OS X 10.11 - Clients not connecting to site with Let's Encrypt certificates

My issue is with macOS clients receiving a "cert expired" message when attempting to connect to our website.

This is an apache 2.4.48 website:

SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
SSLCertificateFile /etc/letsencrypt/fullchain.pem

I've tried replacing the last two certs in fullchain.pem with the new ISRG Root X1 one (https://letsencrypt.org/certs/isrgrootx1.pem) and restarting apache, but that has not fixed the problem.

The macOS client is using version 10.11.6 - El Capitan.

I've seen references to only versions >= 10.12.1 working. Is it really the case that versions older have no available path to working properly with Let's Encrypt certs? There is no support for these older versions?

That's correct. Sorry for the trouble. For what it's worth, most devices from the last 10 years should be able to upgrade to 10.12. See this post for details: Certificates are not trusted on Chrome and Safari on old iMac with El Capitan - #24 by jsha. If there are specific problems your visitors are having with upgrades, I would be curious to hear about them (though ultimately they will need to get help from Apple Support).

2 Likes

What are your plans for supporting versions < 10.12.1. When can we expect a fix? Our Mac laptop is unable to upgrade to 10.12, and thanks your changes, has now been rendered quite useless. Having one of our computers effectively thrown off the internet for a day is a problem, I assume your developers are working on an immediate fix for the problems that your company caused.

I just noticed the typo, I meant versions under 10.12.1.

Some points that should be considered:

  1. Let's Encrypt is only a certifying entity that allows website and software operators to issue a certificate free of charge within the security standards required by the market;
  2. Each site administrator is responsible for choosing the certifying entity that best serves its users;
  3. Apple is the only company responsible for which root certificates are included in its products and support for future updates.
3 Likes

The "change" was just the expiration of an old root certificate, which was created decades ago.

There is nothing that Let's Encrypt can or will do. They did create their own root certificate when they were formed, and that's what everything should be using. The use of "DST Root CA X3" in the meantime, was just an interim measure to help get Let's Encrypt off the ground.

Let's Encrypt is a non-profit, and almost everybody answering questions here is just a random other person on the Internet (that is to say, not an employee) who is trying to help.

Really, it's more that it's unfortunate that Apple doesn't provide security updates needed in order to allow devices to be connected to the Internet for longer. Planned obsolescence and all that.

I believe elsewhere on the forum people have posted how to add ISRG Root X1 to the trust store on your device manually. But as long as your device doesn't get security patches, it shouldn't be used for anything where one cares about security.

5 Likes

Hi @LarryWaterhouse, welcome to the LE community forum :slight_smile:

Fixed it for you :slight_smile:

I'll try to focus my reply on things specifically yet uncovered...

How useful was the laptop prior to this event? (maybe I'm missing something here - I don't MAC)
Which uses have actually been rendered useless? I can only think of one (but, again, no MAC here).
So.. you may have to use another browser until:

  • Apple fixes the problem or allows others to do so (I wouldn't hold my breath)
  • You get used to some other browser and life resumes (for the laptop - with that bit less useless)

It's really not the end of the world - just the end of the incredibly insecure world we once lived in.
Welcome to the future :slight_smile:

2 Likes

For older macOS, try:

  • downloading https://letsencrypt.org/certs/isrgrootx1.der
  • Open the Keychain Access app and dragging that file into the System folder of that app.
  • then find the ISRG Root X1 certificate in System and double click on it, open the Trust menu and change "Use System Defaults" to "Always Trust", then close that and enter your password to confirm the change (if prompted).
6 Likes

Hi @LarryWaterhouse, welcome to the forum and I'm sorry you've had a tough time with the breakages today. Due to technical details of how certificates on the web work, it's not practical for us to support OS X 10.11 and earlier anymore. Apple also doesn't support OS X 10.11 anymore. According to Wikipedia, Apple's support for OS X 10.11 ending as of December 2019. The computer may continue to work for now, but unless you're able to update to a newer OS, things will continue to break, and neither we nor Apple will be able to fix them. I would love to live in a world where software could be supported for longer, but that's where we are today.

For some additional background information: We came into existence in 2015. All software written before that date doesn't know about our root certificate, so we got a cross-signature - a sort of digital letter of introduction - that allowed us to act, for a time, as if we had been around since 2000. We've spent the time since then getting our root certificate added to all new operating systems, so up-to-date software can recognize our certificates. However, our letter of introduction is expired now, so we can now only work with software released after 2015.

@webprofusion's advice to install the root certificate manually on your machine is good. You may also try downloading it from http://x1.i.lencr.org/ if you have trouble reaching the other URL.

3 Likes

You can't assume a "one size fits all" situation is possible. Some collateral damage is expected I'm afraid.

In my opinion, you can't expect a brand new CA to keep getting cross-signed intermediate certificates forever. This expiration of root certificates is not new: it's unfortunately part of the PKI infrastructure and some breakage is to be expected, especially in older, unsupported devices/software.

Also, Let's Encrypt is not the only CA out there. It's not even the only free CA out there. You have a choice :slight_smile: Notice that Let's Encrypt, being a CA which issues certificates free of charge, does not promise anything. Please see the Let's Encrypt Subscriber Agreement for your rights as a subscriber.

