Some Mac and Android users experience website connection issues caused by expired Let's Encrypt certificates
Reports are coming in that Internet users who run Mac devices or older Android devices are experiencing connection issues on some sites they visit in most web browsers.
Mac users who experience the issue get "your connection is not private" error messages with the error code NET::ERR_CERT_DATE_INVALID.
Most web browsers on Mac devices, including Google Chrome and other Chromium web browsers, throw the error messages when users connect to certain sites.
The issue is related to the expiration of the root certificate of Let's Encrypt on September 30, 2021. Let's Encrypt is a nonprofit organization that has issued more than 2 billion certificates since its founding.
Certificates that have been issued by an expired root certificate won't be trusted anymore by clients. Let's Encrypt tries to mitigate issues caused by the expiration of the root certificate through a new cross-signed root certificate that is valid until September 30, 2024.
Let's Encrypt released lists of platforms that may run into issues from September 30, 2021 onward and those that should not.
Older versions of Mac OS and iOS are on the incompatible lists, as well as older Linux distributions and some other older devices, such as Android devices running Android 2.3.6 or older.
- Blackberry < v10.3.3
- Android < v2.3.6
- Nintendo 3DS
- Windows XP prior to SP3
  - cannot handle SHA-2 signed certificates
- Java 7 < 7u111
- Java 8 < 8u101
- Windows Live Mail (2012 mail client, not webmail)
  - cannot handle certificates without a CRL
- PS3 game console
- PS4 game console with firmware < 5.00
Platforms that will no longer validate Let's Encrypt certificates
- macOS < 10.12.1
- iOS < 10
- Mozilla Firefox < 50
- Ubuntu >= precise / 12.04 and < xenial / 16.04
- Debian >= squeeze / 6 and < jessie / 8
- Java 8 >= 8u101 and < 8u141
- Java 7 >= 7u111 and < 7u151
- NSS >= v3.11.9 and < 3.26
- Amazon FireOS (Silk Browser) (version range unknown)
- Cyanogen > v10 (version that added ISRG Root X1 unknown)
- Jolla Sailfish OS > v18.104.22.168 (version that added ISRG Root X1 unknown)
- Kindle > v3.4.1 (version that added ISRG Root X1 unknown)
- Blackberry >= 10.3.3 (version that added ISRG Root X1 unknown)
- PS4 game console with firmware >= 5.00 (version that added ISRG Root X1 unknown)
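Why the contents of a platform's root store decide the outcome, as an added example that is not part of the original article: a simplified path check that matches certificates by name only (no signature verification) and, like a strict client, also checks the trust anchor's validity dates. "Old Root", `example.test` and all timestamps are constructed; "R3" and "ISRG Root X1" are the names used on this page.

```python
import ssl

def cert(name, issuer, not_before, not_after):
    return {"name": name, "issuer": issuer,
            "notBefore": not_before, "notAfter": not_after}

# Constructed sample data: names only, no keys or signatures. "Old Root" stands
# in for the root that expired on September 30, 2021; times are illustrative.
OLD_ROOT = cert("Old Root", "Old Root",
                "Sep 30 00:00:00 2000 GMT", "Sep 30 00:00:00 2021 GMT")
ISRG_X1 = cert("ISRG Root X1", "ISRG Root X1",
               "Jun 04 00:00:00 2015 GMT", "Jun 04 00:00:00 2035 GMT")
SERVED = [  # what the site sends: leaf, intermediate, cross-signed root
    cert("example.test", "R3", "Sep 01 00:00:00 2021 GMT", "Nov 30 00:00:00 2021 GMT"),
    cert("R3", "ISRG Root X1", "Sep 04 00:00:00 2020 GMT", "Sep 15 00:00:00 2025 GMT"),
    cert("ISRG Root X1", "Old Root", "Jan 20 00:00:00 2021 GMT", "Sep 30 00:00:00 2024 GMT"),
]

def valid_at(c, at):
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" format
    return (ssl.cert_time_to_seconds(c["notBefore"]) <= at
            <= ssl.cert_time_to_seconds(c["notAfter"]))

def validate(chain, trust_store, when):
    """Walk from the leaf towards a trust anchor; return (status, cert name)."""
    at = ssl.cert_time_to_seconds(when)
    served = {c["name"]: c for c in chain[1:]}
    anchors = {c["name"]: c for c in trust_store}
    current, seen = chain[0], set()
    while True:
        if not valid_at(current, at):
            return ("CERT_DATE_INVALID", current["name"])
        anchor = anchors.get(current["issuer"])
        if anchor is not None:  # issuer is in the local root store
            status = "OK" if valid_at(anchor, at) else "CERT_DATE_INVALID"
            return (status, anchor["name"])
        nxt = served.get(current["issuer"])
        if nxt is None or nxt["name"] in seen:  # no issuer sent, or a loop
            return ("UNKNOWN_ISSUER", current["issuer"])
        seen.add(nxt["name"])
        current = nxt

if __name__ == "__main__":
    for label, store in (("old store", [OLD_ROOT]), ("updated store", [ISRG_X1])):
        for when in ("Sep 29 00:00:00 2021 GMT", "Oct 01 00:00:00 2021 GMT"):
            print(label, when, validate(SERVED, store, when))
```

The same served chain validates or fails depending only on which root the client has in its store and on the date of the check.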
Newer versions of iOS or Mac OS should not be affected according to Let's Encrypt, but it appears that the issue is seen on some newer versions as well.
Scott Helme confirms that he is seeing issues on iOS 11, 13 and 14, and on several Mac OS versions that are "only a few minor releases behind" the current one.
There are also many reports of iOS and macOS versions newer than expected seeing issues on sites serving the expired R3 intermediate. I've seen errors on iOS 11, 13 and 14 along with several macOS versions only a few minor releases behind current. No fix on the client side yet.
— Scott Helme (@Scott_Helme) September 29, 2021
Helme created a test site that users can open to check whether their client is affected.
It is not clear right now if users can do anything about the issue on their end. One option that users have is to use Firefox, as it uses its own certificate store. Connections that are broken in the default browser that is used on the system should work in Firefox on the same system.
Now You: did you experience any website connection issues related to certificates since September 30, 2021?