Fixing Windows installs that don't receive updates to their trusted roots

Remember that Windows devices must have a functional Windows Update to receive the latest certificate updates through the Microsoft Trusted Root Program.
If Windows does not have the ISRG Root X1 self-signed certificate, it is likely that it is not updating its certificates correctly because of some group policy or network block.
In this case, the certificates should be imported manually, since the system is obviously not behaving as it should.


Indeed, but reflecting on that I have a question. If Windows didn't get the update, just Chrome, why doesn't it fail because of ISRG Root X1? It shows the old DST Root CA X3 instead; in my understanding it should show that it doesn't recognize the new ISRG Root X1 that was generated after the device update. Am I thinking right?

Chrome should show the chain: Subscriber Certificate <- R3 <- ISRG Root X1 (Self-Signed), whether your server has a long or short chain. It shouldn't show the old DST Root CA X3 anyway, unless it can't find the ISRG Root X1 (self-signed) certificate in the client store.


On the Windows client, in a certificate management console, did you verify that the ISRG Root X1 certificate is present in the "Third Party Root Certification Authorities" directory?

I think I understood, so that's probably the case on this Windows 7 machine. It doesn't have the ISRG Root X1 because it didn't get any updates, so it falls back to DST Root CA X3, right?

(Sorry, I misunderstood the question before, I thought you were asking about the server)

Correct.
The reason DST Root CA X3 still exists in the default chain is only for older Android devices that don't care about the expiration date of the root certificate; other operating systems, however, must have the ISRG Root X1 certificate locally.
You can try downloading the "ISRG Root X1" certificate from Chain of Trust - Let's Encrypt and putting it in the "Third Party Root Certification Authorities" directory of Windows 7 to verify that this resolves the issue.


Ok, I will try that tomorrow; our client has already turned it off. But it will probably fix it. I had hoped to find another solution. But thanks for your help so far.

For anyone having issues with Google Chrome on Windows 7, this was the fix for me too. I just downloaded the .der file from there and put it in "Third Party Root Certification Authorities" (or, in the Spanish UI, "Entidades de certificación raíz de confianza").
Do that, restart the browser, and that's it.

Before that, I deleted the X3 certificates from the intermediate window; I don't know whether that's required or not.


Hey, could you please tell me which .der file, and how you installed it in Windows?

Thanks

The .der file can probably be found at: Chain of Trust - Let's Encrypt


Thanks, but which one do I use? There are multiple files there.

Thanks


You're looking for https://letsencrypt.org/certs/isrgrootx1.der.


I don't really know which one he used. :frowning:
It might be this one:


You'll probably want this one

Active
    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
        Self-signed: der, pem, txt

Beautiful, just what I needed. Thanks.

The proposed solution worked for me on Windows 10 with Chrome.


One particular Windows 10 machine in our office is having a certificate issue.
It was getting a NET::ERR_CERT_DATE_INVALID error, so I renewed the certificate, restarted nginx, and cleared the certificate cache on the client, but the error was still there.
I deleted the DST Root certificate from the client and imported the ISRG Root certificate from one of the working machines, and now the client sees a NET::ERR_CERT_AUTHORITY_INVALID error.
I deleted the ISRG Root certificate. Same error.
Why is this one machine having a problem out of 20 or so Windows 10 machines?


Have you imported the self-signed ISRG Root X1 certificate, or the ISRG Root X1 certificate signed by DST Root CA X3?


Oof, finally solved the problem.
If you export the ISRG Root X1 certificate from a working Windows 10 computer and import it on a non-working computer, the import won't work.
I downloaded the self-signed ISRG Root X1 .der file from Chain of Trust - Let's Encrypt and imported it, and voila, it was able to access all sites with Let's Encrypt certificates without errors.
So my solution for Windows client machines would be to delete the DST Root CA X3 certificate, then download and import the ISRG Root X1 certificate.
I still don't understand why this particular client wasn't served the new certificate by the server, though.


The above worked for me as well. One tip: make sure you double-click the .der file to install it. Do not try to import it using certmgr.msc or Google Chrome.


Hi @Emanuuz,
I'm having the same issue ("Your connection is not private") on certain websites with Chrome on Windows 7. I spent all night trying to fix it. I have downloaded the isrgrootx1.der file, but what does "put it in "Third Party Root Certification Authorities"" mean, and how do I do this? Thank you for your time!


Double-click the file and then click the [Install] button.
Choose where to install it and pick "Third Party Root ...".
[not my advice - just typing it out for clarification]

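The same procedure the thread arrives at (check whether the self-signed ISRG Root X1 is in the Windows store, and if not, import isrgrootx1.der into "Third Party Root Certification Authorities") can be scripted instead of clicked through. The following PowerShell is an added example written for this page; it is not code from any of the posters or from Let's Encrypt. It assumes the .der file was downloaded to C:\Temp\isrgrootx1.der from https://letsencrypt.org/certs/isrgrootx1.der, uses the store name AuthRoot (the Windows name for "Third-Party Root Certification Authorities"), and goes through the .NET X509Store API rather than Import-Certificate so that it also runs on Windows 7 with PowerShell 2.0. It also answers the question raised earlier about which ISRG Root X1 got imported: it lists every copy it finds and flags the one whose Issuer equals its Subject, and it refuses to install a file that is not the self-signed root. Run it from an elevated prompt.

```powershell
# Added example, not from the thread. Checks which ISRG Root X1 certificates
# this Windows client already trusts, then installs the self-signed root from
# isrgrootx1.der into "Third-Party Root Certification Authorities" (AuthRoot).
# Uses System.Security.Cryptography.X509Certificates directly so it works on
# Windows 7 / PowerShell 2.0, which lacks the PKI module's Import-Certificate.

# Assumption: file downloaded from https://letsencrypt.org/certs/isrgrootx1.der
$DerPath = 'C:\Temp\isrgrootx1.der'
# SHA-1 fingerprint of ISRG Root X1 as published on https://letsencrypt.org/certificates/
# Confirm it against that page before trusting a file you fetched.
$ExpectedThumbprint = 'CABD2A79A1076A31F21D253635CB039D4329A5E8'

function Get-IsrgRootX1Entries {
    # The self-signed root and the copy cross-signed by DST Root CA X3 share the
    # same Subject. Only the self-signed one has Issuer == Subject, and only it
    # still validates now that DST Root CA X3 has expired (2021-09-30).
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        # Root = Trusted Root CAs, AuthRoot = Third-Party Root CAs, CA = Intermediate CAs
        foreach ($storeName in 'Root', 'AuthRoot', 'CA') {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
            $store.Open('ReadOnly')
            foreach ($c in $store.Certificates) {
                if ($c.Subject -like '*CN=ISRG Root X1*') {
                    New-Object PSObject -Property @{
                        Store      = "$location\$storeName"
                        Issuer     = $c.Issuer
                        SelfSigned = ($c.Subject -eq $c.Issuer)
                        NotAfter   = $c.NotAfter
                        Thumbprint = $c.Thumbprint
                    }
                }
            }
            $store.Close()
        }
    }
}

function Install-IsrgRootX1 {
    param([string]$Path = $DerPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Refuse anything that is not the genuine self-signed root: the cross-signed
    # ISRG Root X1, or a certificate exported from another machine's store, can
    # carry the right name and still not fix the chain (as happened in the thread).
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not self-signed: issuer is '$($cert.Issuer)'. Use isrgrootx1.der, not the cross-signed file."
    }
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint $($cert.Thumbprint) does not match the published ISRG Root X1 fingerprint."
    }

    # Machine-wide store; use 'CurrentUser' instead if you cannot elevate.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('AuthRoot', 'LocalMachine')
    $store.Open('ReadWrite')
    if ($store.Certificates.Contains($cert)) {
        Write-Host 'ISRG Root X1 (self-signed) is already in LocalMachine\AuthRoot'
    } else {
        $store.Add($cert)   # equivalent to: certutil -addstore AuthRoot isrgrootx1.der
        Write-Host 'Imported ISRG Root X1 (self-signed) into LocalMachine\AuthRoot'
    }
    $store.Close()
}

# Report what is present, then install only if no self-signed copy was found.
Get-IsrgRootX1Entries | Format-Table Store, SelfSigned, NotAfter, Thumbprint -AutoSize
if (-not (Get-IsrgRootX1Entries | Where-Object { $_.SelfSigned })) {
    Install-IsrgRootX1
}
```

After the import, restart Chrome so it rebuilds its chain cache, as the posts above note. If the listing shows an ISRG Root X1 entry whose SelfSigned column is False, that is the cross-signed copy; it does not replace the self-signed root and is the situation the "which one did you import?" question in the thread was probing for.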