Some Mac and Android users experience website connection issues caused by expired Let's Encrypt certificates
Reports are coming in that Internet users who run Mac devices or older Android devices are experiencing connection issues on some sites they visit in most web browsers.
Mac users who experience the issue get "your connection is not private" error messages with the error code NET::ERR_CERT_DATE_INVALID.
Most web browsers on Mac devices, including Google Chrome and other Chromium web browsers, throw the error messages when users connect to certain sites.
The issue is related to the expiration of the root certificate of Let's Encrypt on September 30, 2021. Let's Encrypt is a nonprofit organization that has issued more than 2 billion certificates since its founding.
Certificates that have been issued by an expired root certificate won't be trusted anymore by clients. Let's Encrypt tries to mitigate issues caused by the expiration of the root certificate through a new cross-signed root certificate that is valid until September 30, 2024.
Let's Encrypt released lists of platforms that may run into issues from September 30, 2021 onward and those that should not.
Older versions of Mac OS and iOS are on the incompatible lists, as well as older Linux distributions and some other older devices, such as Android devices running Android 2.3.6 or older.
Known Incompatible
- Blackberry < v10.3.3
- Android < v2.3.6
- Nintendo 3DS
- Windows XP prior to SP3
  - cannot handle SHA-2 signed certificates
- Java 7 < 7u111
- Java 8 < 8u101
- Windows Live Mail (2012 mail client, not webmail)
  - cannot handle certificates without a CRL
- PS3 game console
- PS4 game console with firmware < 5.00
Platforms that will no longer validate Let's Encrypt certificates
- macOS < 10.12.1
- iOS < 10
- Mozilla Firefox < 50
- Ubuntu >= precise / 12.04 and < xenial / 16.04
- Debian >= squeeze / 6 and < jessie / 8
- Java 8 >= 8u101 and < 8u141
- Java 7 >= 7u111 and < 7u151
- NSS >= v3.11.9 and < 3.26
- Amazon FireOS (Silk Browser) (version range unknown)
- Cyanogen > v10 (version that added ISRG Root X1 unknown)
- Jolla Sailfish OS > v1.1.2.16 (version that added ISRG Root X1 unknown)
- Kindle > v3.4.1 (version that added ISRG Root X1 unknown)
- Blackberry >= 10.3.3 (version that added ISRG Root X1 unknown)
- PS4 game console with firmware >= 5.00 (version that added ISRG Root X1 unknown)
Newer versions of iOS or Mac OS should not be affected according to Let's Encrypt, but it appears that the issue is seen on some newer versions as well.
Scott Helme confirms that he is seeing issues on iOS 11, 13 and 14, and several Mac OS versions that are "only a few minor releases behind" the current.
There are also many reports of iOS and macOS versions newer than expected seeing issues on sites serving the expired R3 intermediate. I've seen errors on iOS 11, 13 and 14 along with several macOS versions only a few minor releases behind current. No fix on the client side yet.
— Scott Helme (@Scott_Helme) September 29, 2021
Helme created a test site for clients to test if the client is affected.
Workaround
It is not clear right now if users can do anything about the issue on their end. One option that users have is to use Firefox, as it uses its own certificate store. Connections that are broken in the default browser that is used on the system should work in Firefox on the same system.
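Added example (not from the article or from Let's Encrypt): a simplified Python model of certificate path building that shows why a client whose trust store holds only the expired root reports a date error, while a client whose store already contains ISRG Root X1, such as a browser with its own store, still validates the same site. It compares names and expiry dates only and checks no signatures; apart from September 30, 2021 and September 30, 2024, all dates and the host name `site.example` are constructed placeholders.

```python
from datetime import date
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: date

# Constructed model. Only the 2021-09-30 and 2024-09-30 dates come from the
# article; every other expiry date and the host name are placeholders.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 1, 1))
LEAF = Cert("site.example", "R3", date(2021, 12, 1))
SERVED = [R3, ISRG_CROSS]  # intermediates the server sends with the leaf

def validate(leaf, served, trust_store, today):
    """Try every path from leaf to a trusted root; report a browser-style result."""
    anchors = {c.subject: c for c in trust_store}
    saw_expired = False
    def walk(cert, depth):
        nonlocal saw_expired
        if cert.not_after < today:          # expired link: this path is dead
            saw_expired = True
            return False
        anchor = anchors.get(cert.issuer)
        if anchor is not None:
            if anchor.not_after >= today:   # reached a root that is still valid
                return True
            saw_expired = True              # root is trusted but expired
        if depth >= 8:                      # guard against issuer loops
            return False
        return any(walk(c, depth + 1) for c in served
                   if c.subject == cert.issuer and c is not cert)
    if walk(leaf, 0):
        return "OK"
    return "CERT_DATE_INVALID" if saw_expired else "CERT_AUTHORITY_INVALID"

def scenarios():
    before, after = date(2021, 9, 29), date(2021, 10, 1)
    old_os, own_store = [DST_ROOT], [DST_ROOT, ISRG_ROOT]  # without / with ISRG Root X1
    return {
        "old OS store, before expiry": validate(LEAF, SERVED, old_os, before),
        "old OS store, after expiry": validate(LEAF, SERVED, old_os, after),
        "store with ISRG Root X1, after expiry": validate(LEAF, SERVED, own_store, after),
    }

if __name__ == "__main__":
    print(scenarios())
```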
Now You: did you experience any website connecting issues related to certificates since September 30, 2021?
Hi! So this worked for me! but one website I have been having an issue with for the same amount of time shows this result: ERR_EMPTY_RESPONSE. Is that a separate issue? I have a 2015 macbook and running on the 10.11.6 operating system. Any help is appreciated! Thanks.
@Nico Thank you, thank you, thank you! OSX 10.11.6
Thank you so much for writing this article! I opened Firefox and tried the sites that were giving me errors and they worked!
OSX 10.11.6
Mac Book Pro, Early 2015
Thank you so much. The last 2 weeks have been a nightmare. I followed the YouTube link and it worked :)
As of today I see new errors. NET::ERR_CERT_AUTHORITY_INVALID
Again see issues with certificates, RSA Domain
There’s nothing here that you can’t find on the Let’s Encrypt site. The existence of this post is making it difficult to find an issue that’s occurring right now which is that existing up-to-date chrome users are receiving certificate errors.
Thanks a lot for your advice, guys: it works perfectly on my rusted but trusted old MacBookPro (El Capitan 10.11.6).
Even to access some HSTS protected websites.
Here’s a video on a fix : https://www.youtube.com/watch?v=WLG6XVZPF34
Thanks Bill, the video worked for me!
Video instructions: (same as what Bill posted)
https://www.youtube.com/watch?v=WLG6XVZPF34&ab_channel=AintBigAintClever
Written instructions :
https://www.bounca.org/tutorials/install_root_certificate.html
Thanks All!
Like many, I too was having this problem and believed that I needed to upgrade/update my OS to overcome the problem… then I read comments, and watched the video, and gave it a whirl: it took about 3 minutes to download the certificate and ‘activate’ it and this solution solved my problems immediately. Thank you for making this solution available to so many!!!
Thank you, Bill! After being hesitant to click on links and download new things, I threw caution to the wind and followed the YouTube link. So far, it has absolutely worked. Thank you and thank you to that YouTuber.
After many hours of trying to sort this issue on my early 2009 MacBook Pro, running El Capitan, I stumbled upon this post, followed the instructions on YouTube https://www.youtube.com/watch?v=WLG6XVZPF34 (posted by Bill), and now I can visit my favourite websites again on both Safari and Chrome. Thank you very much indeed!
I share adaminspace1’s sentiments. I am not a technical user. Trust is a big issue, but purchasing a new Apple computer just to browse the web is insane! Some simple ‘What you see, is What you get’ instructions would be great.
Solutions from Nico and ULi may be valid but I, for one, am not willing to download things to my keychain and mark them as trusted after following some comments on a blog.
If Martin can check them and confirm that would be enough for me, otherwise I will be going to Firefox.
Yes, agreed on clicking links and downloading unknowns.
Unfortunately, I just found this from the Mozilla support site on Firefox with OS 10.11. After July 2021, Firefox is not offering security updates for 10.11… Sigh. At a loss. Would love concrete confirmation of the helpful suggestions here.
Firefox version 78 is the last supported Firefox version for Mac users of OS X 10.9 Mavericks, OS X 10.10 Yosemite and OS X 10.11 El Capitan. These users will be moved to the Firefox Extended Support Release (ESR) channel by an application update. This will provide security updates until the next ESR update in July 2021, after which the affected users will no longer receive security updates.
@adaminspace1; October 6, 2021 at 12:53 pm
https://letsencrypt.org/certificates/
Is legit.
But it would be great if Martin published a follow up article with instructions. :)
OSX has certificates built in for verification of websites; with “El Capitan” (10.11.6) they are expired for some websites.
All browsers use the certificates issued by the OS, except Firefox, they use their own certificates.
explained here:
https://ask.metafilter.com/346251/Persistent-invalid-certificate-errors-are-making-my-life-difficult
To solve the problem on older Macs, here are the instructions:
https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/
You download the ISRG Root X1 certificate, add it via Keychain to your certificates, mark it as trusted and all is OK again (it was like this for me).
Was driving me crazy, tried this and
it worked!
Thank you so much for this!
Does anyone know if MEGAsync is affected by this? I have MEGA on an older 2012 MacBook Pro that won’t log in. But on my iPad 4 it’s fine.
@CM; October 4, 2021 at 11:20 pm
As I said above:
Go to https://letsencrypt.org/certificates/
Download the ISRG Root X1 .pem file and then follow the instructions here:
https://www.bounca.org/tutorials/install_root_certificate.html
(screenshots are in Dutch…)
Brilliant – this worked for me! Though I had to download the file using an incognito page for some reason – whatever, it worked!
Same same here with both Chrome and Safari on mid-2009 MacBook Pro OS10.11.6
So, a switch to Firefox is the solution? Does Firefox have ability to import bookmarks from Chrome? Thanks in advance for any suggestions!
So frustrated!
Finally, I’ve found the way:
Win + r. and type “certmgr.msc”
Then, delete 3 items :
R3 Certificate and DST ROOT CA X3
To delete, just win + r “certmgr.msc” then go thru :
1. Trusted Root Certification Authorities > Certificates
2. Intermediate Certification Authorities > Certificates
3. Third-party root Certification Authorities > Certificates
Right click, and press delete
To locate the right certificate :
Just use Issued By and Expiration Date, search for certificate issued by DST ROOT CA X3, and expired around 29-30 sept 2021.
Install new certificate :
Download this : https://letsencrypt.org/certs/isrgrootx1.der
Double click it.
Then, Choose Local Machine, Next
Choose Place all Certificates in the following store, and then choose “Trusted Root Certification Authorities” folder
Restart your PC
Worked for WIN 7 and WIN 10 ( Tested )
It worked. Thanks.
WORKS GREAT!
Thank you.
Thank you for a lucid reason this is happening, though I keep getting the “Your connection is not private/ NET::ERR_CERT_DATE_INVALID” when trying to click on the helpful links in this post! (Am half LOLing) Using Chrome on an iMac with OS 10.11.6. I visited the letsencrypt site on FF, but have no idea how or what to download and install. Am really hoping someone figures out a work-around that doesn’t require me to buy a new desktop computer.
@VW
Try this:
Go to https://letsencrypt.org/certificates/
Download the ISRG Root X1 .pem file and then follow the instructions here:
https://www.bounca.org/tutorials/install_root_certificate.html
(screenshots are in Dutch…)
Thank you, thank you, thank you!
I’ve also confirmed this working on all Mac OS X operating systems going back to Snow Leopard 10.6.8.
You sir or ma’am are a lifesaver!
THANK YOU!!! Finally a fix.
Worked perfectly! Likewise on Mac OS 10.11.6
Nico, thank you so much, this also worked for me on 10.11.6 and Google Chrome 94.
@Nico
Thank you for that additional explanation! It took a bit of fiddling with my computer settings to get the file to be trusted, but I think I’ve done it, and when I click on links in Chrome they are now working. I am not exactly sure what I just did, but it appears I’ll be able to hang on to the old OS a bit longer!
WOW thank you. Also on Mac OS 10.11.6
Worked for me on Mac OS 10.11.6 – thanks!
Ubuntu 14.04 LTS and up validate everything correctly, as long as all updates are applied and ESM is enabled.
@Martin
>It is not clear right now if users can do anything about the issue on their end.
Download the certificate ISRG Root X1 with Firefox and install it system wide?
Maybe a follow up article about how to do that on Windows/macOS.
https://letsencrypt.org/certificates/
Yes, we’re experiencing the issue on Mac 10.10.5 and on Chrome and Safari says it can’t establish a connection to the sites. I first noticed it when trying to access Wikipedia.
We are using a Fortinet firewall and Windows 10, and we are facing the same issue of expired certificates.