5
   tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
   Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
   VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
   AQsFAAOCAgEAUTdYUqEimzW7TbrOypLqCfL7VOwYf/Q79OH5cHLCZeggfQhDconl
   k7Kgh8b0vi+/XuWu7CN8n/UPeg1vo3G+taXirrytthQinAHGwc/UdbOygJa9zuBc
   VyqoH3CXTXDInT+8a+c3aEVMJ2St+pSn4ed+WkDp8ijsijvEyFwE47hulW0Ltzjg
   9fOV5Pmrg/zxWbRuL+k0DBDHEJennCsAen7c35Pmx7jpmJ/HtgRhcnz0yjSBvyIw
   6L1QIupkCv2SBODT/xDD3gfQQyKv6roV4G2EhfEyAsWpmojxjCUCGiyg97FvDtm/
   NK2LSc9lybKxB73I2+P2G3CaWpvvpAiHCVu30jW8GCxKdfhsXtnIy2imskQqVZ2m
   0Pmxobb28Tucr7xBK7CtwvPrb79os7u2XP3O5f9b/H66GNyRrglRXlrYjI1oGYL/
   f4I1n/Sgusda6WvA6C190kxjU15Y12mHU4+BxyR9cx2hhGS9fAjMZKJss28qxvz6
   Axu4CaDmRNZpK/pQrXF17yXCXkmEWgvSOEZy6Z9pcbLIVEGckV/iVeq0AOo2pkg9
   p4QRIy0tK2diRENLSF2KysFwbY6B26BFeFs3v1sYVRhFW9nLkOrQVporCS0KyZmf
   wVD89qSTlnctLcZnIavjKsKUu1nA1iU0yYMdYepKR7lWbnwhdx3ewok=
   -----END CERTIFICATE-----
   ---
   Server certificate
   subject=CN=gog-games.com
   issuer=C=US, O=Let's Encrypt, CN=R13
   ---
   No client certificate CA names sent
   Peer signing digest: SHA256
   Peer signature type: rsa_pss_rsae_sha256
   Peer Temp Key: X25519, 253 bits
   ---
   SSL handshake has read 3127 bytes and written 1639 bytes
   Verification: OK
   ---
   New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
   Protocol: TLSv1.3
   Server public key is 2048 bit
   This TLS version forbids renegotiation.
   Compression: NONE
   Expansion: NONE
   No ALPN negotiated
   Early data was not sent
   Verify return code: 0 (ok)
   ---
   ---
   Post-Handshake New Session Ticket arrived:
   SSL-Session:
       Protocol  : TLSv1.3
       Cipher    : TLS_AES_256_GCM_SHA384
       Session-ID: 52AA135D88F797D7815FB56CEA6D9EE7A559529BB49ADCC9455CC3B386B4EFC3
       Session-ID-ctx: 
       Resumption PSK: AF61A906DA2EB965A4EDE91B719F451DB33624C1827132A902E1B7598EE8C872495D2A9C6A56A8187FF6255AC8208E57
       PSK identity: None
       PSK identity hint: None
       SRP username: None
       TLS session ticket lifetime hint: 86400 (seconds)
       TLS session ticket:
       0000 - df 87 6c 4a d9 57 36 c6-77 a1 43 41 73 38 90 a7   ..lJ.W6.w.CAs8..
       0010 - 12 95 14 7a 35 c3 21 05-f1 23 65 e5 e8 94 e0 1a   ...z5.!..#e.....
   
       Start Time: 1767378947
       Timeout   : 7200 (sec)
       Verify return code: 0 (ok)
       Extended master secret: no
       Max Early Data: 0
   ---
   read R BLOCK
   ---
   Post-Handshake New Session Ticket arrived:
   SSL-Session:
       Protocol  : TLSv1.3
       Cipher    : TLS_AES_256_GCM_SHA384
       Session-ID: 45F13E9E1893567C2185FD1053FC307AD1A8BEDD0111A3ED190D8C001C46EF70
       Session-ID-ctx: 
       Resumption PSK: C2487A4CD0B1696701F576A158F5E075F89F32E475234DE6D34C772FE2EBE39BCC2291F41D0AD18FFFC4D469C611D24F
       PSK identity: None
       PSK identity hint: None
       SRP username: None
       TLS session ticket lifetime hint: 86400 (seconds)
       TLS session ticket:
       0000 - 21 45 c7 6b 42 4b df d7-9c 8b d1 ed 9c 3f 18 88   !E.kBK.......?..
       0010 - 31 46 87 dc d8 57 9a 56-43 9f 88 47 ba 9d f1 72   1F...W.VC..G...r
   
