Subset of Windows Users See Expired Let's Encrypt Certificates with `curl`

Clever! Yes, it's worth a try to attempt to force the certs to update in the store: Internet Explorer mode in Microsoft Edge - Microsoft Support. My assumption is that this would already have happened [at some point] if the OS feature was enabled.


We have identified that the player encountering the issue indeed lacks the necessary root certificate in their machine's certificate store. Additionally, their group policy does not prohibit root certificate updates, and they have also upgraded from Windows 10 to Windows 11. Despite these conditions, the required root certificate is still missing.

To address this gap, we are considering guiding them to try accessing the Let's Encrypt official website using IE mode to see if this resolves the issue.

Thank you for your assistance and guidance on this matter.


I'd suggest the following:

Browsing to https://valid-isrgrootx1.letsencrypt.org/ using IE (or IE mode) will prompt Windows to include ISRG Root X1 in its trust store automatically.

Where the trust store is not automatically updating they can manually install ISRG Root X1:

  • Browse to http://x1.i.lencr.org/ in order to download the .der file for ISRG Root X1 (your browser may warn about the file type and you may need to click "Keep" to save the file).
  • Open the file, click "Install Certificate...", choose the default option "Automatically select...", then Next, then Finish.
  • Reboot.
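As an added example (not from this thread), a PowerShell check that tells the two cases above apart before sending a player down either path: whether ISRG Root X1 is already in the machine's Root store, and whether the Automatic Root Certificates Update policy has been turned off. The registry path and the `DisableRootAutoUpdate` value name are assumed from the documented policy setting; the function only reads them.

```powershell
# Added diagnostic for the thread's scenario (not the forum author's code).
# Checks the machine-wide Root store for ISRG Root X1 and reads the Group Policy
# value that disables Automatic Root Certificates Update. Read-only: nothing is installed.

function Test-IsrgRootX1 {
    [CmdletBinding()]
    param()

    # ISRG Root X1 is self-signed, so Subject and Issuer both carry this CN.
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*CN=ISRG Root X1*' } |
        Select-Object -First 1

    # Assumed policy location (documented setting for turning off root auto-update).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $autoUpdateDisabled = ($null -ne $policy) -and ($policy.DisableRootAutoUpdate -eq 1)

    $advice = if ($root) {
        'ISRG Root X1 is trusted; the cause lies elsewhere (served chain, client TLS stack).'
    } elseif ($autoUpdateDisabled) {
        'Root missing and auto-update disabled by policy; install ISRG Root X1 manually.'
    } else {
        'Root missing but auto-update allowed; open the valid-isrgrootx1 test page in IE mode.'
    }

    [pscustomobject]@{
        IsrgRootX1Present = [bool]$root
        Thumbprint        = if ($root) { $root.Thumbprint } else { $null }
        NotAfter          = if ($root) { $root.NotAfter } else { $null }
        RootAutoUpdateOff = $autoUpdateDisabled
        Advice            = $advice
    }
}

Test-IsrgRootX1 | Format-List
```

Run it in an elevated PowerShell on the affected machine; `RootAutoUpdateOff` being true with the root absent is the case where the manual .der install above is the only fix.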

It is impossible for the server end to fix such client deficiencies.
[you can't include the root cert for them to trust]
The closest you can come is to bend to their will.
By that I mean: Provide a cert that is trusted by as many of those "ancient" clients as possible.
And by combining that with a cert for all the newer clients you might come closer to 100%.
To be clear, what I'm proposing is that you serve more than one cert.
[to save on costs, only use certs from free CAs]

  • get an RSA 2048 cert that chains to a very old root [not sure about which one to use]
  • get an ECDSA 256 cert that chains to a very new root [Let's Encrypt]

Note: If for any reason you can't serve two certs from your current web service [IIS?], it would be very easy to put those requests through a web proxy that can serve two certs.

