ISRG Root X1 not supported on iOS 9.3.5

My issue is that the Overdrive and Libby apps by overdrive.com use the Let's Encrypt certificate and now neither app works on my older iPad (iOS 9.3.5). I get a "the certificate for this server is invalid." error that refers to link.overdrive.com.

ISRG Root X1 isn't on the list of trusted certificates for this iOS version and the older IdenTrust's DST Root X3 is no longer trusted.

Is there a way to manually add this certificate (or convince Apple to put it on the list)?

@KarenZ Welcome to the community.

I don't have any specific suggestions but this thread has more details and possibly a solution. I have linked to the middle of the thread but earlier posts there might be helpful too.

Yes, make sure you have "ISRG Root X1" in your trust store.

---
Certificate chain
 0 s:CN = *.hq.overdrive.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

If you do and continue to have issues (not likely), then try also adding "DST Root CA X3".

Thanks, but there doesn't seem to be a trust store on this old iPad.

Well, there is a trust store, but it's grayed out so I can't access it.

Time for some Google-fu!
"Yo! MySmartThing": Find me topics with "iPad" and "update root store" ... and order me a pizza too!

@KarenZ I think I see the problem. The server at link.overdrive.com. is sending a faulty cert chain. You should contact them and refer to this post. Maybe they changed something recently incorrectly.

Their server returns a different chain on alternating requests. That is, running this command 3 times in a row gives ChainA, ChainB, then ChainA again. So, it looks like a Load Balancer is switching alternate servers and the two servers send different chains. The second chain shown below is faulty. I know this won't make sense to you but it should to them.

These are the 3 commands (output trimmed for clarity):

[TEST] openssl s_client -connect link.overdrive.com:443 -servername link.overdrive.com -trusted_first |head
---
Certificate chain
 0 s:/CN=*.hq.overdrive.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

===============================================
[TEST] openssl s_client -connect link.overdrive.com:443 -servername link.overdrive.com -trusted_first |head

depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TRAEFIK DEFAULT CERT
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT

===============================================
[TEST] openssl s_client -connect link.overdrive.com:443 -servername link.overdrive.com -trusted_first |head

Certificate chain
 0 s:/CN=*.hq.overdrive.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Good luck and let us know what happens.

Nice detective work Mike! I'm also seeing that the chain is in the wrong order for
*.api.overdrive.com
*.svc.overdrive.com

It serves ISRG Root X1 > R3 rather than the other way around, which is a little unusual but will still work.

Where?
[On your left? or my left?]

Well, that's different :slight_smile:

openssl s_client -connect thunder.api.overdrive.com:443 -servername thunder.api.overdrive.com -trusted_first

Certificate chain
 0 s:/CN=*.api.overdrive.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

Order matters!
Shoes go on AFTER you put on your socks! LOL
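
The two chain problems found above, the self-signed TRAEFIK DEFAULT CERT that alternates with the real chain on link.overdrive.com and the ISRG Root X1 > R3 ordering on thunder.api.overdrive.com, as an added example script that is not from this thread, Overdrive or Let's Encrypt. It parses the "Certificate chain" block that `openssl s_client` prints (either the `/C=US/O=...` or the `C = US, O = ...` style), rebuilds leaf-first order by following issuer links, flags a self-signed leaf, and groups repeated probes by the chain they returned so a load balancer handing out two different chains shows up as two groups. The DN normalisation assumes no RDN value itself contains `, ` or `/`; the sample outputs at the bottom are constructed by retyping the chains shown in the posts above.

```python
"""Sanity checks on the chains `openssl s_client` prints. Added example, not
code from the thread, Overdrive or Let's Encrypt; the samples at the bottom are
constructed by retyping chains posted above. Feed it the thread's command:
    openssl s_client -connect HOST:443 -servername HOST -trusted_first </dev/null
"""
import hashlib
import re
from typing import Dict, List, Tuple

Chain = List[Tuple[str, str]]  # [(subject, issuer), ...] as the server sent them

# s_client prints "s:/C=US/O=..." (older OpenSSL) or "s:C = US, O = ..." (1.1.1+).
_SUBJ = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSR = re.compile(r"^\s*i:(.*)$")

def norm_dn(dn: str) -> str:
    """Canonicalise a DN so both print styles compare equal (assumes no RDN value contains ', ' or '/')."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(", ")
    return ",".join("=".join(p.strip() for p in part.split("=", 1)) for part in parts)

def parse_chain(s_client_output: str) -> Chain:
    """Pull (subject, issuer) pairs out of the 'Certificate chain' block."""
    lines, chain, in_block = s_client_output.splitlines(), [], False
    for n, line in enumerate(lines):
        subj = _SUBJ.match(line) if in_block else None
        issr = _ISSR.match(lines[n + 1]) if subj and n + 1 < len(lines) else None
        if line.strip() == "Certificate chain":
            in_block = True
        elif subj and issr:
            chain.append((subj.group(1).strip(), issr.group(1).strip()))
        elif in_block and line.startswith("---") and chain:
            break  # closing '---' of the chain block
    return chain

def order_chain(chain: Chain) -> Tuple[Chain, Chain]:
    """Rebuild leaf-first order by following issuer links; leftover = certs linking to nothing."""
    issuers = {norm_dn(i) for _, i in chain}
    leaf = next((c for c in chain if norm_dn(c[0]) not in issuers), chain[0])
    ordered, remaining = [leaf], [c for c in chain if c is not leaf]
    while remaining:
        want = norm_dn(ordered[-1][1])
        nxt = next((c for c in remaining if norm_dn(c[0]) == want), None)
        if nxt is None:
            break
        ordered.append(nxt)
        remaining.remove(nxt)
    return ordered, remaining

def check_chain(chain: Chain) -> List[str]:
    """Human-readable problems; an empty list means the chain looks sane."""
    if not chain:
        return ["no Certificate chain block found"]
    problems = []
    if norm_dn(chain[0][0]) == norm_dn(chain[0][1]):
        problems.append(f"leaf is self-signed: {chain[0][0]}")  # e.g. a proxy's placeholder cert
    ordered, leftover = order_chain(chain)
    if leftover:
        problems.append("unlinked certs: " + "; ".join(s for s, _ in leftover))
    elif ordered != chain:
        problems.append("out of order; leaf-first would be " + " > ".join(s for s, _ in ordered))
    return problems

def summarize_probes(outputs: List[str]) -> Dict[str, Tuple[Chain, int]]:
    """Group repeated s_client outputs by chain; >1 group means backends disagree."""
    groups: Dict[str, Tuple[Chain, int]] = {}
    for out in outputs:
        chain = parse_chain(out)
        key = "|".join(f"{norm_dn(s)}>{norm_dn(i)}" for s, i in chain)
        fp = hashlib.sha256(key.encode()).hexdigest()[:16]
        groups[fp] = (chain, groups.get(fp, (chain, 0))[1] + 1)
    return groups

# Constructed samples, retyped from the chains shown in this thread.
GOOD = """---
Certificate chain
 0 s:/CN=*.hq.overdrive.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""
DEFAULT_CERT = """---
Certificate chain
 0 s:/CN=TRAEFIK DEFAULT CERT
   i:/CN=TRAEFIK DEFAULT CERT
---
"""
WRONG_ORDER = """---
Certificate chain
 0 s:/CN=*.api.overdrive.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
"""
```

Running `check_chain(parse_chain(...))` on the three samples returns nothing for the good chain, "leaf is self-signed" for the Traefik placeholder, and "out of order" with the corrected leaf-first order for the api chain; `summarize_probes([GOOD, DEFAULT_CERT, GOOD])` yields two groups, which is the alternating-backend symptom described above. The ordering check only follows issuer names, so it confirms what a client must see, not signatures; a real verifier still has to be run on the actual certificates.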

How does one even get a chain that is in the wrong order?

Manual edits? Poor custom deploy hooks? Bad acme agents? Funky custom servers? It takes some effort :slight_smile:

@KarenZ Hi, I ran into the same problem - yesterday... and it persists today as well. Guess it is a "permanent" condition... however...
Did you get the issue resolved? If so, how?
Thanks!

Hi @cheebase and welcome to the LE community forum :slight_smile:

Please add some detail into your particular case, so that other readers may be able to help you.
[even when exactly as already mentioned - if your post(s) get split into a separate topic, then it would not get the attention it deserves. Think: SEO]

One thing to clarify or reiterate, either for @cheebase or future readers of this thread:

If you're the owner of an older device, you can personally manually add ISRG Root X1 to most older devices' root CA stores, if those devices didn't ship with it.

https://letsencrypt.org/certs/isrgrootx1.pem
https://letsencrypt.org/certs/isrgrootx1.der

(these are two different formats for the exact same file; some software might prefer one or the other format)

Doing this allows an individual device to continue to trust sites that are using Let's Encrypt certificates.

On the other hand, if you are the administrator of a web site using Let's Encrypt, there's nothing you can do on the server side to allow all of your users on older systems (like iOS 9) to continue to access your site. (You can try to persuade individual users to manually install the ISRG root certificate, but particular users may or may not hear about or understand this suggestion, and may or may not be willing or able to follow it.)

Edit: I should also point out that I don't personally have an iOS device or know exactly how to do this on iOS 9. Although it should be possible in principle, I don't know that it's as simple as just downloading this file and following a few prompts or anything.

@schoen thank you! :clap:
Ah, so looks like this is what happened... OK. Now I know the reason and now I need to deliver your solution to the appropriate location on my iPad2 (iOS 9.3.5). Where and how do I find this elusive trust store?
Found a description (for installing the SSL certificate) which even I - a non-technical user - could follow. However, I realize that this is not the recipe for the ISRG certificate insertion... so could someone else tell me how do I work with these two processes in similar simple terms?

Almost there... :pray:

@cheebase
It seems like if you just amend the first couple of steps, in that one you found, it could do the trick.
[replacing "N4L SSL Certificate" with "ISRG Root X1"]

@rg305 & @schoen
Yes, it worked flawlessly!
The last part (Trusting The Certificate) of the kiwi "recipe" was not even required. Mind you there is no such thing as "Settings > General > About > Certificate Trust Settings (at the bottom of the page)" item on my iPad2. So, I did the next best thing: fired up Overdrive... and lo and behold!
Thanks again for both of you!
:clap: :clap:

I am very happy for the thread, and the solution posted! Since x days ago, so many sites simply stopped being accessible to me via my old crucial iPad because of this issue. Which seems to have been immediately fixed... at least for Overdrive... after following these instructions to download the additional certificate manually.

Kudos to all those who could understand the problem and trouble-shoot it. I am sure more users will find their way here. Some internet tags to hopefully help them...

Overdrive Download Certificates

Hi @eramosat and welcome to the LE community forum :slight_smile:

Glad to see that you've been able to find a solution for your critical iPad problem; As have many.
And even more so to see someone else thinking about those that have yet to find theirs and how we might best help them in finding it; Via SEO.