Windows 7 Chrome - NET::ERR_CERT_DATE_INVALID

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.lexigram.gr

I ran this command:

It produced this output:

My web server is (include version): IIS 8.5

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.1.11.917.x64.pluggable

Hello, since the old certificates expired, I renewed them yesterday with win-acme and all is fine in Windows 10 with all browsers, but in Windows 7 Chrome (fully updated, version 94.xx) shows NET::ERR_CERT_DATE_INVALID and shows the old expired ones not ISRG.

What I have tried until now is in the server machine to declare both DST Root CA X3 and R3 in the untrusted ones and rebooted the server, but it did not help.

How can we fix this? there are many people with Chrome on Windows 7.

the same thing happens if i visit letsencrypt.org from chrome on windows 7.

2 Likes

Hey, @lggr Thanks for reporting this.

I also have the same issue. Some of my clients reported the same issue.

They are using windows 7
Chrome ver 94

I confirmed that the issue still exists even after I installed a new SSL certificate.

Guys, there are some serious issues are happening behind.

Please report this to senior letsencrypt devs , I think they didn't notice this issue.

1 Like

Hi, this sound like the exact issue we are having too. Multiple clients report the same issue, Chrome on Win 7. They don't have the new root cert in the windows cert store. But normally they should fetch it automatically (if i understand the process correctly) but they dont. Even navigating to https://valid-isrgrootx1.letsencrypt.org/ with IE did not work. Manually installing a root cert is, of course, not a realistic option. Please help!

3 Likes

I am facing the same issue all of my users reporting the same problem, a quick fix by the team appreciated

So i guess these clients need a software update or manual install of the root cert: How does an old client get the new Root-Cert?

As a webhost, many of our clients have users and potential website visitors who run windows7 and google chrome. It is beyond anyone's control to contact a potential visitor to a website and educate him in updating Windows. This has to be a bug that needs to be fixed ASAP.

The only "bug" is that Windows 7 is too old to get security updates. Let's Encrypt may be the most well-known issuer of certificates, but it's really nothing specific to them. As roots expire, old systems that aren't getting security (including trust store) updates will have less and less access to the Internet. The only possible "fix" is to update to a supported platform. If Firefox still runs on Windows 7, you could try that since it uses its own trust store. Or, you can try using another CA, but that will just defer the problem until whichever root that CA has in the old trust store also expires.

In terms of specific steps to install the root (though this is from memory so I might be missing a step):

  1. Download https://letsencrypt.org/certs/isrgrootx1.pem (which may involve clicking through warnings, I guess, as you don't currently trust the root)
  2. Rename the file from isrgrootx1.pem to isrgrootx1.crt.
  3. Double-click the file.
  4. It should ask you to confirm that you want to add the certificate to the root store. You probably should check the thumbprint against some known-good source first here, too, but I'm not sure what a good source for that would be that you could reliably trust from such an old system.

I'm guessing somebody could put together a Powershell or batch file to simplify that somewhat. But again, you're just masking the problem of not getting security updates, and shouldn't actually consider any such system secure for anything.

4 Likes

Windows 7 should have loaded ISRG Root X1 though, as Microsoft still provides root store updates even to Windows XP:

Systems not having ISRG Root X1 probably suffer from some lazy-loading issue, or have updates disabled.

1 Like

Hmm. I was probably reading too much into someone above saying that visiting https://valid-isrgrootx1.letsencrypt.org/ on Windows 7 in IE also didn't work, and I assumed that it meant that Windows 7 didn't have it in the trust store. Perhaps it's just some configurations, or based on whether it had been lazy-loaded correctly in the past? Do we have confirmation that 7 does the same lazy-loading thing, or is it something they added in one of the versions of 10?

1 Like

This is not a bug from Let's Encrypts side, but just a normal flow of how the PKI infrastructure works. Sysops have a choice between two different certificate chains, so sysops can make a difference there.

2 Likes

what do you mean by a sysop? the website owner? if so, what can a sysop do? because end users (website visitors) cannot do or expected to do ANYTHING.