       Start Time: 1767378947
       Timeout   : 7200 (sec)
       Verify return code: 0 (ok)
       Extended master secret: no
       Max Early Data: 0
   ---
   read R BLOCK
   

I’m surprised that it doesn’t default to a port, or return an error, when one isn’t specified.

1. serverfault.com/revisions/1011299/1 ↩︎

Are you still seeing the original problem you had?

When I tried curl -L https://gog-games.com/ about 10 hours ago, I got the same certificate error you did, but now it seems fine certificate-wise, and fails with a different error.

$ curl -Lv https://gog-games.com/
* Host gog-games.com:443 was resolved.
* IPv6: (none)
* IPv4: 172.234.17.201, 172.234.17.135, 172.234.17.55
*   Trying 172.234.17.201:443...
* connect to 172.234.17.201 port 443 from 192.168.0.250 port 37078 failed: No route to host
*   Trying 172.234.17.135:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=gog-games.com
*  start date: Oct 21 23:45:10 2025 GMT
*  expire date: Jan 19 23:45:09 2026 GMT
*  subjectAltName: host "gog-games.com" matched cert's "gog-games.com"
*  issuer: C=US; O=Let's Encrypt; CN=R13
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to gog-games.com (172.234.17.135) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://gog-games.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: gog-games.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.15.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: gog-games.com
> User-Agent: curl/8.15.0
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Connection #0 to host gog-games.com left intact
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

Now, if I set curl’s user agent to fool the remote end into thinking it’s a real browser, I get as far as the attempted redirect to the shonky site:

