I'm (remotely) helping a friend with an older laptop that is running macOS 10.11.6 (OS X El Capitan). In Chrome 94.0.4606.71, when navigating to a site with Lets's Encrypt (like https://www.solacecares.com/), they get the error NET::ERR_CERT_DATE_INVALID
. A lot of the help for this string suggests your clock is incorrect, but I suspect it is due to the expiration of the IdentTrust DST Root CA X3 on September 30th, 2021.
This comment has step-by-step instructions for installing the ISRG Root X1 cert on OS X
https://mjtsai.com/blog/2021/09/24/some-web-sites-will-stop-working-with-el-capitan-and-older/#comment-3538503
I'm expanding them here, since this is the official forum. It is the same process as earlier in the thread, just more detailed.
- Download the ISRG Root X1 Certificate
Download from: https://letsencrypt.org/certs/isrgrootx1.der
You want the self-signed, NOT the cross-signed cert from Chain of Trust - Let's Encrypt (Active > ISRG Root X1 > Self-signed > der)
OS X may offer to open in Keychain, but instead select "Save File".
- Verify the fingerprints
In Terminal (Command - Space, then type "terminal.app"):
cd ~/Downloads
shasum -a 1 isrgrootx1.der
This returns
cabd2a79a1076a31f21d253635cb039d4329a5e8 isrgrootx1.der
You can confirm this matches the one on Chain of Trust - Let's Encrypt, following the link "Self-signed" under "ISRG Root X1" to crt.sh | 9314791. Or, you can stick the SHA-1 in directly: crt.sh | cabd2a79a1076a31f21d253635cb039d4329a5e8.
This terminal command will generate the SHA-256 version:
shasum -a 256 isrgrootx1.der
returning
96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6 isrgrootx1.der
You can use the SHA-256 to cross-check against the root cert published by Apple in macOS Sierra (10.12):
Search for "ISRG Root X1" to find the entry, with the SHA-256 fingerprint as the last column.
- Install the certificate
Open the certificate by double-clicking isrgrootx1.der
in the Finder, or in the terminal:
open -a "Keychain Access.app" isrgrootx1.der
You'll get a "Add Certificates" dialog asking:
Do you want to add the certificate(s) from the file "isrgrootx1.der" to a keychain?
In the drop-down "Keychain", select "login" (for just your user) or "system" (for all users). If unsure, I suggest "login", and then add for "System" if it resolved your issue.
Click "Add" to add it and close the "Add Certificates" dialog, leaving the Keychain Access window open for step 4.
- Manually "Trust" that certificate
In the Keychain Access search box, type "ISRG". Find the ISRG Root X1, with the Keychain (login or system) that you added it. Double-click to open.
- In the ISRG Root X1 dialog box, expand the " Trust" area.
- For "When using this certificate", change "Use System Defaults" to "Always Trust". This will change other items as well
- Close the dialog box, and verify with your login password or Touch ID
- Test it out!
Try the website that gave the NET::ERR_CERT_DATE_INVALID
and confirm it worked.