The only "bug" is that Windows 7 is too old to get security updates. Let's Encrypt may be the most well-known issuer of certificates, but it's really nothing specific to them. As roots expire, old systems that aren't getting security (including trust store) updates will have less and less access to the Internet. The only possible "fix" is to update to a supported platform. If Firefox still runs on Windows 7, you could try that since it uses its own trust store. Or, you can try using another CA, but that will just defer the problem until whichever root that CA has in the old trust store also expires.
In terms of specific steps to install the root (though this is from memory so I might be missing a step):
1. Rename the file from isrgrootx1.pem to isrgrootx1.crt.
2. Double-click the file.
3. It should ask you to confirm that you want to add the certificate to the root store. You probably should check the thumbprint against some known-good source first here, too, but I'm not sure what a good source for that would be that you could reliably trust from such an old system.
I'm guessing somebody could put together a PowerShell or batch file to simplify that somewhat. But again, you're just masking the problem of not getting security updates, and shouldn't actually consider any such system secure for anything.
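The thumbprint check and root-store import from the steps above, scripted as an added example that is not part of the original post. It uses only .NET certificate classes so that it also runs on the PowerShell 2.0 that ships with Windows 7; the file name is the one from the post, and the expected thumbprint is a placeholder to be filled in from a source verified on a separate, up-to-date machine.

```powershell
# Added example (not from the original post): check a root certificate's
# thumbprint against a value obtained out-of-band, then add it to the
# machine's Trusted Root store. Run from an elevated PowerShell prompt.
param(
    [string]$CertPath = '.\isrgrootx1.pem',
    # Placeholder: paste the SHA-1 thumbprint from a source you trust,
    # read on a different, up-to-date machine.
    [string]$ExpectedThumbprint = '<EXPECTED-SHA1-THUMBPRINT>'
)

# Drop spaces, colons and invisible characters that copy/paste often adds.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 40) {
    throw 'ExpectedThumbprint must be a 40-hex-digit SHA-1 thumbprint.'
}

# X509Certificate2 reads both PEM and DER, so no rename to .crt is needed.
$fullPath = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Not installing."
}
# Name comparison only: a root certificate names itself as its issuer.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root (issuer: $($cert.Issuer)). Not installing."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $found = $store.Certificates.Find('FindByThumbprint', $expected, $false)
    if ($found.Count -gt 0) {
        Write-Output "Already trusted: $($cert.Subject)"
    } else {
        $store.Add($cert)
        Write-Output "Added to LocalMachine\Root: $($cert.Subject)"
    }
} finally {
    $store.Close()
}
```

With the placeholder left unchanged the script stops at the length check, so nothing is installed until a real thumbprint has been supplied.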
Hmm. I was probably reading too much into someone above saying that visiting https://valid-isrgrootx1.letsencrypt.org/ on Windows 7 in IE also didn't work, and I assumed that it meant that Windows 7 didn't have it in the trust store. Perhaps it's just some configurations, or based on whether it had been lazy-loaded correctly in the past? Do we have confirmation that 7 does the same lazy-loading thing, or is it something they added in one of the versions of 10?
This is not a bug from Let's Encrypt's side, but just a normal flow of how the PKI infrastructure works. Sysops have a choice between two different certificate chains, so sysops can make a difference there.
I am still confused about this, I am sorry if this is a stupid question: Would changing the certificate chain help a client that doesn't have ISRG Root X1? E.g. a client with Windows 7 that has never been updated via Windows Update and is out of date?
Also this "lazy-loading" that has been mentioned: Is this possible and how does it work? This post (Microsoft Windows Root Certificate Lazy-Loading) does talk about visiting https://valid-isrgrootx1.letsencrypt.org/ and lazy-loading the cert but from my testing this does nothing and the page does not load on a client that does not have the current root.
Time for some SCIENCE! (By which I mean, of course, that I tried writing down what I did, since that's the key difference between "science" and "just messing around with stuff".)
Now, I don't know how similar that VM image (which lists a "created date" of 1/9/2018 in Hyper-V) is to a "real-world" Windows 7 instance which has who-knows-what installed and has been who-knows-where on the Internet to populate caches and whatnot, but it's at least some evidence that it's possible to have a Windows 7 computer that works for going to sites using Let's Encrypt's certificates. It makes me think that those computers that it's not working on must have had automatic updates turned off many years ago in order to not get the ISRG Root X1 certificate in its trust store, but maybe there's something else going on if people are seeing a high level of Windows 7 issues.
I don't know if this post is actually helpful information, but maybe other people can do their own controlled experiments to figure out what the difference is between Windows 7 systems that work and those that don't.
I'm having the same problem here. Google Chrome on Windows 7, both 32-bit and 64-bit, shows the NET::ERR_CERT_DATE_INVALID error. I'm just a single guy managing around 100 computers. All those users don't know the admin password except my boss, so they can't install Firefox. I don't want to install on all those 100 computers one by one. Please fix this ASAP =(
Hi all. I'm not sure what is going on but all R3, LetsEncrypt certified websites on my IExplorer, Opera and Chrome browsers are giving a "your clock is wrong" error. Check the error message from my forum help post:
I reinstalled the long unused Mozilla Firefox and can resume accessing those inaccessible websites but I think this is simply a disaster.
Regards all.
Safak
Please edit your post and state your problem as well - not just "me too"
If your thread becomes too large it might need to be moved to a separate topic.
One that would begin with:
[not very helpful for anyone searching for help - once we are concluded here]
Our users are getting the error NET::ERR_CERT_DATE_INVALID while accessing our portal with a valid Let's Encrypt certificate in Chrome, Chromium and IE. But it's working with Firefox, as reported by other users.
I'm sorry but I don't take anything for granted.
And, again, if this thread should get moved from this topic, it must stand on its own two feet.
[yes, I can read the topic, read my posts]
@proemtech
There are many reasons Win7 can be failing.
But it is likely due to an outdated trust root store.
You may need to manually add the "ISRG Root X1" cert for them to trust the new (short pathed) LE certs.