Thanks @rg305. I found the "Third Party Root Certification Authorities" folder and installed it again. Unfortunately, it hasn't solved the problem. Thanks once again for your help though
2 Likes
@mel_mel
Can you get to this site (https://community.letsencrypt.org/) on that browser (without error)?
[both have the exact same chain]
2 Likes
I get a blank page at that link. Certificate is there, just no content!
Even when Windows 10, 21H1 Version, I am unable to see ISRG Root X1 in my Trusted Store.
Visiting the site https://valid-isrgrootx1.letsencrypt.org
is also not working anymore.
Letencrypt is also being shown as untrusted website
2 Likes
Have you done anything on your machine to disable Windows Updates? Or used some sort of "Win10 optimizer" that tries to do things like disable telemetry and unnecessary services? Those things can break key system components like this.
If this is a corporate managed machine, corporate policies could also be to blame for the root lazy loading not working.
Bottom line, your machine is in some sort of non-default configuration that is preventing normal processes from getting the ISRG Root X1 and putting it into your Trusted Roots store. You either need to fix the configuration or manually install it with this copy (https) or this copy (http).
5 Likes
Hi @rmbolger
The issue that I've posted is reported by our end-users. We have noticed that they are using normal WIndows (not corporate-managed). In most of their devices, even their Windows Update is not reporting any updates to be installed. Are there any configuration things that we can ask them to check or is there any program that they can run to fix this?
Or is manually downloading the copy and installing it the only process?
Please suggest us a standard process that we can suggest to our end-users with this type of issue.
Our end-users do not have much knowledge in this area.
Thanks
2 Likes
The standard process (which would automatically download and install the ISRG Root X1 cert) is broken on the affected machines. That's the problem. Unfortunately, there's not a lot of common knowledge out there regarding how this gets broken. And without knowing how each user's machine broke, you can't begin to fix their (potentially different) problems.
Installing the ISRG Root X1 certificate manually is a work around that should fix this particular symptom of the underlying problem. It can be as simple as providing a registry file that they can double-click to import the certificate such as this one. You'll have to remove the .txt extension because the forum won't let me attach .reg files.
ISRG Root X1 - HKLM - AuthRoot.reg.txt (11.1 KB)
But some users (with good reason) may not want to trust a random registry file from "some guy on the Internet". The more trustworthy instructions are also more complicated.
- Download the cert directly from Let's Encrypt here
- Install it into the Local Computer's
Trusted Root Certification Authoritiescert store, the process for which varies depending on the OS version.
4 Likes
Here is an example of how Windows gets certificate updates automatically. Simply open the Windows event viewer, navigate to Windows Logs > Applications, and filter through 4097 ID events to view recent updates of this type. If there are no recent events, it's likely that Windows isn't getting the updates automatically for some reason.
My Windows 10 client updated the "ISRG Root X1" certificate on 07/04/2021, but my Windows Server updated this same certificate only on "09/30/2021".
3 Likes
Evidently one way this gets broken is with bad proxy settings. There are separate proxy settings for the system vs the user. Microsoft has documentation at How the Windows Update client determines which proxy server to use to connect to the Windows Update website - Microsoft Support.
In particular, I'd like anyone affected by this issue to run:
netsh winhttp show proxy
(from that documentation page), and report back the results.
This also seems potentially useful: https://social.technet.microsoft.com/wiki/contents/articles/242.windows-pki-troubleshooting-capi2-diagnostics.aspx
6 Likes
Where do the .der files get downloaded to?
In short,
I have found the Import function, would like to Import the X1 to my trusted certs, but the download page gives no indication where it has put it.
Win XP, Chrome
Long version
Took me hours to get there, can't copy any info to this thread on the machine affected, because this forum will not work on older browsers
Writing this on a tablet.
3 Likes
Both the self signed and cross signed appear to be installed on my machine, but theCertificate Import Wizard appears unable to find them.
Active
ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1)
Self-signed: der, pem, txt
I click on the der, and get a dialog box saying "already installed"
2 Likes
Really? 
I'm sorry, friend. You're going to have a hard time finding someone to help support a 20 year old OS. Please disconnect that machine from the Internet for its own good.
5 Likes
You do know there is an Embedded Windows XP, such as used in some Tektronix Oscilloscopes.
I believe that Embedded devices are one of the most difficult situations for being on the Internet and security issues in general.
1 Like
I do indeed. There's a litany of industrial systems connected to super expensive hardware that can't be upgraded for a variety of legitimate reasons. I still strongly believe those devices should not be directly connected to the Internet or used for general web browsing (such that they would care about the DST root expiration). They are effectively just a control plane appliance used for their singular purpose of making the hardware function.
3 Likes
True, but it would be nice if they had some level of required security maintenance mandated.
As these devices are on local private networks that are being access by new up-to-date computers, and not have these Embedded devices up-to-date on TLS(SSL) and Certificates causes problems in environments doing security scans of the local private networks.
1 Like
If they can't be updated (which such updates should have stopped long ago IMHO), they should all be put behind firewalls, IPS, APP&URL filtering, and proxies.
So that no one from outside that same (think: SCADA type) network has any direct contact with any of those devices - nor should they be allowed to speak to anything outside of their networks directly.
2 Likes
Correct, and the ones I've used are. However internal audits still flag them as an issue on the internal networks. Thus the reason I would like mandates that they be supported (by their manufactures) for very long term support of TLS(SSL) and Certificates.
The automotive industry has a much longer support of old vehicles than the Tel-com industry.
1 Like
Then the software should be replaced/rewritten!
Software life ages in dog years... 20 year old software is 140 human years old!
How long are they going to milk it ?!?!?!
Micro$oft !!!
OR
Can't they disable TLS and just use HTTP within such a restricted/closed network...
And pass an audit?
3 Likes