$ curl -LvA "Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0" https://gog-games.com
* Host gog-games.com:443 was resolved.
* IPv6: (none)
* IPv4: 172.234.17.55, 172.234.17.201, 172.234.17.135
*   Trying 172.234.17.55:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=gog-games.com
*  start date: Oct 21 23:45:10 2025 GMT
*  expire date: Jan 19 23:45:09 2026 GMT
*  subjectAltName: host "gog-games.com" matched cert's "gog-games.com"
*  issuer: C=US; O=Let's Encrypt; CN=R13
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to gog-games.com (172.234.17.55) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://gog-games.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: gog-games.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: gog-games.com
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 302 
< server: openresty
< date: Fri, 02 Jan 2026 19:20:19 GMT
< content-type: text/html
< content-length: 142
< location: https://serenapulse.com/r/diz8WxbHiq49mP6eSSMKrS10tsjJfAXw2Oqpgrh9GBEb2WLfuxlZSAsx9CevhahBxXJ6jMUtxNgIBHRbi0TQYscBL5Dza-H2jFF5td0Jo45PHMN1elSyHmPrWVjgtjvKfxABvNEjSOND3sc60OlOyMD9W4FI_Z64KnC13xbkpKxy1uktJUocteX8JYArxd02kOzm9eQB6MuygYefSFXdAbEon2M8Mrwkh40Y0lb-nvZgwiSB2wYeN3pwrAqYB1f532FcpxCy7oEH80wfhJ8uCG1c9gEdw-9l5DdBtqbmSmUpwdN7fA5OgGzg2lSfWKDpEOQ1yT3_C0tMyex2WiuWmCnfOOkn8jw77TuiuM3yXT1de1Gl9ntBNj7X8LAkas8I7TJANYfdbjPXMq3hBC7ofehag1ntQVu_UStjBNIHQamiEq-9ueM6CqGuCmgjRMzgH8kKHiTCRUEPPp68dRyVV3urNiU23BRUbdUe9za75t75gXPQaIWN-MIIZzumyVa7QcFXq5IvkJUVEMl1Izt5jQayz1Q6KVm_S3nBTGWsZ5lRm8wPfqNeZJpX0xcnR7wPnYHq1osYlXLH1ZbkMnVMBvpS5TBzI0Cdm0mgc8Y2S8Uxmw-G3i1n5oop3c1H37JSM6gxAOeEYCl2shoFPuNXcl96xiE5vCsB39doAQgDSRLQwyw10DLgvsiAacA_zyEpwzKqZwfVdOUCkvIARIxEBZubdSk-CpyXdIiRk7I8Q0hTWpfPaCa2xyCFOzPvmzUfQV9r_8Mu5uU
< cache-control: no-store, max-age=0
< accept-ch: Sec-CH-UA, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-WoW64
< permissions-policy: ch-ua=(self "https://*.parklogic.com"), ch-ua-arch=(self "https://*.parklogic.com"), ch-ua-bitness=(self "https://*.parklogic.com"), ch-ua-full-version=(self "https://*.parklogic.com"), ch-ua-full-version-list=(self "https://*.parklogic.com"), ch-ua-mobile=(self "https://*.parklogic.com"), ch-ua-model=(self "https://*.parklogic.com"), ch-ua-platform=(self "https://*.parklogic.com"), ch-ua-platform-version=(self "https://*.parklogic.com"), ch-ua-wow64=(self "https://*.parklogic.com")
* Ignoring the response-body
* setting size while ignoring
< 
* Connection #0 to host gog-games.com left intact
* Issue another request to this URL: 'https://serenapulse.com/r/diz8WxbHiq49mP6eSSMKrS10tsjJfAXw2Oqpgrh9GBEb2WLfuxlZSAsx9CevhahBxXJ6jMUtxNgIBHRbi0TQYscBL5Dza-H2jFF5td0Jo45PHMN1elSyHmPrWVjgtjvKfxABvNEjSOND3sc60OlOyMD9W4FI_Z64KnC13xbkpKxy1uktJUocteX8JYArxd02kOzm9eQB6MuygYefSFXdAbEon2M8Mrwkh40Y0lb-nvZgwiSB2wYeN3pwrAqYB1f532FcpxCy7oEH80wfhJ8uCG1c9gEdw-9l5DdBtqbmSmUpwdN7fA5OgGzg2lSfWKDpEOQ1yT3_C0tMyex2WiuWmCnfOOkn8jw77TuiuM3yXT1de1Gl9ntBNj7X8LAkas8I7TJANYfdbjPXMq3hBC7ofehag1ntQVu_UStjBNIHQamiEq-9ueM6CqGuCmgjRMzgH8kKHiTCRUEPPp68dRyVV3urNiU23BRUbdUe9za75t75gXPQaIWN-MIIZzumyVa7QcFXq5IvkJUVEMl1Izt5jQayz1Q6KVm_S3nBTGWsZ5lRm8wPfqNeZJpX0xcnR7wPnYHq1osYlXLH1ZbkMnVMBvpS5TBzI0Cdm0mgc8Y2S8Uxmw-G3i1n5oop3c1H37JSM6gxAOeEYCl2shoFPuNXcl96xiE5vCsB39doAQgDSRLQwyw10DLgvsiAacA_zyEpwzKqZwfVdOUCkvIARIxEBZubdSk-CpyXdIiRk7I8Q0hTWpfPaCa2xyCFOzPvmzUfQV9r_8Mu5uU'
* Could not resolve host: serenapulse.com
* shutting down connection #1
curl: (6) Could not resolve host: serenapulse.com

@pg-tips, I do:

RokeJulianLockhart@Beedell:~$ curl -vL https://gog-games.com/
* Host gog-games.com:443 was resolved.
* IPv6: (none)
* IPv4: 172.234.17.55, 172.234.17.201, 172.234.17.135
*   Trying 172.234.17.55:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=gog-games.com
*  start date: Oct 21 23:45:10 2025 GMT
*  expire date: Jan 19 23:45:09 2026 GMT
*  subjectAltName: host "gog-games.com" matched cert's "gog-games.com"
*  issuer: C=US; O=Let's Encrypt; CN=R13
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to gog-games.com (172.234.17.55) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://gog-games.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: gog-games.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.15.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: gog-games.com
> User-Agent: curl/8.15.0
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Connection #0 to host gog-games.com left intact
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

What you last observed might be due to a redirect somehow succeeding (unless it consistently failed with that, I suppose), because some of the redirected-to spam sites don’t employ captchas, and might themselves be unreachable.