Hmm. I was probably reading too much into someone above saying that visiting https://valid-isrgrootx1.letsencrypt.org/ on Windows 7 in IE also didn't work, and I assumed that it meant that Windows 7 didn't have it in the trust store. Perhaps it's just some configurations, or based on whether it had been lazy-loaded correctly in the past? Do we have confirmation that 7 does the same lazy-loading thing, or is it something they added in one of the versions of 10?
This is not a bug from Let's Encrypt's side, but just a normal flow of how the PKI infrastructure works. Sysops have a choice between two different certificate chains, so sysops can make a difference there.
What do you mean by a sysop? The website owner? If so, what can a sysop do? Because end users (website visitors) cannot do, or be expected to do, ANYTHING.
I am still confused about this, I am sorry if this is a stupid question: Would changing the certificate chain help a client that doesn't have ISRG Root X1? E.g. a client with Windows 7 that has never been updated via Windows Update and is out of date?
Also this "lazy-loading" that has been mentioned: Is this possible and how does it work? This post (Microsoft windows lazy-loading root certificate) does talk about visiting https://valid-isrgrootx1.letsencrypt.org/ and lazy-loading the cert, but from my testing this does nothing and the page does not load on a client that does not have the current root.
Depends on what issue the clients have and what certificate chain the server is sending.
No, except for Android versions prior to 7.1.1. See Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt for that. For all other clients, ISRG Root X1 needs to be present in the trust store.
That would be a problem bigger than just an expired iot certificate.
I don't have experience nor knowledge with/about Windows, so maybe someone else may chime in.
Time for some SCIENCE! (By which I mean, of course, that I tried writing down what I did, since that's the key difference between "science" and "just messing around with stuff".)
- I went to Virtual Machines - Microsoft Edge Developer and downloaded the VM for "IE11 on Win7 (x86)" for "HyperV (Windows)" and imported it into Hyper-V
- In the VM, opened up Internet Explorer [in its about dialog, it says Version: 11.0.9600.18860; Update Versions: 11.0.49 (KB4052978)]
- I confirmed the date and time in the VM was correct.
- In IE, visited https://helloworld.letsencrypt.org (which uses the "default" DST Root CA X3 rooted chain), and it opened fine.
- In IE, visited https://valid-isrgrootx1.letsencrypt.org (which uses the "alternate" chain rooted in ISRG Root X1), and it opened fine.
- In IE, visited https://www.google.com/chrome, unchecked the two boxes, and downloaded Chrome for Windows 10/8.1/7 32-bit
- In Chrome, went to Menu / Help / About and got version number: Version 94.0.4606.71 (Official Build) (32-bit)
- In Chrome, visited https://helloworld.letsencrypt.org and it worked fine.
- In Chrome, visited https://valid-isrgrootx1.letsencrypt.org and it also worked fine.
Now, I don't know how similar that VM image (which lists a "created date" of 1/9/2018 in Hyper-V) is to a "real-world" Windows 7 instance which has who-knows-what installed and has been who-knows-where on the Internet to populate caches and whatnot, but it's at least some evidence that it's possible to have a Windows 7 computer that works for going to sites using Let's Encrypt's certificates. It makes me think that those computers that it's not working on must have had automatic updates turned off many years ago in order to not get the ISRG Root X1 certificate in its trust store, but maybe there's something else going on if people are seeing a high level of Windows 7 issues.
I don't know if this post is actually helpful information, but maybe other people can do their own controlled experiments to figure out what the difference is between Windows 7 systems that work and those that don't.
I'm having the same problem here. Google Chrome on Windows 7, both 32-bit and 64-bit, shows the NET::ERR_CERT_DATE_INVALID error. I'm just a single guy managing around 100 computers. All those users don't know the admin password except my boss, so they can't install Firefox. I don't want to install all those 100 computers one by one. Please fix this ASAP =(
Same issue, experiencing this on all Chrome and Chromium-based browsers; Firefox doesn't seem to have the same issue.
This is definitely something you need to fix yourself. Microsoft stopped supporting Windows 7 almost 2 years ago.
Assuming you have a domain admin account which can access all of the computers, you need to script a group policy startup script that installs the ISRG Root X1 (self-signed) certificate into the local computer or applies this registry method: Fixing Windows installs that don't receive updates to their trusted roots - #29 by rmbolger
Somehow your automatic CA root updates are not enabled; you should figure that out as well. Check your group policy to ensure automatic updates is not disabled: How to enable the "automatic root certificates update" on Windows Server 2016 - Microsoft Q&A
@petercooperjr, could the results of your experiments be related to the observations in this thread?
If I understood that thread properly, it can matter somehow how a user accessed an X1-using site, but I don't quite follow the upshot.
Hi all. I'm not sure what is going on but all R3, LetsEncrypt certified websites on my IExplorer, Opera and Chrome browsers are giving a "your clock is wrong" error. Check error message from my forum help post:
I reinstalled long unused Mozilla Firefox and can resume to access those inaccessible websites but I think this is simply a disaster.
We had some visitors with this problem too.
We are also facing the same problem.
Hi @proemtech, welcome to the LE community forum.
Please edit your post and state your problem as well - not just "me too".
If your thread becomes too large it might need to be moved to a separate topic.
One that would begin with:
[not very helpful for anyone searching for help - once we are concluded here]
Our users are getting error NET::ERR_CERT_DATE_INVALID while accessing our portal with a valid Let's Encrypt certificate in Chrome, Chromium and IE. But it's working with Firefox as reported by other users.
Which O/S are those systems using?
I'm sorry but I don't take anything for granted.
And, again, if this thread should get moved from this topic, it must stand on its own two feet.
[yes, I can read the topic, read my posts]
There are many reasons Win7 can be failing.
But it is likely due to an outdated trust root store.
You may need to manually add the "ISRG Root X1" cert for them to trust the new (short pathed) LE certs.
Just posted a similar, I cannot access sites using Let's Encrypt on my Windows 7 PC using Chrome. Firefox is fine, not sure how many people are still using Windows 7 but for them Let's Encrypt has broken the internet.
As suggested, downloaded "ISRG Root X1" from https://letsencrypt.org/certs/isrgrootx1.der
and executed using the below command
certutil -addstore Root isrgrootx1.der
Now it's working with Windows 7 and Chrome
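
The manual `certutil -addstore Root` step above, as a scripted verify-before-trust variant suitable for the Group Policy startup script suggested earlier in the thread. This is an added example, not code posted by anyone in the thread. The `-ExpectedSha256` parameter and the default file path are assumptions: supply the fingerprint obtained from Let's Encrypt's published certificate details over a channel that is already trusted.

```powershell
# Added example: install ISRG Root X1 into LocalMachine\Root only after the
# DER file's SHA-256 fingerprint matches a value supplied by the administrator.
# Uses .NET classes only, so it runs on PowerShell 2.0 (stock Windows 7).
# Must run elevated (e.g. as a computer startup script).
param(
    # Assumed location of the file from https://letsencrypt.org/certs/isrgrootx1.der
    [string]$CertPath = '.\isrgrootx1.der',
    # Fingerprint obtained out of band; deliberately not hard-coded here.
    [Parameter(Mandatory = $true)]
    [string]$ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# Normalise the expected fingerprint (accept colons, spaces, either case).
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 64) { throw 'ExpectedSha256 must be 64 hex digits.' }

# For a DER file, the hash of the raw bytes is the certificate fingerprint.
$bytes  = [System.IO.File]::ReadAllBytes((Resolve-Path $CertPath).Path)
$sha    = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
if ($actual -ne $expected) { throw "Fingerprint mismatch, refusing to install: $actual" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

# Sanity checks: a root is self-signed, and this one should name ISRG Root X1.
if ($cert.Subject -ne $cert.Issuer)       { throw 'Certificate is not self-signed.' }
if ($cert.Subject -notmatch 'ISRG Root X1') { throw "Unexpected subject: $($cert.Subject)" }

# Same store that "certutil -addstore Root" writes to.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        Write-Output 'ISRG Root X1 already in LocalMachine\Root; nothing to do.'
    } else {
        $store.Add($cert)
        Write-Output "Installed $($cert.Subject), valid until $($cert.NotAfter)"
    }
} finally {
    $store.Close()
}
```

The script is idempotent, so it can stay in the startup policy until the machines' automatic root updates are working again.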