Certificates are not trusted on Chrome and Safari on old iMac with El Capitan

Not sure if you saw this but my Mac works now after doing it!

Set the DST Root CA X3 to "Always Trust":

Directions for fix:

  1. Open ~/Applications/Utilities/Keychain Access.app
  2. From View menu select "Show Expired Certificates"
  3. On the Left Sidebar pick System Root
  4. In search bar top-right type DST
  5. Double-click "DST Root CA X3"
  6. In pop-up, turn down "Trust" arrow and set "When using this certificate" to "Always Trust"
  7. Close the pop-up and put in an Administrator user/password info.
  8. Close all open Browsers & Keychain you should be good to go after that.

Hi, I have to clients on Mac OS X 10.11 El Capitan, same Chrome and Safari and Firefox versions but slightly different type of hardware. Chrome and Safari on the older hardware show errors for root certificate.
The server runs on digitalocean, ubuntu, docker (nginx, acme-companion). Could you please comment on this issue? Domain is https://artpool.hu/

Hi @mkristof welcome to the LE community forum :slight_smile:

I believe there is another topic here more specifically dedicated to Mac OS.
I'll try to find it and move your post there soon.
In the meantime...
I think if you can upgrade to 10.12 or higher that would fix a lot.
If not, there are some manual workarounds posted throughout.

Did you see the comment immediately above yours? That solution works.

Ella, THANK YOU! The fix you outlined allows me to use Chrome and Safari on my older computer. This is wonderful. Of course, the larger question remains... how will readers who are not tech-savvy and often use older computers, be able to use their browsers? I understand the need for safety, but the new security update throws many people into Internet darkness.

1 Like

Realistically, those users will need to seek out the help of tech-savvy relatives, friends, or local paid support services.

Again, this was not a choice that Let's Encrypt made. They could not have prevented this even if they wanted to and they went to great lengths to delay the change for as long as possible. It is a simple reality of how web security works. Trust expires and needs to be updated. Devices that can't be updated will be left behind not due to malice or lack of caring, just math.


I'm just summarizing the symptoms and workarounds/fixes as far as I know, at least as far as Mac OS X goes.

Staring Sept 30th 2021, Mac OS X 10.11 El Capitan (Fall 2015), Mac OS X 10.10 Yosemite (Fall 2014), and Mac OS X 10.9 Mavericks (Fall 2013) (and earlier) no longer trust Let's Encrypt certificates.

Chrome error is something like: "Your connection is not private" "Attackers might be trying to steal your information from ... (for example, passwords, messages, or credit cards)." "NET::ERR_CERT_DATE_INVALID".

Safari error is something like "This Connection Is Not Private" "This website may be impersonating "..." to steal your personal or financial information. You should go back to the previous page."

There are at least 4 client-side fixes/workarounds for old versions of Mac OS X:

  1. Upgrade to Mac OS X Sierra (10.12.1) or newer. Here's the link which has links and hardware requirements for old MacOS versions: https://support.apple.com/en-gb/HT211683

  2. Use Firefox instead of Chrome or Safari. https://www.mozilla.org/firefox/new/

  3. Install and trust the ISRG Root X1 certificate from https://letsencrypt.org/certs/isrgrootx1.pem (I'm not sure what the exact instructions are for installing and trusting it. (der vs pem vs txt?, Login, local, System, or System Roots?, drag it in? set to "Always Trust", etc)

  4. Force Mac OS to Always Trust the expired DST Root CA X3 certificate:

  • Open the Keychain Access app (under Finder -> Applications -> Utilities )
  • On the left sidebar under System Keychains click System Roots
  • In the menu bar at the top of screen under View, select Show Expired Certificates
  • In the Search bar the top-right, type DST
  • Double-click DST Root CA X3 (or click it once and then press enter/return)
  • In the pop-up, click the > arrow next to Trust
  • Set When using this certificate to Always Trust
  • Close the pop-up by clicking the red x in the top-left
  • It will ask you to Enter your password to allow this
  • Restart Chrome or Safari (or your whole computer)
1 Like

Here's how to fix it. Go to the link below and then down to Mac OS and download the ISRG Root X1 certificate.

Once you download that file, go on your Mac to Applications>Utilities>Keychain Access.

• Once in Keychain Access select the System tab on the left.
• Select + on the bottom of the window to add the ISRG Root X1 certificate.
• Once imported, double click that certificate to open it.
• Select the arrow by the Trust tab to open it and change to 'Always Trust' under 'When using this certificate'.

This worked for me, I hope it works for you. Please do let me know if it worked or you're having any issues.


Thank you! it worked

1 Like

I still have a few “older” Macs in use. They’re actually great, as long as you’re not using graphics apps — they’re the last models that were easily upgradable. You can swap out the drives for larger ssds with ease and pop in 2-4x the amount of RAM - one of the popular Mac sites lists the actual amount of possible memory.

There is another site that has an app which will latch the OS X installers for a few versions. I think 10.10, 10.11 and 10.12 - to remove the hardware requirements. A wide range of macs support higher OS versions, but are just restricted out by a text file.

In any event, the correct way to handle this is importing the new root to the system keychain as described above. When using legacy systems that needs to be understood, because many actively used commercial trust roots are not in these older OS versions and also must be added when discovered.


1 Like

THIS WORKED for me!!!! Thank you so much. Wondering does this make me MORE VULNERABLE? Oh Well....

1 Like

It would only make you more vulnerable if you don't actually trust Let's Encrypt to validate the ownership of domains on the Internet and issue certificates for them. The actions you performed are simply telling your OS to trust Let's Encrypt.

1 Like

Just advising that this approach (which effectively means to just ignore the expiry of DST Root CA X3) will only work for a few years. When the cross-sign of ISRG Root X1 expires, this will no longer work. A more future-proof approach would be to include ISRG Root X1.

Trusting ISRG Root X1 was explained by @Ella here:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.