I am still confused about this, i am sry if this is a stupid question: Would changing the certificate chain help a client that doesn't have ISRG Root X1? E.g. a client with Windows 7 that has never been updated via windows update and is out of date?
Also this "lazy-loading" that has been mentioned: Is this possible and how does it work? This Post (Microsoft windows lazy-loading root certificate) does talk about visiting https://valid-isrgrootx1.letsencrypt.org/ and lazy-Loading the cert but from my testing this does nothing and the page does not load on a client that does not have the current root.

Correct.

Depends on what issue the clients have and what certificate chain the server is sending.

No, except for Android versions prior to 7.1.1. See Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt for that. For all other clients, ISRG Root X1 needs to be present in the trust store.

That would be a problem bigger than just an expired iot certificate.

I don't have experience nor knowledge with/about Windows, so maybe someone else may chime in.

2 Likes

Time for some SCIENCE! (By which I mean, of course, that I tried writing down what I did, since that's the key difference between "science" and "just messing around with stuff".)

  1. I went to Virtual Machines - Microsoft Edge Developer and downloaded the VM for "IE11 on Win7 (x86)" for "HyperV (Windows)" and imported it into Hyper-V
  2. In the VM, opened up Internet Explorer [in its about dialog, it says Version: 11.0.9600.18860; Update Versions: 11.0.49 (KB4052978)]
  3. I confirmed the date and time in the VM was correct.
  4. In IE, visited https://helloworld.letsencrypt.org (which uses the "default" DST Root CA X3 rooted chain), and it opened fine.
  5. In IE, visited https://valid-isrgrootx1.letsencrypt.org (which uses the "alternate" chain rooted in ISRG Root X1, and it opened fine.
  6. In IE, visited https://www.google.com/chrome, unchecked the two boxes, and downloaded Chrome for Windows 10/8.1/7 32-bit
  7. In Chrome, went to Menu / Help / About and got version number: Version 94.0.4606.71 (Official Build) (32-bit)
  8. In Chrome, visited https://helloworld.letsencrypt.org and it worked fine.
  9. In Chrome, visited https://valid-isrgrootx1.letsencrypt.org and it also worked fine.

Now, I don't know how similar that VM image (which lists a "created date" of 1/9/2018 in Hyper-V) is to a "real-world" Windows 7 instance which has who-knows-what installed and has been who-knows-where on the Internet to populate caches and whatnot, but it's at least some evidence that it's possible to have a Windows 7 computer that works for going to sites using Let's Encrypt's certificates. It makes me think that those computers that it's not working on must have had automatic updates turned off many years ago in order to not get the ISRG Root X1 certificate in its trust store, but maybe there's something else going on if people are seeing a high level of Windows 7 issues.

I don't know if this post is actually helpful information, but maybe other people can do their own controlled experiments to figure out what the difference is between Windows 7 systems that work and those that don't.

4 Likes

I'm having the same problem here. Google chrome windows 7 both 32bit and 64bit shows NET::ERR_CERT_DATE_INVALID error. I'm just a single guy manage around 100 computers. All those users don't know the admin password except my boss so they can't install firefox. I don't want to install all those 100 computers one by one. Please fix this ASAP =(

Same issue experiencing this on all chrome and chromium based browsers, firefox doesnt seem to have the same issue.

This is definitely something you need to fix yourself. Microsoft stopped supporting Windows 7 almost 2 years ago.

Assuming you have a domain admin account which can access all of the computers you need to script a group policy startup script that installs the ISRG Root X1 (self signed) certificate into the local computer or applies this registry method: Fixing Windows installs that don't receive updates to their trusted roots - #29 by rmbolger

Somehow your automatic CA root updates are not enabled, you should figure that out as well. Check your group policy to ensure automatic updates in not disabled: How to enable the "automatic root certificates update" on Windows Server 2016 - Microsoft Q&A

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789196(v=ws.11)

3 Likes

@petercooperjr, could the results of your experiments be related to the observations in this thread?

If I understood that thread properly, it can matter somehow how a user accessed an X1-using site, but I don't quite follow the upshot.

Hi all. I'm not sure what is going on but all R3, LetsEncrypt certified websites on my IExplorer, Opera and Chrome browsers are giving your clock is wrong error. Check error message from my forum help post:

I reinstalled long unused Mozilla Firefox and can resume to access those unaccessible websites but I think this is simply dissaster.
Regards all.
Safak

1 Like

we had some visitors with this problem too