Some Mac and Android users experience website connection issues caused by expired Let's Encrypt certificates

Martin Brinkmann
Oct 2, 2021
Internet
|
40

Reports are coming in that Internet users who run Mac devices or older Android devices are experiencing connection issues on some sites they visit in most web browsers.

Mac users who experience the issue get "your connection is not private" error messages with the error code NET::ERR_CERT_DATE_INVALID.

Most web browsers on Mac devices, including Google Chrome and other Chromium web browsers, throw the error messages when users connect to certain sites.

The issue is related to the expiration of the root certificate of Let's Encrypt on September 30, 2021. Let's Encrypt is a nonprofit organization that has issued more than 2 billion certificates since its founding.

Certificates that have been issued by an expired root certificate won't be trusted anymore by clients. Let's Encrypt tries to mitigate issues caused by the expiration of the root certificate through a new cross-signed root certificate that is valid until September 30, 2024.

Let's Encrypt released lists of platforms that may run into issues from September 30, 2021 onward and those that should not.

Older versions of Mac OS and iOS are on the not compatible lists well as older Linux distributions, and some other older devices such as Android devices running Android 2.3.6 or older.

Known Incompatible

  • Blackberry < v10.3.3
  • Android < v2.3.6
  • Nintendo 3DS
  • Windows XP prior to SP3
    • cannot handle SHA-2 signed certificates
  • Java 7 < 7u111
  • Java 8 < 8u101
  • Windows Live Mail (2012 mail client, not webmail)
    • cannot handle certificates without a CRL
  • PS3 game console
  • PS4 game console with firmware < 5.00

Platforms that will no longer validate Let's Encrypt certificates

  • macOS < 10.12.1
  • iOS < 10
  • Mozilla Firefox < 50
  • Ubuntu >= precise / 12.04 and < xenial / 16.04
  • Debian >= squeeze / 6 and < jessie /8
  • Java 8 >= 8u101 and < 8u141
  • Java 7 >= 7u111 and < 7u151
  • NSS >= v3.11.9 and < 3.26
  • Amazon FireOS (Silk Browser) (version range unknown)
  • Cyanogen > v10 (version that added ISRG Root X1 unknown)
  • Jolla Sailfish OS > v1.1.2.16 (version that added ISRG Root X1 unknown)
  • Kindle > v3.4.1 (version that added ISRG Root X1 unknown)
  • Blackberry >= 10.3.3 (version that added ISRG Root X1 unknown)
  • PS4 game console with firmware >= 5.00 (version that added ISRG Root X1 unknown)

Newer versions of iOS or Mac OS should not be affected according to Let's Encrypt, but it appears that the issue is seen on some newer versions as well.

Scott Helmes confirms that he is seeing issues on iOS 11, 13 and 14, and several Mac OS versions that are "only a few minor releases behind" the current.

Helme created a test site for clients to test if the client is affected.

Workaround

It is not clear right now if users can do anything about the issue on their end. One option that users have is to use Firefox, as it uses its own certificate store. Connections that are broken in the default browser that is used on the system should work in Firefox on the same system.

Now You: did you experience any website connecting issues related to certificates since September 30, 2021?

Summary
Some Mac and Android users experience website connection issues caused by expired Let's Encrypt certificates
Article Name
Some Mac and Android users experience website connection issues caused by expired Let's Encrypt certificates
Description
Reports are coming in that Internet users who run Mac devices or older Android devices are experiencing connection issues on some sites they visit in most web browsers.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Meag said on May 10, 2022 at 12:39 am
    Reply

    Hi! So this worked for me! but one website I have been having an issue with for the same amount of time shows this result: ERR_EMPTY_RESPONSE. Is that a separate issue? I have a 2015 macbook and running on the 10.11.6 operating system. Any help is appreciated! Thanks.

  2. Jess said on April 6, 2022 at 12:04 pm
    Reply

    @Nico Thank you, thank you, thank you! OSX 10.11.6

  3. Anonymous said on November 11, 2021 at 3:33 pm
    Reply

    Thank you so much for writing this article! I opened Firefox and tried the sites that were giving me errors and they worked!

    OSX 10.11.6
    Mac Book Pro, Early 2015

  4. Cristina said on October 18, 2021 at 11:46 am
    Reply

    Thank you so much. The last 2 weeks have been a nightmare. i followed the youtube link and it worked :)

  5. Rombout Versluijs said on October 13, 2021 at 8:08 pm
    Reply

    As of today i see new errors. NET::ERR_CERT_AUTHORITY_INVALID
    Again see issues with certificates, RSA Domain

  6. Tom Hebert said on October 7, 2021 at 8:58 pm
    Reply

    There’s nothing here that you can’t find on the Let’s Encrypt site. The existence of this post is making it difficult to find an issue that’s occurring right now which is that existing up-to-date chrome users are receiving certificate errors.

