SSL not working on Windows 7 running Chrome

Please CLICK on the item your arrow is pointing at and take a screenshot of the window which will appear.

We saw the "Not secure" message on your first screenshot, but we need the window that appears when you CLICK on it. Drawing arrows doesn't help with that to be honest.

2 Likes


I can't get access to a client system - that is why I shared
The client is a large IT company and they reported issues

Secondly, I test cross-browser - with iPhone 5S - Safari also doesn't open the site, saying it is unsecure

Screenshot already attached

1 Like

I would try reordering the ciphersuites OR removing the DHE ciphers altogether:

DHE won't negotiate the DH parameter and is thus difficult to implement.

1 Like

"Server has no preference", so that doesn't really matter.

2 Likes

That leaves the preference to the client - how is that any better?

Then option #2:

1 Like

Might be failing for a different reason. And, the "fix" for Safari would be different than for your client using Win7 and Chrome. But, for iPhone 5S, what version of iOS has that phone been updated to?

Let's Encrypt had its DST Root CA X3 certificate expire on Sept 30. It is still part of the default chain (the "long chain") and is what your server uses. This was done to provide best support for older Android devices but other older devices may not work as well. If you need to support a wide variety of older clients you might be better off switching to a different Certificate Authority (CA). Something like ZeroSSL or another free CA.

See here for more explanation

3 Likes
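Added example, not part of the thread: one way to confirm from a workstation whether a server is sending the "long chain" described above is to read the subject/issuer pairs printed by `openssl s_client -connect HOST:443 -showcerts`. The sample outputs below are constructed, `example.org` is a placeholder, the function names are hypothetical, and the intermediate name R3 is assumed from Let's Encrypt's chain at the time of the thread.

```python
import re

# Constructed samples of the "Certificate chain" section of s_client output
# (certificate bodies omitted; example.org is a placeholder host).
SAMPLE_LONG = """\
Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
SAMPLE_SHORT = """\
Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

# One chain entry: "<index> s:<subject DN>" followed by "i:<issuer DN>".
_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.M)
# Matches both "CN = X" (OpenSSL 1.1+) and "/CN=X" (OpenSSL 1.0.x) DN styles.
_CN = re.compile(r"CN\s*=\s*([^,/\n]+)")

def _cn(dn):
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    return [(_cn(s), _cn(i)) for _, s, i in _ENTRY.findall(text)]

def classify_chain(text):
    """'long' if the cross-signed ISRG Root X1 (issued by DST Root CA X3) is sent."""
    chain = parse_chain(text)
    if not chain:
        return "no chain found"
    if any(s == "ISRG Root X1" and i == "DST Root CA X3" for s, i in chain):
        return "long"
    if chain[-1][1] == "ISRG Root X1":
        return "short"   # client must already trust ISRG Root X1 itself
    return "other"
```

A "long" result means clients that reject the expired DST Root CA X3 and lack ISRG Root X1 in their own store will fail to validate the site; a "short" result narrows the problem to the client's root store.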

@sudhanshubhasin For your Win7 / Chrome client, you might try these two things from this earlier thread.

Per @webprofusion
Browse to this site using Google Chrome: https://valid-isrgrootx1.letsencrypt.org/ then go back to your site and see if it works. (Note he suggested the Win7 machine might be missing ISRG Root X1 in your thread earlier).

If that does not work, try these instructions @mel_mel posted. It is more complicated, so read through the posts following it for a full explanation. It sounds like you cannot, and probably should not, load the intermediate cert but follow the rest of the instructions.

3 Likes

The final option is to switch to a different ACME Certificate Authority (there are a couple of major ones: Automated Certificate Management Environment - Wikipedia). The benefit of doing that can be that the alternative certificate authority may have a more widely trusted root certificate. You would need to test. This is especially useful if you are trying to support a wide range of old client software (Windows 7, old iOS, old Android etc).

2 Likes

I changed the site SSL from Let's Encrypt to ZeroSSL and it is solved now
I am amazed why Let's Encrypt SSL did not work and ZeroSSL worked

2 Likes

Because Windows is shitty with loading of root certificates.

4 Likes

I agree

But even the Mac systems running iOS had problems on Let's Encrypt - Apple iPhone 6 running Safari had the same problem

Not on ZeroSSL

1 Like

Yes, older devices also can have issues with recent root certificates.

3 Likes

Will there be any solution from Let's Encrypt for this or do we simply switch to ZeroSSL?

1 Like

What kind of solution do you mean? The ISRG Root X1 certificate is accepted in major root certificate stores for more than 5 years now. Let's Encrypt has decided to switch over to this root certificate without a new cross-sign: they have to be on their own without "assistance" of cross-signed roots some day. Only for Android there was a possibility to use a cross-signed cert of the already used (and now expired) root certificate from IdenTrust. But that is a very specific exemption which was only possible for a specific, but large group of users (older Android). No such highly specific situation is possible for other users.

3 Likes

The answer would be no solution to this

1 Like

Actually, within the next few years other CAs will start to have the same problem as their various old root certs expire. ZeroSSL stuff will stop working for old operating systems in 2029, which is obviously quite some time away.

3 Likes

There should have been a way Let's Encrypt should be able to do this
If there is no other way, I will just tick this as undone work

1 Like

What way would that be then?

1 Like

Switching over to root certificate without a new cross-sign
So even a safe user from an old browser would not be able to visit a Let's Encrypt-issued SSL website

1 Like