Certificates are not trusted on Chrome and Safari on old iMac with El Capitan

Thanks a lot. Yes it works now

But what do you think about the other post I linked?
That is nothing that relates to my problem or?

Unfortunately that solution wouldn't work in your situation. Your server is sending the correct certificates, however client devices must have ISRG Root X1 installed for it to work.

If you want to support older devices, then you would have to go with a certificate authority other than Let's Encrypt, and even then you're just delaying the inevitable. As I said before, all old devices will eventually stop working with HTTPS if they can't be updated any more.

Ok good to know at least so I know there is nothing I can do Thanks a lot for your help, you saved my day. Goldstar to you!

This really is devastating. I can resolve the problem for myself simply by using Firefox. But what of the many friends and customers who use Chrome on MACs they purchased 5 years ago? Yosemite won't update. Chrome won't update. It should not be necessary for everyone to purchase new computers just to visit the websites they like to frequent. Do you think anyone will develop a simple patch I can add to make my websites accessible?

Unfortunately, this is the way web based encryption was designed. It's ultimately about trust. Old computers and devices that are no longer being updated by their manufacturer don't know how to trust new Certificate Authorities or changes to existing Certificate Authorities. So they require some form of manual intervention in order to update that trust.

I understand your frustration. But as you can personally attest, they don't. They need to be willing to use different software like Firefox. It may also be possible to manually update the trust configuration on these old devices so they can continue using Chrome. I'm not familiar enough with the platform to say for sure. But it would require each user to make the change themselves (or a tech-savvy friend/relative) once the instructions are known.

If you want to continue using Let's Encrypt certificates, no. Your other option is to change which Certificate Authority you get your websites' certificates from to one that is still trusted by these old devices. But it's just a stop-gap until that CA has its next expiration that affects those devices.

OS X Yosemite (10.10) and El Capitan (10.11) didn't trust ISRG Root X1 and so won't validate Let's Encrypt certificates. Sierra (10.12), released in 2016, does. According to Wikipedia, Sierra can run on:

• iMac: Late 2009 or newer
• MacBook and MacBook 12-inch: Late 2009 or newer
• MacBook Pro: Mid 2010 or newer
• MacBook Air: Late 2010 or newer
• Mac Mini: Mid 2010 or newer
• Mac Pro: Mid 2010 or newer
• Xserve is no longer compatible.

I'm not sure why your friends and customers aren't able to update Yosemite or Chrome, but it would be good to contact Apple support about the problem. In particular, people who aren't receiving updates to their browser are at risk for malware, since each new browser release usually fixes some serious security bugs.

Thank you, everyone, for your feedback! Chrome (version 87) won't update because it says the Yosemite version (10.10.5) is too old. Yosemite won't update because the 2013 MAC is too old. I'll try Apple Support. Meanwhile, I'll scout around to see if I can find a third party SSL certificate that will buy me a couple more years.

@webprofusion @Tugzrida posts much appreciated!

I can't even get to this link
as my old iMac says 'Your clock is ahead' NET::ERR_CERT_DATE_INVALID.

I am beyond frustrated. I've lost two days of work because of this.

Sorry to hear you've lost two days' worth of work, Ella! That's really frustrating.

Here's a copy of the file you need: isrgrootx1.txt (1.9 KB)

What year is your iMac from? Have you tried updating the OS?

Unfortunately I still get the error: Your clock is ahead.

I can get that text on my iPhone and sent it to my email. What do I do with it though?

I have an iMac 2009 Snow Leopard. It's been working fine until now.

I cannot upgrade as I have Adobe CS5 InDesign, Photoshop and Illustrator discs and they won't run on anything higher. Adobe no longer sells disks but charges $636 per year to use them now. Absolutely highway robbery for a small business.

I got on my MILs iMac Yosemite (late 2012) and her error message says: Your connection is not private and that the certificate date is invalid. NET::ERR_CERT_DATE_INVALID.

Have you found a solution yet? I haven't been able to get into the websites I need to.

I also have an older iMac 2009 which was working fine until now.

In this post: Certificates are not trusted on Chrome and Safari on old iMac with El Capitan - #24 by jsha, I linked to a list of which Apple devices can be upgraded to OS X 10.12. It looks like your iMac might just barely be able to do it, depending on whether it is "late 2009" or earlier:

iMac : Late 2009 or newer

I know it's a major frustration to have to upgrade your OS across so many versions, but in the long run it's a very good idea. Old operating systems and especially old browsers have a lot of security bugs that can result in you getting malware.

One other possibility: You might be able to download and install ISRG Root X1 from this URL: http://x1.i.lencr.org/

Funny, I've been on the Mac since the teeny SEs in 1990, I've had no issues with malware.

Ella, no, I haven't found a solution yet. I would update my Yosemite if I could, but so far no luck.

Jsha, I wish this were true! My OS is Yosemite 10.10.5. No updates available for MacPro 2013.

Bummer! I'm far from a Mac expert, but this thread seems to suggest you need to go to the App Store to do the upgrade (it sounds like upgrades are done differently from regular updates): Mac won’t update past OS X Yosemite 10.10… - Apple Community

@ella, were you able to download the root certificate onto your iMac using the http://x1.i.lencr.org/ link I provided?

I can Confirm a fix that worked on both a 10.9.5 & 10.11.6 Mac OS. Simply set the DST Root CA X3 to "Always Trust" on several Mac's I manage in an office and home's this fix work for 4 websites that previously had issues with this CERT ERR.

https://www.nynewspapers.com/

Directions for fix:

1. Open ~/Applications/Utilities/Keychain Access.app
2. From View menu select "Show Expired Certificates"
3. On the Left Sidebar pick System Root
4. In search bar top-right type DST
5. Double-click "DST Root CA X3"
6. In pop-up, turn down "Trust" arrow and set "When using this certificate" to "Always Trust"
7. Close the pop-up and put in an Administrator user/password info.
8. Close all open Browsers & Keychain you should be good to go after that.

Screen Shot 2021-10-01 at 6.26.50 PM1083×463 86.6 KB

Can confirm this fixes it. I found this fix elsewhere earlier today and since then things have been largely fine.

(There was one site I visited that insisted it was not secure but I was busy and forgot to record it. Can't recall which it was, unfortunately, but since a reboot, no problems at all.)