Windows 7 Chrome - NET::ERR_CERT_DATE_INVALID

devidasm · October 1, 2021, 8:27am

Hey, @lggr Thanks for reporting this.

I also have the same issue. Some of my clients reported the same issue.

They are using windows 7
Chrome ver 94

I confirmed that the issue still exists even after I installed a new SSL certificate.

Guys, there are some serious issues are happening behind.

Please report this to senior letsencrypt devs , I think they didn't notice this issue.

green234828 · October 1, 2021, 9:02am

Hi, this sound like the exact issue we are having too. Multiple clients report the same issue, Chrome on Win 7. They don't have the new root cert in the windows cert store. But normally they should fetch it automatically (if i understand the process correctly) but they dont. Even navigating to https://valid-isrgrootx1.letsencrypt.org/ with IE did not work. Manually installing a root cert is, of course, not a realistic option. Please help!

uzthegeek · October 1, 2021, 11:54am

I am facing the same issue all of my users reporting the same problem, a quick fix by the team appreciated

green234828 · October 1, 2021, 12:01pm

So i guess these clients need a software update or manual install of the root cert: How does an old client get the new Root-Cert?

tofy · October 1, 2021, 12:20pm

As a webhost, many of our clients have users and potential website visitors who run windows7 and google chrome. It is beyond anyone's control to contact a potential visitor to a website and educate him in updating Windows. This has to be a bug that needs to be fixed ASAP.

petercooperjr · October 1, 2021, 1:11pm

The only "bug" is that Windows 7 is too old to get security updates. Let's Encrypt may be the most well-known issuer of certificates, but it's really nothing specific to them. As roots expire, old systems that aren't getting security (including trust store) updates will have less and less access to the Internet. The only possible "fix" is to update to a supported platform. If Firefox still runs on Windows 7, you could try that since it uses its own trust store. Or, you can try using another CA, but that will just defer the problem until whichever root that CA has in the old trust store also expires.

In terms of specific steps to install the root (though this is from memory so I might be missing a step):

Download https://letsencrypt.org/certs/isrgrootx1.pem (which may involve clicking through warnings, I guess, as you don't currently trust the root)
Rename the file from isrgrootx1.pem to isrgrootx1.crt.
Double-click the file.
It should ask you to confirm that you want to add the certificate to the root store. You probably should check the thumbprint against some known-good source first here, too, but I'm not sure what a good source for that would be that you could reliably trust from such an old system.

I'm guessing somebody could put together a Powershell or batch file to simplify that somewhat. But again, you're just masking the problem of not getting security updates, and shouldn't actually consider any such system secure for anything.

Nummer378 · October 1, 2021, 2:28pm

Windows 7 should have loaded ISRG Root X1 though, as Microsoft still provides root store updates even to Windows XP:

Systems not having ISRG Root X1 probably suffer from some lazy-loading issue, or have updates disabled.

petercooperjr · October 1, 2021, 2:48pm

Hmm. I was probably reading too much into someone above saying that visiting https://valid-isrgrootx1.letsencrypt.org/ on Windows 7 in IE also didn't work, and I assumed that it meant that Windows 7 didn't have it in the trust store. Perhaps it's just some configurations, or based on whether it had been lazy-loaded correctly in the past? Do we have confirmation that 7 does the same lazy-loading thing, or is it something they added in one of the versions of 10?

Osiris · October 1, 2021, 3:42pm

This is not a bug from Let's Encrypts side, but just a normal flow of how the PKI infrastructure works. Sysops have a choice between two different certificate chains, so sysops can make a difference there.

lggr · October 1, 2021, 3:55pm

what do you mean by a sysop? the website owner? if so, what can a sysop do? because end users (website visitors) cannot do or expected to do ANYTHING.

green234828 · October 1, 2021, 3:56pm

I am still confused about this, i am sry if this is a stupid question: Would changing the certificate chain help a client that doesn't have ISRG Root X1? E.g. a client with Windows 7 that has never been updated via windows update and is out of date?
Also this "lazy-loading" that has been mentioned: Is this possible and how does it work? This Post (Microsoft windows lazy-loading root certificate) does talk about visiting https://valid-isrgrootx1.letsencrypt.org/ and lazy-Loading the cert but from my testing this does nothing and the page does not load on a client that does not have the current root.

