Fixing Windows installs that don't receive updates to their trusted roots

Hey, could you please tell me which .der file you used and how you installed it in Windows?

thanks

.der file probably found at: Chain of Trust - Let's Encrypt

2 Likes

Thanks, but which one do I use? There are multiple files there.

thanks

2 Likes

You're looking for https://letsencrypt.org/certs/isrgrootx1.der.

5 Likes

I don't really know which one he used. :frowning:
It might be this one:

2 Likes

You'll probably want this one

Active
    ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
        Self-signed: der, pem, txt
2 Likes

Beautiful, just what I needed. Thanks

The proposed solution worked for me on Windows 10 with Chrome.

1 Like

One particular Windows 10 machine in our office is having a certificate issue.
It was getting a NET::ERR_CERT_DATE_INV error, so I renewed the certificate, restarted nginx, and cleared the certificate cache on the client, but the error was still there.
I deleted the DST Root certificate from the client and imported the ISRG Root certificate from one of the working machines, and now the client sees a NET::ERR_CERT_AUTHORITY_INVALID error.
I deleted the ISRG Root certificate. Same error.
Why is this one machine having a problem out of 20 or so Windows 10 machines?

1 Like

Have you imported the self-signed ISRG Root X1 certificate or the certified ISRG Root X1 signed by DST Root CA X3?

1 Like

Oof, finally solved the problem.
If you export the ISRG Root X1 certificate from a working Windows 10 computer and import it into a non-working computer, the import won't work.
I downloaded the self-signed ISRG Root X1 .der file from Chain of Trust - Let's Encrypt and imported it and voila, it was able to access all sites with Let's Encrypt certificates without errors.
So my solution for Windows client machines would be to delete the DST Root CA X3 certificate, then download and import the ISRG Root X1 certificate.
I still don't understand why this particular client wasn't served the new certificate from the server though.

3 Likes

The above worked for me as well - one tip is to make sure you double click the .der file to install it. Do not try to Import using certmgr.msc or Google Chrome.

2 Likes

Hi @Emanuuz
I'm having the same issues ("Your connection is not private") on certain websites with my Chrome on Windows 7. Spent all night trying to fix it. I have downloaded the isrgrootx1.der file, but what does "put it on 'Third Party Root Certification Authorities'" mean, and how do I do this? Thank you for your time!

1 Like

Double-click the file and then click the [install] button.
Choose where to install it to and pick "Third Party Root ..."
[not my advice - simple typing for clarification]

1 Like

Thanks @rg305. I found the "Third Party Root Certification Authorities" folder and installed it again. Unfortunately, it hasn't solved the problem. Thanks once again for your help though

2 Likes

@mel_mel
Can you get to this site (https://community.letsencrypt.org/) on that browser (without error)?
[both have the exact same chain]

2 Likes

I get a blank page at that link. Certificate is there, just no content!

Hi @rg305
No, I'm not able to access the site using the chrome browser

1 Like

@mel_mel

OK then your PC needs some tough love!
You're on Windows 7 right?

1 Like

Even on Windows 10, version 21H1, I am unable to see ISRG Root X1 in my Trusted store.

Visiting the site https://valid-isrgrootx1.letsencrypt.org
is also not working anymore.

Let's Encrypt is also being shown as an untrusted website.

2 Likes

Have you done anything on your machine to disable Windows Updates? Or used some sort of "Win10 optimizer" that tries to do things like disable telemetry and unnecessary services? Those things can break key system components like this.

If this is a corporate managed machine, corporate policies could also be to blame for the root lazy loading not working.

Bottom line, your machine is in some sort of non-default configuration that is preventing normal processes from getting the ISRG Root X1 and putting it into your Trusted Roots store. You either need to fix the configuration or manually install it with this copy (https) or this copy (http).

5 Likes
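The procedure the thread converges on (check whether the self-signed ISRG Root X1 is in the trusted store, note the expired DST Root CA X3, download isrgrootx1.der from letsencrypt.org and install it by hand on machines whose root auto-update never delivers it) can be scripted so the same checks are run the same way on every client. The following PowerShell is an added example and is not code from any post above or from Let's Encrypt. It assumes the download URL and the SHA-256 fingerprint of the self-signed root are the ones published on the Chain of Trust page; confirm both there before running it, since trusting a root on the strength of a script is exactly the mistake this check is meant to prevent.

```powershell
# Added example, not from the thread: audit a Windows client for the ISRG Root X1
# root, show why it may never have arrived, and install the self-signed copy from
# letsencrypt.org if it is missing. Run from an elevated PowerShell on Windows 8.1/10.
# (Invoke-WebRequest, Get-FileHash and Import-Certificate are not on stock Windows 7;
# there, download the .der by hand and run: certutil -addstore Root isrgrootx1.der)
# Assumption: the URL and fingerprint below match https://letsencrypt.org/certs/ ;
# verify them against that page before trusting this script.

$RootUrl        = 'https://letsencrypt.org/certs/isrgrootx1.der'
$DerPath        = Join-Path $env:TEMP 'isrgrootx1.der'
# SHA-256 fingerprint of the self-signed ISRG Root X1 (the hash of the DER bytes).
$ExpectedSha256 = '96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6'

# 1. Is the automatic root update mechanism switched off by policy? A value of 1
#    here is what "optimizer" tools and some corporate GPOs set; Windows then never
#    lazy-loads new roots such as ISRG Root X1.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
                           -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Root auto-update is disabled by policy (DisableRootAutoUpdate=1); roots must be installed by hand.'
}

# 2. Which ISRG Root X1 entries exist, and in which store? Only the self-signed one
#    (Subject equals Issuer) is a trust anchor; the cross-signed copy is issued by
#    DST Root CA X3 and does not help once that root is gone or expired.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
$found = foreach ($s in $stores) {
    Get-ChildItem $s | Where-Object { $_.Subject -like '*CN=ISRG Root X1*' } |
        Select-Object @{n='Store';e={$s}}, Subject, Issuer, Thumbprint, NotAfter,
                      @{n='SelfSigned';e={$_.Subject -eq $_.Issuer}}
}
$found | Format-Table -AutoSize

# 3. Report (do not silently delete) the expired DST Root CA X3 the thread removes;
#    removing a root is a trust decision the admin should make deliberately.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Subject -like '*CN=DST Root CA X3*' } |
    ForEach-Object {
        Write-Host ("DST Root CA X3 present, expires {0}; remove with: certutil -delstore Root {1}" -f $_.NotAfter, $_.Thumbprint)
    }

# 4. Install the self-signed root only if no self-signed copy is trusted yet.
if (-not ($found | Where-Object SelfSigned)) {
    Invoke-WebRequest -Uri $RootUrl -OutFile $DerPath
    $actual = (Get-FileHash -Path $DerPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Downloaded root hash $actual does not match the expected fingerprint; not installing."
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DerPath
    if ($cert.Subject -ne $cert.Issuer) {
        throw 'File is the cross-signed ISRG Root X1, not the self-signed root; refusing to install it as an anchor.'
    }
    Import-Certificate -FilePath $DerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Installed ISRG Root X1 (thumbprint $($cert.Thumbprint)) into Trusted Root Certification Authorities."
}

# 5. Confirm Windows now treats the root as trusted by building a chain for it.
#    Build() returns $true only when the chain ends at a trusted self-signed root.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=ISRG Root X1*' -and $_.Subject -eq $_.Issuer } |
    Select-Object -First 1
if ($root) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    Write-Host ("ISRG Root X1 trusted: {0}" -f $chain.Build($root))
} else {
    Write-Warning 'ISRG Root X1 is still missing from Trusted Root Certification Authorities.'
}
```

Step 2 is the check that explains the "export from a working machine" failure reported above: the entry that gets exported is often the cross-signed ISRG Root X1 (issued by DST Root CA X3), which is not an anchor, so it is compared by Issuer rather than by name. Step 4 pins the download to a fingerprint instead of trusting whatever a URL returned, which is the difference between installing a root and installing a file someone told you was a root. If step 1 reports the policy value, fixing that (or the GPO behind it) is preferable to maintaining roots by hand on twenty machines.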