Fixing Windows installs that don't receive updates to their trusted roots

For anyone having issues with Google Chrome on Windows 7, this is the fix for me too. I just downloaded the .der file from there, and put it on "Third Party Root Certification Authorities" (o "Entidades de certificación raíz de confianza", en español).
Do that, restart the browser, and that's it.

Prior of that, I deleted the X3 certificates from the intermediate window, don't know if that's something required to do or not.

3 Likes

Hey could you please tell me which der file and how you installed it in Windows?

thanks

.der file probably found at: Chain of Trust - Let's Encrypt

2 Likes

Thanks but which one do i I use? There are multiple files there.

thanks

2 Likes

You're looking for https://letsencrypt.org/certs/isrgrootx1.der.

5 Likes

I don't really know which one he used. :frowning:
It might be this one:

2 Likes

You'll probably want this one

Active
    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
        Self-signed: der, pem, txt
2 Likes

Beautiful, just what I needed. Thanks

The proposed solution worked for me on wind 10 with Chrome

1 Like

One particular Windows 10 machine in our office is having a certificate issue.
It was getting NET::ERR_CERT_DATE_INV error, so I renewed the certificate, restarted nginx, cleared certificate cache on the client, but the error was still there.
I deleted the DST Root certificate from the client and imported ISRG Root certificate from one of the working machine and now the client sees NET::ERR_CERT_AUTHORITY_INVALID error.
I deleted the ISRG Root certificate. Same error.
Why is this one machine having a problem out of 20 or so Windows 10 machines?

1 Like

Have you imported the self-signed ISRG Root X1 certificate or the certified ISRG Root X1 signed by DST Root CA X3?

1 Like

Oof, finally solved the problem.
If you export the ISRG Root X1 certificate from a working Windows 10 computer and import it from a non-working computer, the import won't work.
I downloaded the self-signed ISRG Root X1 .der file from Chain of Trust - Let's Encrypt and imported it and voila, it was able to access all sites with letsencrypt certificate without errors.
So my solution for Windows client machines would be to delete DST Root CA X3 certificate, download and import ISRG Root X1 certificate.
I still don't understand why this particular client wasn't served the new certificate from the server though.

3 Likes

The above worked for me as well - one tip is to make sure you double click the .der file to install it. Do not try to Import using certmgr.msc or Google Chrome.

2 Likes

Hi @Emanuuz
I'm having the same issues " Your connection is not private" on certain websites with my Chrome on Windows 7. Spent all night tying to fix it. I have downloaded the isrgrootx1.der file but what does "put it on "Third Party Root Certification Authorities"" mean and how do I do this? Thank you for your time!

1 Like

Double-click the file and then click the [install] button.
Choose where to install it to and pick "Third Party Root ..."
[not my advice - simple typing for clarification]

1 Like

Thanks @rg305. I found the "Third Party Root Certification Authorities" folder and installed it again. Unfortunately, it hasn't solved the problem. Thanks once again for your help though

2 Likes

@mel_mel
Can you get to this site (https://community.letsencrypt.org/) on that browser (without error)?
[both have the exact same chain]

2 Likes

I get a blank page at that link. Certificate is there, just no content!

Hi @rg305
No, I'm not able to access the site using the chrome browser

1 Like

@mel_mel

OK then your PC needs some tough love!
You're on Windows 7 right?

1 Like

Even when Windows 10, 21H1 Version, I am unable to see ISRG Root X1 in my Trusted Store.

Visiting the site https://valid-isrgrootx1.letsencrypt.org
is also not working anymore.

Letencrypt is also being shown as untrusted website

2 Likes