Windows 7 Chrome - NET::ERR_CERT_DATE_INVALID

The only "bug" is that Windows 7 is too old to get security updates. Let's Encrypt may be the most well-known issuer of certificates, but it's really nothing specific to them. As roots expire, old systems that aren't getting security (including trust store) updates will have less and less access to the Internet. The only possible "fix" is to update to a supported platform. If Firefox still runs on Windows 7, you could try that since it uses its own trust store. Or, you can try using another CA, but that will just defer the problem until whichever root that CA has in the old trust store also expires.

In terms of specific steps to install the root (though this is from memory so I might be missing a step):

  1. Download https://letsencrypt.org/certs/isrgrootx1.pem (which may involve clicking through warnings, I guess, as you don't currently trust the root)
  2. Rename the file from isrgrootx1.pem to isrgrootx1.crt.
  3. Double-click the file.
  4. It should ask you to confirm that you want to add the certificate to the root store. You probably should check the thumbprint against some known-good source first here, too, but I'm not sure what a good source for that would be that you could reliably trust from such an old system.

I'm guessing somebody could put together a PowerShell or batch file to simplify that somewhat. But again, you're just masking the problem of not getting security updates, and shouldn't actually consider any such system secure for anything.

5 Likes

Windows 7 should have loaded ISRG Root X1 though, as Microsoft still provides root store updates even to Windows XP:

Systems not having ISRG Root X1 probably suffer from some lazy-loading issue, or have updates disabled.

1 Like

Hmm. I was probably reading too much into someone above saying that visiting https://valid-isrgrootx1.letsencrypt.org/ on Windows 7 in IE also didn't work, and I assumed that it meant that Windows 7 didn't have it in the trust store. Perhaps it's just some configurations, or based on whether it had been lazy-loaded correctly in the past? Do we have confirmation that 7 does the same lazy-loading thing, or is it something they added in one of the versions of 10?

1 Like

This is not a bug from Let's Encrypt's side, but just a normal flow of how the PKI infrastructure works. Sysops have a choice between two different certificate chains, so sysops can make a difference there.

2 Likes

What do you mean by a sysop? The website owner? If so, what can a sysop do? Because end users (website visitors) cannot do or be expected to do ANYTHING.

I am still confused about this, I am sorry if this is a stupid question: Would changing the certificate chain help a client that doesn't have ISRG Root X1? E.g. a client with Windows 7 that has never been updated via Windows Update and is out of date?
Also this "lazy-loading" that has been mentioned: Is this possible and how does it work? This post (Microsoft Windows Root Certificate Lazy-Loading) does talk about visiting https://valid-isrgrootx1.letsencrypt.org/ and lazy-loading the cert, but from my testing this does nothing and the page does not load on a client that does not have the current root.

Correct.

Depends on what issue the clients have and what certificate chain the server is sending.

No, except for Android versions prior to 7.1.1. See https://letsencrypt.org/2020/12/21/extending-android-compatibility.html for that. For all other clients, ISRG Root X1 needs to be present in the trust store.

That would be a problem bigger than just an expired iot certificate.

I don't have experience nor knowledge with/about Windows, so maybe someone else may chime in.

2 Likes

Time for some SCIENCE! (By which I mean, of course, that I tried writing down what I did, since that's the key difference between "science" and "just messing around with stuff".)

  1. I went to Virtual Machines - Microsoft Edge Developer and downloaded the VM for "IE11 on Win7 (x86)" for "HyperV (Windows)" and imported it into Hyper-V
  2. In the VM, opened up Internet Explorer [in its about dialog, it says Version: 11.0.9600.18860; Update Versions: 11.0.49 (KB4052978)]
  3. I confirmed the date and time in the VM was correct.
  4. In IE, visited https://helloworld.letsencrypt.org (which uses the "default" DST Root CA X3 rooted chain), and it opened fine.
  5. In IE, visited https://valid-isrgrootx1.letsencrypt.org (which uses the "alternate" chain rooted in ISRG Root X1), and it opened fine.
  6. In IE, visited https://www.google.com/chrome, unchecked the two boxes, and downloaded Chrome for Windows 10/8.1/7 32-bit
  7. In Chrome, went to Menu / Help / About and got version number: Version 94.0.4606.71 (Official Build) (32-bit)
  8. In Chrome, visited https://helloworld.letsencrypt.org and it worked fine.
  9. In Chrome, visited https://valid-isrgrootx1.letsencrypt.org and it also worked fine.

Now, I don't know how similar that VM image (which lists a "created date" of 1/9/2018 in Hyper-V) is to a "real-world" Windows 7 instance which has who-knows-what installed and has been who-knows-where on the Internet to populate caches and whatnot, but it's at least some evidence that it's possible to have a Windows 7 computer that works for going to sites using Let's Encrypt's certificates. It makes me think that those computers that it's not working on must have had automatic updates turned off many years ago in order to not get the ISRG Root X1 certificate in its trust store, but maybe there's something else going on if people are seeing a high level of Windows 7 issues.

I don't know if this post is actually helpful information, but maybe other people can do their own controlled experiments to figure out what the difference is between Windows 7 systems that work and those that don't.

5 Likes

I'm having the same problem here. Google Chrome on Windows 7, both 32-bit and 64-bit, shows the NET::ERR_CERT_DATE_INVALID error. I'm just a single guy managing around 100 computers. All those users don't know the admin password except my boss, so they can't install Firefox. I don't want to install all those 100 computers one by one. Please fix this ASAP =(

Same issue, experiencing this on all Chrome and Chromium-based browsers; Firefox doesn't seem to have the same issue.

This is definitely something you need to fix yourself. Microsoft stopped supporting Windows 7 almost 2 years ago.

Assuming you have a domain admin account which can access all of the computers, you need to script a group policy startup script that installs the ISRG Root X1 (self-signed) certificate into the local computer store or applies this registry method: Fixing Windows installs that don't receive updates to their trusted roots - #29 by rmbolger

Somehow your automatic CA root updates are not enabled; you should figure that out as well. Check your group policy to ensure automatic updates is not disabled: How to enable the "automatic root certificates update" on Windows Server 2016 - Microsoft Q&A

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789196(v=ws.11)

3 Likes
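The manual install steps from the first post (including the thumbprint check it recommends) and the startup-script approach suggested just above, combined into one PowerShell script. This is an added example, not code from any poster or from Let's Encrypt. The parameter names are hypothetical, and it assumes the certificate file and the expected SHA-256 fingerprint were both obtained on a machine that can already validate them.

```powershell
# Added example: verify a root certificate file against a fingerprint obtained
# out of band, then add it to the LocalMachine Root store. Uses only .NET
# classes so it also runs on the PowerShell 2.0 that ships with Windows 7.
# Must be run elevated (a machine startup script runs as SYSTEM).
param(
    [Parameter(Mandatory = $true)][string]$CertPath,       # e.g. isrgrootx1.pem copied from a trusted machine
    [Parameter(Mandatory = $true)][string]$ExpectedSha256  # from a known-good source; deliberately not hard-coded
)

# Accept fingerprints written with colons, spaces or lower case.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 64) { throw 'ExpectedSha256 must be 64 hex digits.' }

# X509Certificate2 reads both DER and PEM-armoured files on Windows.
$file = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

# Hash the DER encoding; refuse to install anything that does not match.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
if ($actual -ne $expected) {
    throw "Fingerprint mismatch (file hashes to $actual). Nothing was installed."
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root: subject '$($cert.Subject)', issuer '$($cert.Issuer)'."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    # Idempotent: a startup script runs at every boot.
    if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
        $store.Add($cert)
        Write-Output "Installed $($cert.Subject)"
    } else {
        Write-Output "Already trusted: $($cert.Subject)"
    }
} finally {
    $store.Close()
}

# Report the underlying cause too: the policy value that turns off automatic root updates.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Automatic root certificate updates are disabled by policy (DisableRootAutoUpdate = 1).'
}
```

The fingerprint is a required parameter so that the trust decision is made on a system that can verify it, not on the out-of-date client the script runs on.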

@petercooperjr, could the results of your experiments be related to the observations in this thread?

If I understood that thread properly, it can matter somehow how a user accessed an X1-using site, but I don't quite follow the upshot.

Hi all. I'm not sure what is going on, but all R3, Let's Encrypt certified websites on my IExplorer, Opera and Chrome browsers are giving a "your clock is wrong" error. Check the error message from my forum help post:

I reinstalled long-unused Mozilla Firefox and can resume accessing those inaccessible websites, but I think this is simply a disaster.
Regards all.
Safak

1 Like

We had some visitors with this problem too.

We are also facing the same problem

Hi @proemtech, welcome to the LE community forum.

Please edit your post and state your problem as well - not just "me too".
If your thread becomes too large it might need to be moved to a separate topic.
One that would begin with:

[not very helpful for anyone searching for help - once we are concluded here]

Our users are getting the error NET::ERR_CERT_DATE_INVALID while accessing our portal with a valid Let's Encrypt certificate in Chrome, Chromium and IE. But it's working with Firefox, as reported by other users.

1 Like

@proemtech
Which O/S are those systems using?

I'm sorry but I don't take anything for granted.
And, again, if this thread should get moved from this topic, it must stand on its own two feet.
[yes, I can read the topic, read my posts]

1 Like

Windows 7

1 Like

@proemtech
There are many reasons Win7 can be failing.
But it is likely due to an outdated trust root store.
You may need to manually add the "ISRG Root X1" cert for them to trust the new (short pathed) LE certs.

2 Likes