Our users are getting error NET::ERR_CERT_DATE_INVALID while accessing our portal with a valid letsencrypt certificate in Chrome, Chromiun and IE. But its working with Firefox as reported by other users.

1 Like

Which O/S are those systems using?

I'm sorry but I don't take anything for granted.
And, again, if this thread should get moved from this topic, it must stand on its' own two feet.
[yes, I can read the topic, read my posts]

1 Like


1 Like

There are many reasons Win7 can be failing.
But it is likely due to an outdated trust root store.
You may need to manually add the "ISRG Root X1" cert for them to trust the new (short pathed) LE certs.


Just posted a similar, I cannot access sites using lets encrypt on my windows 7 PC using chrome. Firefox is fine, not sure how many people are still using windows 7 but for them lets encrypt has broken the internet.

1 Like

As suggested downloaded "ISRG Root X1" from
and executed using below command
certutil -addstore Root isrgrootx1.der

Now its working with Windows 7 and Chrome

Thank you


Possibly. That's why I posted the order I did things in, in case visiting the sites in IE first is what "fixed" things. But I find it quite likely that the systems with problems are configured differently in some way than the VM image I downloaded.


that's obviously not a solution. You can't possibly ask a random visitor to manually install BLABLA because they are not technical experts. Also, even if you wanted to tell them what to do (not an option) you can't contact them, the website doesn't load in the first place due to the failure.


@lggr, this forum has an interesting mix of end-users wanting to fix their own computers and web site administrators wanting to improve/maintain compatibility of their web sites. This solution has already helped a number of end-users who were actively trying to diagnose and fix their own problems accessing web sites.

I hope we'll find better solutions that work for all web sites, but it's also possible that Let's Encrypt certificates simply won't be able to support certain clients in the future, especially client platforms that are no longer supported by their vendors. The web PKI model does depend on having software vendors maintain root certificate stores over time, which also means eventually pushing out new roots to replace old ones as the old roots go out of use.

Unfortunately, that problem isn't specific to Let's Encrypt in any way. All root certificates expire and are eventually withdrawn from use at some point. As @jsha pointed out in another thread, there seems to be an industry-wide mismatch or failure on this point; unfortunately, Let's Encrypt users are those happening to experience this at this moment, but users of other CAs will also experience it (or have already experienced it) at other times.

It's also a concern that so many people continue to use software that no longer receives security updates. I think @jsha's post suggested laying blame more with software (and sometimes hardware) vendors than with end users, but however we want to explain the problem, it's a really concerning issue; it's one of the ways that bot herders have been able to incorporate so many devices into their botnets. The increased use of cryptography makes this problem more directly visible because security updates for cryptographic systems are often not backwards-compatible.


I m not an expert, but it works for me (win7 - Chrome - Brave) :

I think i install these 3 files in what you call trusted store
In fact, the exact path in my french version is :
"Placer tous les certificats dans le magasin suivant / Autorités de certification racine de confiance"

1 Like

Installing intermediate certificates (R3) into a trust store is not recommended. Installing the roots is fine.


All my sites can’t show in windows 7 on chrome
This is big problems
And all sites in world also if use let’s Encrypt ssl.
See photo

I’m hope them solve this ASAP
If don’t I’m need change ssl certification company for a lot of sites

Have you tried any of the solutions provided for Win7?

Yes I’m tried all
And if can write explain step by step for upload files isrgootx x2 and etc . but I’m sure is don’t help to many use windows 7 with chrome .

All sites in worlds don’t work ssl lets encryption ssl
In chrome on windows 7 . I’m hope them solve this ASAP

All the LE roots can be found at:
Chain of Trust - Let's Encrypt (

Once installed into your trusted roots folder, you may also need to reboot.

This article very hard to understand
Do you know how install this in plesk? Update some
For all user on windows 7 can show ssl in chrome ?
And fix


You have Plesk on Windows 7?

1 Like

One of my clients had issues with older windows 7 machines not accepting the certificate.

I switched to the X1-only chain with --preferred-chain "ISRG Root X1" and have not heard back from them. So that might be worth giving a try if ppl cannot reach your website from win7.

this problem doesn't exist on xp and firefox/mypal browsers, so why mention stopped support for 7?

and it affects all chromium based browsers, so culprit is obvious.

also, this page

lists xp sp3 as minimum, but there's no difference between sp2 and sp3.

(checked across few platforms/browsers on website, which chromium dislikes on 7)

There is, because the crypto library in Windows XP SP2 does not support SHA-2 algorithms, so apps using that won't be able to validate any Let's Encrypt certificate.

Windows 7 should have loaded ISRG Root X1 (Microsoft does provide the root store update), but not all systems have done this. The exact reason why is largely unknown, but it sometimes boils down to disabled services, proxy/firewall settings or DNS blackholing.

Chromium-based browsers usually use the Microsoft certificate manager/platform verifier (CAPI2), that's why they're affected on some systems. Firefox (and derivatives) ship their own verifier and root store, and don't care what the OS does.