Fixing Windows installs that don't receive updates to their trusted roots

Hi @rg305
No, I'm not able to access the site using the chrome browser

1 Like

@mel_mel

OK then your PC needs some tough love!
You're on Windows 7 right?

1 Like

Even on Windows 10, version 21H1, I am unable to see ISRG Root X1 in my Trusted Store.

Visiting the site https://valid-isrgrootx1.letsencrypt.org
is also not working anymore.

Let's Encrypt is also being shown as an untrusted website.

2 Likes

Have you done anything on your machine to disable Windows Updates? Or used some sort of "Win10 optimizer" that tries to do things like disable telemetry and unnecessary services? Those things can break key system components like this.

If this is a corporate managed machine, corporate policies could also be to blame for the root lazy loading not working.

Bottom line, your machine is in some sort of non-default configuration that is preventing normal processes from getting the ISRG Root X1 and putting it into your Trusted Roots store. You either need to fix the configuration or manually install it with this copy (https) or this copy (http).

5 Likes

Hi @rmbolger
The issue that I've posted is reported by our end-users. We have noticed that they are using normal Windows (not corporate-managed). On most of their devices, even Windows Update is not reporting any updates to be installed. Are there any configuration things that we can ask them to check, or is there any program that they can run to fix this?

Or is manually downloading the copy and installing it the only process?

Please suggest a standard process that we can recommend to our end-users with this type of issue.
Our end-users do not have much knowledge in this area.

Thanks

2 Likes

The standard process (which would automatically download and install the ISRG Root X1 cert) is broken on the affected machines. That's the problem. Unfortunately, there's not a lot of common knowledge out there regarding how this gets broken. And without knowing how each user's machine broke, you can't begin to fix their (potentially different) problems.

Installing the ISRG Root X1 certificate manually is a workaround that should fix this particular symptom of the underlying problem. It can be as simple as providing a registry file that they can double-click to import the certificate, such as this one. You'll have to remove the .txt extension because the forum won't let me attach .reg files.
ISRG Root X1 - HKLM - AuthRoot.reg.txt (11.1 KB)

But some users (with good reason) may not want to trust a random registry file from "some guy on the Internet". The more trustworthy instructions are also more complicated.

  • Download the cert directly from Let's Encrypt here
  • Install it into the Local Computer's Trusted Root Certification Authorities cert store, the process for which varies depending on the OS version.
4 Likes
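The manual-install route described above, as an added PowerShell example (not the poster's .reg file and not code from Let's Encrypt): it imports a .der copy of ISRG Root X1 that the user has already downloaded into the Local Computer's Trusted Root Certification Authorities store, after sanity-checking the file and skipping the import when the root is already present. The download path is an assumption; run it from an elevated prompt.

```powershell
# Added example, not from the original thread.
# Assumes the user saved the Let's Encrypt .der download to the path below.
param(
    [string]$CertPath = "$env:USERPROFILE\Downloads\isrgrootx1.der"  # assumed location
)

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# Inspect the file before trusting it as a root: it must be the self-signed
# ISRG Root X1, so a mis-downloaded or tampered file is not installed by mistake.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($cert.Subject -notlike '*CN=ISRG Root X1*' -or $cert.Subject -ne $cert.Issuer) {
    throw "File does not look like the self-signed ISRG Root X1: $($cert.Subject)"
}
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"   # compare against the fingerprint Let's Encrypt publishes
Write-Host "Valid until: $($cert.NotAfter)"

# Already present? Then there is nothing to do (this is the "already installed" case).
$existing = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Host "ISRG Root X1 is already in the Local Computer Trusted Root store."
    return
}

# Import-Certificate comes with the PKI module (Windows 8 / Server 2012 and later).
# On older systems the equivalent command is:  certutil -addstore -f Root $CertPath
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Verify the import actually landed in the store.
$installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    Write-Host "Installed ISRG Root X1 into Trusted Root Certification Authorities."
} else {
    throw "Import reported success but the certificate was not found in the store."
}
```

The subject/issuer check and the thumbprint printout are the part worth keeping even if the rest is replaced by a GUI walkthrough: anything that goes into the machine-wide root store should be checked against a fingerprint from an independent source before it is trusted.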

Here is an example of how Windows gets certificate updates automatically. Simply open the Windows Event Viewer, navigate to Windows Logs > Applications, and filter for event ID 4097 to view recent updates of this type. If there are no recent events, it's likely that Windows isn't getting the updates automatically for some reason.
My Windows 10 client updated the "ISRG Root X1" certificate on 07/04/2021, but my Windows Server updated this same certificate only on "09/30/2021".

3 Likes

Evidently one way this gets broken is with bad proxy settings. There are separate proxy settings for the system vs the user. Microsoft has documentation at How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site.

In particular, I'd like anyone affected by this issue to run:

netsh winhttp show proxy

(from that documentation page), and report back the results.

This also seems potentially useful: https://social.technet.microsoft.com/wiki/contents/articles/242.windows-pki-troubleshooting-capi2-diagnostics.aspx

6 Likes
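The checks suggested in the two posts above (the event-ID-4097 look-up and `netsh winhttp show proxy`), collected into one read-only PowerShell diagnostic. This is an added example, not a script from the thread or from Microsoft; it also checks the Trusted Root store directly and the `DisableRootAutoUpdate` policy value, which is the registry form of the "Turn off Automatic Root Certificates Update" group policy. Run it elevated so the system-wide WinHTTP proxy and the HKLM policy key are readable; the `-MaxEvents 20` limit is just a display choice.

```powershell
# Added diagnostic, not from the original thread. Read-only: it changes nothing.

Write-Host "=== 1. Is ISRG Root X1 in the Local Computer Trusted Root store? ==="
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=ISRG Root X1*' }
if ($root) {
    $root | Format-Table Subject, Thumbprint, NotAfter -AutoSize
} else {
    Write-Host "NOT FOUND - automatic root update has not delivered it (or it was removed)."
}

Write-Host "=== 2. Recent root auto-update events (Application log, event ID 4097) ==="
# Windows logs 'Successful auto update of third-party root certificate' as ID 4097.
# Filtering on the ID only; the ProviderName column shows which source wrote each event.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4097 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events |
        Select-Object TimeCreated, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host "No 4097 events found - the auto-update mechanism may not be running at all."
}

Write-Host "=== 3. System-wide WinHTTP proxy (used by system services, not the user's browser proxy) ==="
netsh winhttp show proxy

Write-Host "=== 4. Policy value that switches root auto-update off ==="
# DisableRootAutoUpdate = 1 under this key is the registry form of the
# 'Turn off Automatic Root Certificates Update' policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Host "DisableRootAutoUpdate=1 is set: root auto-update is disabled by policy."
} else {
    Write-Host "No DisableRootAutoUpdate policy set."
}
```

Reading the output: a missing root plus no 4097 events plus a proxy line that points at something unreachable (or a `DisableRootAutoUpdate=1` hit) narrows the cause down to one of the configurations discussed in the thread, which is the information an end-user can paste back without understanding any of it.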

Where do the .der files get downloaded to?

In short,
I have found the Import function, would like to Import the X1 to my trusted certs, but the download page gives no indication where it has put it.

Win XP, Chrome

Long version
Took me hours to get there, can't copy any info to this thread on the machine affected, because this forum will not work on older browsers

Writing this on a tablet.

3 Likes

Both the self-signed and cross-signed appear to be installed on my machine, but the Certificate Import Wizard appears unable to find them.

Active
ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
Self-signed: der, pem, txt

I click on the der, and get a dialog box saying "already installed"

2 Likes

Really? :man_facepalming: I'm sorry, friend. You're going to have a hard time finding someone to help support a 20 year old OS. Please disconnect that machine from the Internet for its own good.

5 Likes

You do know there is an Embedded Windows XP, such as is used in some Tektronix oscilloscopes.
I believe that embedded devices are one of the most difficult situations for being on the Internet and for security issues in general.

1 Like

I do indeed. There's a litany of industrial systems connected to super expensive hardware that can't be upgraded for a variety of legitimate reasons. I still strongly believe those devices should not be directly connected to the Internet or used for general web browsing (such that they would care about the DST root expiration). They are effectively just a control plane appliance used for their singular purpose of making the hardware function.

3 Likes

True, but it would be nice if they had some level of required security maintenance mandated.
As these devices are on local private networks that are being accessed by new, up-to-date computers, not having these embedded devices up to date on TLS (SSL) and certificates causes problems in environments doing security scans of the local private networks.

1 Like

If they can't be updated (which such updates should have stopped long ago IMHO), they should all be put behind firewalls, IPS, APP&URL filtering, and proxies.
So that no one from outside that same (think: SCADA type) network has any direct contact with any of those devices - nor should they be allowed to speak to anything outside of their networks directly.

2 Likes

Correct, and the ones I've used are. However, internal audits still flag them as an issue on the internal networks. Thus the reason I would like mandates that they be supported (by their manufacturers) with very long-term support of TLS (SSL) and certificates.
The automotive industry has much longer support for old vehicles than the telecom industry.

1 Like

Then the software should be replaced/rewritten!
Software life ages in dog years... 20 year old software is 140 human years old!
How long are they going to milk it ?!?!?!
Micro$oft !!!

OR
Can't they disable TLS and just use HTTP within such a restricted/closed network...
And pass an audit?

3 Likes

Yeah, having a proper audit model that takes into account older devices would be very helpful.

2 Likes

I guess also I am worried about the whole IoT devices that are really embedded devices, such as home appliances that have a much longer life than normal software life cycle. Or maybe Smart homes aren't so safe.

3 Likes

The problem with unsupported versions of Windows is that updates are done with

Windows 10 upgrades Windows 7, and so does Windows 11 if your box is not too old.

1 Like