Osiris · October 1, 2021, 4:21pm

Correct.

Depends on what issue the clients have and what certificate chain the server is sending.

No, except for Android versions prior to 7.1.1. See Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt for that. For all other clients, ISRG Root X1 needs to be present in the trust store.

That would be a problem bigger than just an expired iot certificate.

I don't have experience nor knowledge with/about Windows, so maybe someone else may chime in.

petercooperjr · October 1, 2021, 5:03pm

Time for some SCIENCE! (By which I mean, of course, that I tried writing down what I did, since that's the key difference between "science" and "just messing around with stuff".)

I went to Virtual Machines - Microsoft Edge Developer and downloaded the VM for "IE11 on Win7 (x86)" for "HyperV (Windows)" and imported it into Hyper-V
In the VM, opened up Internet Explorer [in its about dialog, it says Version: 11.0.9600.18860; Update Versions: 11.0.49 (KB4052978)]
I confirmed the date and time in the VM was correct.
In IE, visited https://helloworld.letsencrypt.org (which uses the "default" DST Root CA X3 rooted chain), and it opened fine.
In IE, visited https://valid-isrgrootx1.letsencrypt.org (which uses the "alternate" chain rooted in ISRG Root X1, and it opened fine.
In IE, visited https://www.google.com/chrome, unchecked the two boxes, and downloaded Chrome for Windows 10/8.1/7 32-bit
In Chrome, went to Menu / Help / About and got version number: Version 94.0.4606.71 (Official Build) (32-bit)
In Chrome, visited https://helloworld.letsencrypt.org and it worked fine.
In Chrome, visited https://valid-isrgrootx1.letsencrypt.org and it also worked fine.

Now, I don't know how similar that VM image (which lists a "created date" of 1/9/2018 in Hyper-V) is to a "real-world" Windows 7 instance which has who-knows-what installed and has been who-knows-where on the Internet to populate caches and whatnot, but it's at least some evidence that it's possible to have a Windows 7 computer that works for going to sites using Let's Encrypt's certificates. It makes me think that those computers that it's not working on must have had automatic updates turned off many years ago in order to not get the ISRG Root X1 certificate in its trust store, but maybe there's something else going on if people are seeing a high level of Windows 7 issues.

I don't know if this post is actually helpful information, but maybe other people can do their own controlled experiments to figure out what the difference is between Windows 7 systems that work and those that don't.

katul45 · October 2, 2021, 5:23am

I'm having the same problem here. Google chrome windows 7 both 32bit and 64bit shows NET::ERR_CERT_DATE_INVALID error. I'm just a single guy manage around 100 computers. All those users don't know the admin password except my boss so they can't install firefox. I don't want to install all those 100 computers one by one. Please fix this ASAP =(

iale · October 2, 2021, 5:35am

Same issue experiencing this on all chrome and chromium based browsers, firefox doesnt seem to have the same issue.

webprofusion · October 2, 2021, 5:37am

This is definitely something you need to fix yourself. Microsoft stopped supporting Windows 7 almost 2 years ago.

Assuming you have a domain admin account which can access all of the computers you need to script a group policy startup script that installs the ISRG Root X1 (self signed) certificate into the local computer or applies this registry method: Fixing Windows installs that don't receive updates to their trusted roots - #29 by rmbolger

Somehow your automatic CA root updates are not enabled, you should figure that out as well. Check your group policy to ensure automatic updates in not disabled: How to enable the "automatic root certificates update" on Windows Server 2016 - Microsoft Q&A

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789196(v=ws.11)

schoen · October 2, 2021, 5:43am

@petercooperjr, could the results of your experiments be related to the observations in this thread?

If I understood that thread properly, it can matter somehow how a user accessed an X1-using site, but I don't quite follow the upshot.

safak.kayhan · October 2, 2021, 10:32am

Hi all. I'm not sure what is going on but all R3, LetsEncrypt certified websites on my IExplorer, Opera and Chrome browsers are giving your clock is wrong error. Check error message from my forum help post:

I reinstalled long unused Mozilla Firefox and can resume to access those unaccessible websites but I think this is simply dissaster.
Regards all.
Safak

lggr · October 2, 2021, 10:33am

we had some visitors with this problem too

proemtech · October 2, 2021, 10:40am

We are also facing the same problem