1 Like

I'm (remotely) helping a friend with an older laptop that is running macOS 10.11.6 (OS X El Capitan). In Chrome 94.0.4606.71, when navigating to a site with Lets's Encrypt (like https://www.solacecares.com/), they get the error NET::ERR_CERT_DATE_INVALID. A lot of the help for this string suggests your clock is incorrect, but I suspect it is due to the expiration of the IdentTrust DST Root CA X3 on September 30th, 2021.

This comment has step-by-step instructions for installing the ISRG Root X1 cert on OS X

https://mjtsai.com/blog/2021/09/24/some-web-sites-will-stop-working-with-el-capitan-and-older/#comment-3538503

I'm expanding them here, since this is the official forum. It is the same process as earlier in the thread, just more detailed.

  1. Download the ISRG Root X1 Certificate

Download from: https://letsencrypt.org/certs/isrgrootx1.der
You want the self-signed, NOT the cross-signed cert from Chain of Trust - Let's Encrypt (Active > ISRG Root X1 > Self-signed > der)

OS X may offer to open in Keychain, but instead select "Save File".

  1. Verify the fingerprints

In Terminal (Command - Space, then type "terminal.app"):

cd ~/Downloads
shasum -a 1 isrgrootx1.der 

This returns

cabd2a79a1076a31f21d253635cb039d4329a5e8  isrgrootx1.der

You can confirm this matches the one on Chain of Trust - Let's Encrypt, following the link "Self-signed" under "ISRG Root X1" to crt.sh | 9314791. Or, you can stick the SHA-1 in directly: https://crt.sh/?q=CABD2A79A1076A31F21D253635CB039D4329A5E8.

This terminal command will generate the SHA-256 version:

shasum -a 256 isrgrootx1.der 

returning

96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6  isrgrootx1.der

You can use the SHA-256 to cross-check against the root cert published by Apple in macOS Sierra (10.12):

Search for "ISRG Root X1" to find the entry, with the SHA-256 fingerprint as the last column.

  1. Install the certificate

Open the certificate by double-clicking isrgrootx1.der in the Finder, or in the terminal:

open -a "Keychain Access.app" isrgrootx1.der

You'll get a "Add Certificates" dialog asking:

Do you want to add the certificate(s) from the file "isrgrootx1.der" to a keychain?

In the drop-down "Keychain", select "login" (for just your user) or "system" (for all users). If unsure, I suggest "login", and then add for "System" if it resolved your issue.

Click "Add" to add it and close the "Add Certificates" dialog, leaving the Keychain Access window open for step 4.

  1. Manually "Trust" that certificate

In the Keychain Access search box, type "ISRG". Find the ISRG Root X1, with the Keychain (login or system) that you added it. Double-click to open.

  • In the ISRG Root X1 dialog box, expand the ":arrow_forward: Trust" area.
  • For "When using this certificate", change "Use System Defaults" to "Always Trust". This will change other items as well
  • Close the dialog box, and verify with your login password or Touch ID
  1. Test it out!

Try the website that gave the NET::ERR_CERT_DATE_INVALID and confirm it worked.

3 Likes

+1. Eventually, as devices age, you'd need to upgrade them unfortunately.

If you want macOS older support, probably using acme.sh client and switching to ZeroSSL SSL certificate might help as it has a cross signed AAA Certificate Services CA root certificate which was added to macOS 10.4 so old enough to support it. That's one suggestion I have for my users, switch to ZeroSSL https://blog.centminmod.com/2021/10/02/2425/centmin-mod-managing-letsencrypt-dst-root-ca-x3-certificate-expiration-on-centos-7/

The USERTrust RSA/ECC and COMODO RSA/ECC CA roots were added to the following devices since:

Apple :

  • macOS Sierra 10.12.1 Public Beta 2
  • iOS 10

Microsoft :

  • Windows XP (via Automatic Root Update; note that ECC wasn’t supported by Windows until Vista)
  • Windows Phone 7

Mozilla :

  • Firefox 3.0.4 (COMODO ECC Certification Authority)
  • Firefox 36 (the other 3 roots)

Google :

  • Android 2.3 (COMODO ECC Certification Authority)
  • Android 5.1 (the other 3 roots)

Oracle :

  • Java JRE 8u51

Opera :

  • [Browser release on December 2012]

360 Browser :

  • SE 10.1.1550.0 and Extreme browser 11.0.2031.0

And the cross-signed AAA Certificate Services root provides compatibility to older devices:

  • Apple iOS 3.
  • Apple macOS 10.4.
  • Google Android 2.3.
  • Mozilla Firefox 1.
  • Oracle Java JRE 1.5.0_08.
1 Like

@jwhitlock Thanks for writing up these detailed instructions! Do you mind if we adapt them for a documentation page on letsencrypt.org?

2 Likes

Thanks for writing up these detailed instructions! Do you mind if we adapt them for a documentation page on letsencrypt.org?

Yes, go ahead!

2 Likes

Thanks you so much, it worked! OS= Yosemite 10.10.5 (yes oldddd..waiting for the new Imac)

3 Likes

Thanks for the tip. Worked for me.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.