Certificates are not trusted on Chrome and Safari on old iMac with El Capitan

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:https://atervinnmera.se

I ran this command: win-acme.v2.1.16.1037.x64.pluggable

It produced this output: A valid certificate with no errors

My web server is (include version):windows 2012 R

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):IIS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I used win-acme.v2.1.16.1037.x64.pluggable

I have been using letsencrypt for a long time and from yesterday it says in chrome and safari that my certificates are not valid(old root). I have used win-acme and when I run it yesterday I got no errors when creating the certificates, but still it says it is not valid?
Any help really appreciated, thanks.

This is strange, if I use chrome in my Macbook Air or in my windows 2012 server the certificate is valid, but it is not valid when I use chrome or Safari on my old iMac 24 ?

And now I see that my mail cant connect to my mail server. So there is something wrong with the certificate, but what?

2

Are you still having issue, or already fixed? The server seems correctly sending the short chain (old openSSL compatible):

$ openssl s_client -connect atervinnmera.se:443
---
Certificate chain
 0 s:CN = atervinnmera.se
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

However, your old iMac 24 may not contain the ISRG Root X1 root certificate in its trust store. I do not know this, but possible.

3

I still have the problem. So you mean that the problem is only in my old iMac?
But I guess that everybody with an old Mac will have the same problem, or?
How do I check if it contains the ISRG X1?

I checked now and yes, my mail program gets an error with the cert, saying that its a problem with the ISRG Root X1 and that the cert is not valid.

4

See the list below of devices that trust ISRG Root X1. Any Mac running macOS 10.12.1 or greater should work.

5

Open Keychain Access, look in System Roots for ISRG Root X1 if it's not there, grab it from https://letsencrypt.org/certs/isrgrootx1.der then drag it onto the Keychain Access app window.

1 Like
6

Thanks, but thats the problem, it works on new macs but not my old imac with el capitan.

7

If it's just your own device, you can follow @webprofusion's advice above.

1 Like
8

Im trying to drag and drop it in the Keychain window, but it says that I should change the keychain trust something- it is in swedish. So I cant add it?

9

Yes it my own device, but off course I want it to work for everybody with older macs :slight_smile:

10

I have the same problem with my iPad 2 :crying_cat_face:

11

Unfortunately, that's not possible with Let's Encrypt. Only macOS >= 10.12.1 will work without manually trusting ISRG Root X1 in Keychain Access.

Can you show a screenshot of what happens when you drop the cert onto Keychain Access?

12

SkaĢˆrmavbild 2021-10-01 kl. 11.49.34
SkaĢˆrmavbild 2021-10-01 kl. 11.49.341269Ɨ772 196 KB

Its in swedish :wink:

13

I donĀ“t understand how these things work but in this post Certificated not Trusted Chrome / Safari. Chain issues incomplete - #7 by Claes the say " Change cert.pem to fullchain.pem". I donĀ“t know if thats my problem or where I can check if it is linking to the cert.pem or fullchain.pem file on my server?

14

Thank goodness for google translate! Click on "System" on the left side before dropping the certificate in.

15

This is terrible!
This means that all older Apple devices will no longer be able to open sites that use letsencrypt.

16

Eventually, it will be the case for every old device. We haven't seen this happen on such a large scale before because HTTPS has not been in wide use for long enough, but every old device that isn't updated anymore will eventually stop working with HTTPS entirely.

17

Ok so I added it to the system, but https://atervinnmera.se/ is still not working in chrome or safari?
Do I have to restart my mac for it to work perhaps?

18

Ah yes, there's one more step I forgot.

Find "ISRG Root X1" in the list and double click it. There'll be a Trust menu you can open, and then change "Use System Defaults" to "Always Trust". Then close the pop up window and it should ask you to enter your password.

You may have to restart as well, yes.

2 Likes
19

Thanks a lot. Yes it works now :slight_smile:

But what do you think about the other post I linked?
That is nothing that relates to my problem or?

1 Like
20

Unfortunately that solution wouldn't work in your situation. Your server is sending the correct certificates, however client devices must have ISRG Root X1 installed for it to work.

If you want to support older devices, then you would have to go with a certificate authority other than Let's Encrypt, and even then you're just delaying the inevitable. As I said before, all old devices will eventually stop working with HTTPS if they can't be updated any more.