Chrome & Safari - Your connection is not private ERROR

I am getting the "Your connection is not private" error because the certificate is invalid, but the expiration on the certificate is November 26th '21. This is in Mac Chrome Version 93.0.4577.82 and Version 94.0.4606.71 (latest), on my site iperQ.com, since yesterday. Even https://letsencrypt.org/ and Wikipedia.org show the same error.
Is something up?

1 Like

Same problems here.

2 Likes

Further testing has the same issue in Safari. I am using Firefox to write this post. I think the issue is on any site using Let's Encrypt R3.

1 Like

Seems this is the problem (no idea on a fix though):

2 Likes

There was some Scheduled Maintenance yesterday

Let's Encrypt Status

Title: Boulder Update to release-2021-09-27

Planned Start: September 30, 2021 17:00 UTC
Expected End: September 30, 2021 17:45 UTC

Affected Infrastructure
Components: acme-v02.api.letsencrypt.org (Production), ocsp.root-x1.letsencrypt.org, {e1,e2,r3,r4}.o.lencr.org & ocsp.int-x{3..4}.letsencrypt.org
Locations: High Assurance Datacenter 1, High Assurance Datacenter 2

Details:
We will be updating Boulder to release-2021-09-27. Changelog is: Comparing release-2021-09-21...release-2021-09-27 · letsencrypt/boulder · GitHub. This will be applied as a rolling restart. No downtime is expected.

Maybe this has something to do with it

2 Likes

Thanks for that

1 Like

If you reissue (not renew) your cert, it will grab the valid alternate cert chain. That should fix the iOS, Chrome & Safari problem.

7 Likes

Thanks so much

2 Likes

This was standard weekly maintenance, despite the fact that DST Root CA X3 expired.

4 Likes

Hi Jim,

I have run the following command:

certbot certonly --nginx --agree-tos --no-eff-email --email jgillmor@gmail.com

and got this:

Which names would you like to activate HTTPS for?


1: iperq.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/iperq.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): c

Operation canceled. You may re-run the client.

I entered C to cancel because you said not to renew. Should I have entered 2 to Renew & replace the certificate, or am I totally off and should be doing something else?

Thanks again for your help.

2 Likes

You can press 2 (Renew & replace).
If you still have a problem with Chrome & Safari, let us know. There are other fixes for this.

6 Likes

Unfortunately, entering 2 (Renew & replace the certificate) has not fixed the issue.

Any other suggestions?

Thanks

2 Likes

As you've already seen and also read correctly earlier, that doesn't help. Only if you also changed the preferred root using --preferred-root "ISRG Root X1" it would have changed something. (That option requires certbot 1.12.0 or newer.)

The issue you're having is most likely Mac-related. Please check the Community for other Mac-threads related to the DST Root CA X3 expiry.

2 Likes

I used certbot certonly --nginx -d iperq.com -d www.iperq.com --agree-tos --no-eff-email --email jgillmor@gmail.com --preferred-root "ISRG Root X1". It is not working; it returned:

certbot: error: unrecognized arguments: --preferred-root ISRG Root X1

After a little research I tried: certbot certonly --nginx -d iperq.com -d www.iperq.com --agree-tos --no-eff-email --email jgillmor@gmail.com --preferred-chain "ISRG Root X1"

It did its thing but still has not resolved the issue.

Anything else I could try?

Thanks

2 Likes

Hi @JAG007,

The form --preferred-chain (not --preferred-root) is correct, and looking at your site now, it looks like it did what it was supposed to do.

It doesn't look like anyone in this thread has asked you what version of macOS you're running. Since Chrome uses the list of root CAs from the local operating system (not its own list), the version of macOS is much more important here than the version of Chrome.

According to the certificate compatibility list, you need macOS 10.12.1 or later for compatibility with Let's Encrypt certificates from now on (unless you want to install a browser like Firefox that includes its own list of trusted root CAs). Which version of macOS are you running?

4 Likes
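
A way to confirm which chain a server is sending after reissuing with --preferred-chain, as an added example that is not part of the original thread: the script reads the "Certificate chain" section of openssl s_client output and reports the topmost issuer. The two chain listings are constructed samples, and example.test and HOST are placeholders.

```sh
# Added example: which root does a served chain lead to?
# Live use (HOST is a placeholder for your own server name):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | classify_chain

# Print the issuer CN of the last certificate listed under "Certificate chain".
# Assumes CN is the final field of the issuer line, as in Let's Encrypt chains.
chain_top_issuer() {
    awk '
        $0 == "Certificate chain" { in_chain = 1; next }
        $0 == "---"               { in_chain = 0 }
        in_chain && /^ +i:/       { last = $0 }
        END { sub(/.*CN *= */, "", last); print last }'
}

classify_chain() {
    top=$(chain_top_issuer)
    case "$top" in
        "DST Root CA X3") echo "long chain: tops out at expired DST Root CA X3" ;;
        "ISRG Root X1")   echo "short chain: tops out at ISRG Root X1" ;;
        "")               echo "no chain found in input" ;;
        *)                echo "other chain: top issuer is $top" ;;
    esac
}

# Constructed sample: default chain, including the DST Root CA X3 cross-sign.
sample_long() {
cat <<'EOF'
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}
# Constructed sample: chain issued with --preferred-chain "ISRG Root X1".
sample_short() {
cat <<'EOF'
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}
sample_long | classify_chain; sample_short | classify_chain
```

A server reporting the short chain that still fails on a given client points to that client's trust store lacking ISRG Root X1, not to the server configuration.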

I have absolutely no idea why I said root instead of chain.. My apologies. Probably didn't have my coffee yet.

2 Likes

:grinning: Thanks anyway

2 Likes

My Mac version 10.11.6

So that means that all Mac machines running Chrome on versions before 10.12 will have this issue.

WOW!!

Thanks for your help

2 Likes

In an ideal world, people wouldn't keep using unsupported software. So in an ideal world, this wouldn't be an issue.

3 Likes

I'm looking after the website for a not-for-profit, and users reported the same issue with the latest Chrome browser & Safari.
I'm renewing the certificate with

sudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

When I try to fix the issue by adding the preferred-chain argument, I get the following:

sudo certbot certonly --manual --preferred-chain "ISRG Root X1" --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

1 Like