My issue is that the Overdrive and Libby apps by overdrive.com use the Let's Encrypt certificate and now neither app works on my older iPad (ios 9.3.5). I get a "the certificate for this server is invalid." error that refers to link.overdrive.com.
ISRG Root X1 isn't on the list of trusted certificates for this ios version and the older IdentTrust’s DST Root X3 is no longer trusted.
Is there a way to manually add this certificate (or convince Apple to put it on the list)???
@KarenZ I think I see the problem. The server at link.overdrive.com. is sending a faulty cert chain. You should contact them and refer to this post. Maybe they changed something recently incorrectly.
Their server returns a different chain on alternating requests. That is, running this command 3 times in a row gives ChainA, ChainB, then ChainA again. So, it looks like a Load Balancer is switching alternate servers and the two servers send different chains. The second chain shown below is faulty. I know this won't make sense to you but it should to them.
These are the 3 commands (output trimmed for clarity)
Hi @cheebase and welcome to the LE community forum
Please add some detail into your particular case, so that other readers may be able to help you.
[even when exactly as already mentioned - if your post(s) get split into a separate topic, then it would not get the attention it deserves. Think: SEO]
(these are two different formats for the exact same file; some software might prefer one or the other format)
Doing this allows an individual device to continue to trust sites that are using Let's Encrypt certificates.
On the other hand, if you are the administrator of a web site using Let's Encrypt, there's nothing you can do on the server site to allow all of your users on older systems (like iOS 9) to continue to access your site. (You can try to persuade individual users to manually install the ISRG root certificate, but particular users may or may not hear about or understand this suggestion, and may or may not be willing or able to follow it.)
Edit: I should also point out that I don't personally have an iOS device or know exactly how to do this on iOS 9. Although it should be possible in principle, I don't know that it's as simple as just downloading this file and following a few prompts or anything.
@schoen thank you!
Ah, so looks like this is what happened... OK. Now I know the reason and now I need to deliver your solution to the appropriate location on my iPad2 (iOS 9.3.5). Where and how do I find this elusive trust store?
Found a description (for installing the SSL certificate) which even I - a non-technical user - could follow. However, I realize that this is not the recipe for the ISRG certificate insertion... so could someone else tell me how do I work with these two processes in similar simple terms?
@rg305 & @schoen
Yes, it worked flawlessly!
The last part (Trusting The Certificate) of the kiwi "recipe" was not even required. Mind you there is no such thing as "Settings > General > About > Certificate Trust Settings (at the bottom of the page)" item on my iPad2. So, I did the next best thing: fired up Overdrive... and lo and behold!
Thanks again for both of you!
I am very happy for the thread, and the solution posted! Since x days ago, so many sites simply stopped being accessible to me via my old crucial Ipad because of this issue. Which seems to have been immediately fixed...at least for Overdrive...after following these instructions to download the additional certificate manually.
Kudos to all those who could understand the problem and trouble-shoot it. I am sure more users will find their way here. Some internet tags to hopefully help them...
Hi @eramosat and welcome to the LE community forum
Glad to see that you've been able to find a solution for your critical iPad problem; As have many.
And even more so to see someone else thinking about those that have yet to find theirs and how we might best help them in finding it; Via SEO.