  7. Zanza said on October 7, 2021 at 7:48 am
    Reply

    Thanks a lot for your advices guys: it works perfectly on my rusted but trusted old MacBookPro (El Capitan 10.11.6 ).
    Even to access some HSTS protected websites.

  8. Bill said on October 7, 2021 at 2:08 am
    Reply

    Here’s a video on a fix : https://www.youtube.com/watch?v=WLG6XVZPF34

    1. chet said on February 3, 2022 at 11:19 pm
      Reply

      Thanks Bill, the video worked for me!

      Video instructions: (same as what Bill posted)
      https://www.youtube.com/watch?v=WLG6XVZPF34&ab_channel=AintBigAintClever

      Written instructions :
      https://www.bounca.org/tutorials/install_root_certificate.html

      Thanks All!

    2. David Wheeler said on October 20, 2021 at 1:58 pm
      Reply

      Like many, I too was having this problem and believed that I needed to upgrade/update my OS to overcome the problem… then I read comments, and watched the video, and gave it a whirl: it took about 3 minutes to download the certificate and ‘activate’ it and this solution solved my problems immediately. Thank you for making this solution available to so many!!!

    3. CM said on October 9, 2021 at 7:39 pm
      Reply

      Thank you, Bill! After being hesitant to click on links and download new things, I threw caution to the wind and followed the YouTube link. So far, it has absolutely worked. Thank you and thank you to that YouTuber.

    4. Val said on October 7, 2021 at 12:52 pm
      Reply

      After many hours of trying to sort this issue on my early 2009 MacBook Pro, running El Captan, I stumbled upon this post, followed the instructions on youtube https://www.youtube.com/watch?v=WLG6XVZPF34 (posted by Bill), and now I can visit my favourite websites again on both Safari and Chrome. Thank you very much indeed!

  9. Paul White said on October 6, 2021 at 2:06 pm
    Reply

    I share adaminspace1’s sentiments. I am not a technical user. Trust is a big issue, but purchasing a new Apple computer just to browse the web is insane! Some simple ‘What you see, is What you get’ instructions would be great.

  10. adaminspace1 said on October 6, 2021 at 12:53 pm
    Reply

    Solutions from Nico and ULi may be valid but I, for one, am not willing to download things to my keychain and mark them as trusted after following some comments on a blog.
    If Martin can check them and confirm that would be enough for me, otherwise I will be going to Firefox.

    1. CM said on October 7, 2021 at 8:11 pm
      Reply

      Yes, agreed on clicking links and downloading unknowns.

      Unfortunately, I just found this from the Mozilla support sight on Firefox with OS 10.11. After July 2021, Firefox is not offering security updates for 10.11… Sigh. At a loss. Would love concrete confirmation of the helpful suggestions here.

      Firefox version 78 is the last supported Firefox version for Mac users of OS X 10.9 Mavericks, OS X 10.10 Yosemite and OS X 10.11 El Capitan. These users will be moved to the Firefox Extended Support Release (ESR) channel by an application update. This will provide security updates until the next ESR update in July 2021, after which the affected users will no longer receive security updates.

    2. Nico said on October 6, 2021 at 6:42 pm
      Reply

      @adaminspace1; October 6, 2021 at 12:53 pm

      https://letsencrypt.org/certificates/
      Is legit.

      But it would be great if Martin published a follow up article with instructions. :)

  11. ULi said on October 5, 2021 at 8:43 pm
    Reply

    OSX has certificates build in for verification of websites, with “El Captain” (10.11.6) they are expired for some websites.

    All browsers use the certificates issued by the OS, except Firefox, they use their own certificates.

    explained here:
    https://ask.metafilter.com/346251/Persistent-invalid-certificate-errors-are-making-my-life-difficult

    To solve the problem on older Mac’s here is the instruction:

    https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

    you download the ISRG Root X1 certificate, add it via Keychain to your certificates, mark it as trusted and all is ok again (was like this for me)

    1. Doug said on October 7, 2021 at 6:10 pm
      Reply

      Was driving me crazy, tried this and
      it worked!

      Thank you so much for this!

  12. Brett said on October 5, 2021 at 5:09 pm
    Reply

    Does anyone know if MEGAsync is affected by this. I have MEGA on an older 2012 Macbook Pro that won’t login. But on my iPad 4 it’s fine.

  13. Nico said on October 5, 2021 at 10:30 am
    Reply

    @CM; October 4, 2021 at 11:20 pm

    As I said above:

    Go to https://letsencrypt.org/certificates/
    Download the ISRG Root X1 .pem file and then follow the instructions here:
    https://www.bounca.org/tutorials/install_root_certificate.html
    (screenshots are in Dutch…)

    1. Anonymous said on October 19, 2021 at 5:16 pm
      Reply

      Brilliant -this worked for me! Though had to download the file using an incognito page for some reason – whatever, it worked!

