Certificates are not trusted on Chrome and Safari on old iMac with El Capitan

Eventually, it will be the case for every old device. We haven't seen this happen on such a large scale before because HTTPS has not been in wide use for long enough, but every old device that isn't updated anymore will eventually stop working with HTTPS entirely.

Ok so I added it to the system, but https://atervinnmera.se/ is still not working in chrome or safari?
Do I have to restart my mac for it to work perhaps?

Ah yes, there's one more step I forgot.

Find "ISRG Root X1" in the list and double click it. There'll be a Trust menu you can open, and then change "Use System Defaults" to "Always Trust". Then close the pop up window and it should ask you to enter your password.

You may have to restart as well, yes.

2 Likes

Thanks a lot. Yes it works now :slight_smile:

But what do you think about the other post I linked?
That is nothing that relates to my problem or?

1 Like

Unfortunately that solution wouldn't work in your situation. Your server is sending the correct certificates, however client devices must have ISRG Root X1 installed for it to work.

If you want to support older devices, then you would have to go with a certificate authority other than Let's Encrypt, and even then you're just delaying the inevitable. As I said before, all old devices will eventually stop working with HTTPS if they can't be updated any more.

Ok good to know at least so I know there is nothing I can do :slight_smile: Thanks a lot for your help, you saved my day. Goldstar to you!

2 Likes

This really is devastating. I can resolve the problem for myself simply by using Firefox. But what of the many friends and customers who use Chrome on MACs they purchased 5 years ago? Yosemite won't update. Chrome won't update. It should not be necessary for everyone to purchase new computers just to visit the websites they like to frequent. Do you think anyone will develop a simple patch I can add to make my websites accessible?

2 Likes

Unfortunately, this is the way web based encryption was designed. It's ultimately about trust. Old computers and devices that are no longer being updated by their manufacturer don't know how to trust new Certificate Authorities or changes to existing Certificate Authorities. So they require some form of manual intervention in order to update that trust.

I understand your frustration. But as you can personally attest, they don't. They need to be willing to use different software like Firefox. It may also be possible to manually update the trust configuration on these old devices so they can continue using Chrome. I'm not familiar enough with the platform to say for sure. But it would require each user to make the change themselves (or a tech-savvy friend/relative) once the instructions are known.

If you want to continue using Let's Encrypt certificates, no. Your other option is to change which Certificate Authority you get your websites' certificates from to one that is still trusted by these old devices. But it's just a stop-gap until that CA has its next expiration that affects those devices.

1 Like

OS X Yosemite (10.10) and El Capitan (10.11) didn't trust ISRG Root X1 and so won't validate Let's Encrypt certificates. Sierra (10.12), released in 2016, does. According to Wikipedia, Sierra can run on:

I'm not sure why your friends and customers aren't able to update Yosemite or Chrome, but it would be good to contact Apple support about the problem. In particular, people who aren't receiving updates to their browser are at risk for malware, since each new browser release usually fixes some serious security bugs.

1 Like

Thank you, everyone, for your feedback! Chrome (version 87) won't update because it says the Yosemite version (10.10.5) is too old. Yosemite won't update because the 2013 MAC is too old. I'll try Apple Support. Meanwhile, I'll scout around to see if I can find a third party SSL certificate that will buy me a couple more years.

1 Like

@webprofusion @Tugzrida posts much appreciated!

1 Like

I can't even get to this link
as my old iMac says 'Your clock is ahead' NET::ERR_CERT_DATE_INVALID.

I am beyond frustrated. I've lost two days of work because of this.

Sorry to hear you've lost two days' worth of work, Ella! That's really frustrating.

Here's a copy of the file you need: isrgrootx1.txt (1.9 KB)

What year is your iMac from? Have you tried updating the OS?

Unfortunately I still get the error: Your clock is ahead.

I can get that text on my iPhone and sent it to my email. What do I do with it though?

I have an iMac 2009 Snow Leopard. It's been working fine until now.

I cannot upgrade as I have Adobe CS5 InDesign, Photoshop and Illustrator discs and they won't run on anything higher. Adobe no longer sells disks but charges $636 per year to use them now. Absolutely highway robbery for a small business.

I got on my MILs iMac Yosemite (late 2012) and her error message says: Your connection is not private and that the certificate date is invalid. NET::ERR_CERT_DATE_INVALID.

1 Like

Have you found a solution yet? I haven't been able to get into the websites I need to.

I also have an older iMac 2009 which was working fine until now.

In this post: Certificates are not trusted on Chrome and Safari on old iMac with El Capitan - #24 by jsha, I linked to a list of which Apple devices can be upgraded to OS X 10.12. It looks like your iMac might just barely be able to do it, depending on whether it is "late 2009" or earlier:

iMac : Late 2009 or newer

I know it's a major frustration to have to upgrade your OS across so many versions, but in the long run it's a very good idea. Old operating systems and especially old browsers have a lot of security bugs that can result in you getting malware.

One other possibility: You might be able to download and install ISRG Root X1 from this URL: http://x1.i.lencr.org/

1 Like

Funny, I've been on the Mac since the teeny SEs in 1990, I've had no issues with malware.

2 Likes

Ella, no, I haven't found a solution yet. I would update my Yosemite if I could, but so far no luck.

Jsha, I wish this were true! My OS is Yosemite 10.10.5. No updates available for MacPro 2013.

1 Like

Bummer! I'm far from a Mac expert, but this thread seems to suggest you need to go to the App Store to do the upgrade (it sounds like upgrades are done differently from regular updates): Mac won’t update past OS X Yosemite 10.10… - Apple Community

1 Like