I have IdenTrust 1 and my Mac OSX is still screwed

So Let's Encrypt's expiration has screwed all 10.11 and lower Macs. Opera and Vivaldi will not run without security cert prohibitions, so the issue may also involve Chromium. Firefox is fine. The thing is, I have IdentTrust 1 on my old Macs but still get the security certificate error when I use Opera. Having the new cert should mean I don't have a problem.

The websites affected are completely random but never big corporate sites like Amazon.com, ebay.com or whatever. Could be a tech blog. So, what is the problem here? What can people with lower than 10.12 do to fix this?

Hi Techblues,

Examples I've deployed quickly that work on all Windows and a minority of MacOS/iOS devices:
https://random.iamonthe.cloud
https://certtest.rightflank.app (a successful tls connection expects a no healthy upstream response)

^Can you load the above endpoints? Half of my team on MacOS cannot load these.

Related threads;

https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/1242?u=deciderwill

Related article:

Update: Fixed on Mac and iOS by providing the full chain - works for both default and alt chain.

First, this issue is because Apple has refused to support legacy Macs and has tried to make them obsolete by stopping software updates. The DST Root is not the only expired/expiring root, to trigger these changes - many large websites have been switching Trust Anchors to other newer roots that are not available on legacy Macs.

You have two options:

  1. Install the ISRG Root Certificates onto your legacy Mac. They are available at Chain of Trust - Let's Encrypt . You can just download, click, and follow the instructions to add to your system keychain. I suggest downloading the DER version first, that tends to open correctly on Macs.
    You need:

    • ISRG Root X1 - Self-Signed
    • ISRG Root X2 - Self-Signed

    In terms of Opera, it most likely has it's own TrustStore (like firefox) and you have an older version. If you can not upgrade to a newer version because your OS is too old, you will also need to install the Certificates into Opera and any other applications with the same problem.

    This same process can be used on other verified roots to add them to your trust store. I've added several on one of my test machines to keep it usable.

  2. Upgrade your Mac to a newer OS. You can find patches for the OSX installers on http://dosdude1.com/, which will bypass the unsupported hardware check, and allow you to install any of the 10.x series on l almost every mac released after 2008.

2 Likes

@deciderwill
If these are the real FQDNs:

You are not serving a chain file (at all):

s_client -connect random.iamonthe.cloud:443 -servername random.iamonthe.cloud | head
depth=0 CN = nfa93b91e0-7f1e-4635-87b6-0dd94c9c545e-r.salvo.northflank.app
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nfa93b91e0-7f1e-4635-87b6-0dd94c9c545e-r.salvo.northflank.app
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = nfa93b91e0-7f1e-4635-87b6-0dd94c9c545e-r.salvo.northflank.app
   i:C = US, O = Let's Encrypt, CN = R3
---
openssl s_client -connect certtest.rightflank.app:443 -servername certtest.rightflank.app | head
depth=0 CN = nfed99f2f6-6fc6-4b54-93d8-9e0a8b18d8f8-r.salvo.northflank.app
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nfed99f2f6-6fc6-4b54-93d8-9e0a8b18d8f8-r.salvo.northflank.app
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = nfed99f2f6-6fc6-4b54-93d8-9e0a8b18d8f8-r.salvo.northflank.app
   i:C = US, O = Let's Encrypt, CN = R3
---

See:
SSL Server Test: random.iamonthe.cloud (Powered by Qualys SSL Labs)

Hi guys!

Half of my team on MacOS/iOS are not able to connect to a number of endpoints with certificates generated including buffalochip.com. There are no failures on Windows and a minority of MacOS/iOS devices can connect.

I have a feeling @Mikek won't be able to load the below sites:

Examples:
https://random.iamonthe.cloud
https://certtest.rightflank.app (a successful tls connection expects a no healthy upstream response)

Is there a wider issue with MacOS/iOS that has not been considered with the rollout of the new root certificates? See: Why won’t Safari open that web page? – The Eclectic Light Company

Update: Fixed on Mac and iOS by providing the full chain - works for both default and alt chain.

Hi @sherrikalak & @schoen

Update: Fixed on Mac and iOS by providing the full chain - works for both default and alt chain.

A very similar issue on this thread: SSL Shows Not Valid In Safari and some version of Chrome on Mac computers - I've posted further down in that thread that half my team on MacOS/iOS are struggling to load a few endpoints with Let's Encrypt certificates.

@sherrikalak are you able to load the domains below:

Examples we've deployed quickly that work on all Windows and a minority of MacOS/iOS devices:
https://random.iamonthe.cloud
https://certtest.rightflank.app (a successful tls connection expects a no healthy upstream response)

Is there a wider issue with MacOS/iOS that has not been considered with the rollout of the new root certificates? See: Why won’t Safari open that web page? – The Eclectic Light Company

2 Likes

Here are screen shots when trying to open links in order

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.