  14. CM said on October 4, 2021 at 11:20 pm
    Reply

    Same same here with both Chrome and Safari on mid-2009 MacBook Pro OS10.11.6
    So, a switch to Firefox is the solution? Does Firefox have ability to import bookmarks from Chrome? Thanks in advance for any suggestions!
    So frustrated!

  15. AWS said on October 4, 2021 at 8:51 am
    Reply

    inally, i’ve found the way :

    Win + r. and type “certmgr.msc”

    Then, delete 3 items :
    R3 Certificate and DST ROOT CA X3

    To delete, just win + r “certmgr.msc” then go thru :
    1. Trusted Root Certification Authorities > Certificates
    2. Intermediate Certification Authorities > Certificates
    3. Third-party root Certification Authorities > Certificates

    Right click, and press delete

    To locate the right certificate :
    Just use Issued By and Expiration Date, search for certificate issued by DST ROOT CA X3, and expired around 29-30 sept 2021.

    Install new certificate :
    Download this : https://letsencrypt.org/certs/isrgrootx1.der
    Double click it.
    Then, Choose Local Machine, Next
    Choose Place all Certificates in the following store, and then choose “Trusted Root Certification Authorities” folder

    Restart your PC

    Worked for WIN 7 and WIN 10 ( Tested )

    1. User said on October 8, 2021 at 8:53 am
      Reply

      It worked. Thanks.

    2. ednjudy holmes said on October 5, 2021 at 6:23 pm
      Reply

      WORKS GREAT!
      Thank you.

  16. VW said on October 4, 2021 at 12:21 am
    Reply

    Thank you for a lucid reason this is happening, though I keep getting the “Your connection is not private/ NET::ERR_CERT_DATE_INVALID” when trying to click on the helpful links in this post! (Am half LOLing) Using Chrome on an iMac with OS 10.11.6. I visited the letsencrypt site on FF, but have no idea how or what to download and install. Am really hoping someone figures out a work-around that doesn’t require me to buy a new desktop computer.

    1. Nico said on October 4, 2021 at 9:03 am
      Reply

      @VW
      Try this:

      Go to https://letsencrypt.org/certificates/
      Download the ISRG Root X1 .pem file and then follow the instructions here:
      https://www.bounca.org/tutorials/install_root_certificate.html
      (screenshots are in Dutch…)

      1. Jess said on April 6, 2022 at 12:03 pm
        Reply

        Thank you, thank you, thank you!

      2. Stephen Fox said on October 31, 2021 at 3:03 am
        Reply

        I’ve also confirmed this working on all Mac OS X operating systems going back to Snow Leopard 10.6.8.

      3. Anonymous said on October 24, 2021 at 8:00 am
        Reply

        You sir or ma’am are a lifesaver!

      4. Anonymous said on October 22, 2021 at 4:16 am
        Reply

        THANK YOU!!! Finally a fix.

      5. George said on October 8, 2021 at 9:29 pm
        Reply

        Worked perfectly! Likewise on Mac OS 10.11.6

      6. Stephen Fox said on October 8, 2021 at 3:22 am
        Reply

        Nico, thank you so much, this also worked for me on 10.11.6 and Google Chrome 94.

      7. VW said on October 7, 2021 at 2:58 am
        Reply

        @Nico

        Thank you for that additional explanation! It took a bit of fiddling with my computer settings to get the file to be trusted, but I think I’ve done it, and when I click on links in Chrome they are now working. I am not exactly sure what I just did, but it appears I’ll be able to hang on to the old OS a bit longer!

      8. sethplg said on October 6, 2021 at 11:57 pm
        Reply

        WOW thank you. Also on Mac OS 10.11.6

      9. Anonymous said on October 5, 2021 at 10:00 pm
        Reply

        Worked for me on Mac OS 10.11.6 – thanks!

  17. Dimitri John Ledkov said on October 3, 2021 at 9:42 pm
    Reply

    Ubuntu 14.04 LTS and up validate everything correctly, as long as all updates are applied and ESM is enabled.

  18. Nico said on October 3, 2021 at 7:17 pm
    Reply

    @Martin

    >It is not clear right now if users can do anything about the issue on their end.

    Download the certificate ISRG Root X1 with Firefox and install it system wide?
    Maybe a follow up article about how to do that on Windows/macOS.

    https://letsencrypt.org/certificates/

  19. Anonymous said on October 3, 2021 at 12:01 pm
    Reply

    Yes, we’re experiencing the issue on Mac 10.10.5 and on Chrome and Safari says it can’t establish a connection to the sites. I first noticed it when trying to access Wikipedia.

  20. Govind Aldoncar said on October 3, 2021 at 5:23 am
    Reply

    We are using fortinet firewall and windows 10, we are facing same issue of expired certificates.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.