Windows 7 Chrome - NET::ERR_CERT_DATE_INVALID

This problem doesn't exist on XP and Firefox/Mypal browsers, so why mention stopped support for 7?

And it affects all Chromium-based browsers, so the culprit is obvious.

Also, this page

lists XP SP3 as minimum, but there's no difference between SP2 and SP3.

(Checked across a few platforms/browsers on the brave.com website, which Chromium dislikes on 7.)

There is, because the crypto library in Windows XP SP2 does not support SHA-2 algorithms, so apps using it won't be able to validate any Let's Encrypt certificate.

Windows 7 should have loaded ISRG Root X1 (Microsoft does provide the root store update), but not all systems have done this. The exact reason why is largely unknown, but it sometimes boils down to disabled services, proxy/firewall settings or DNS blackholing.

Chromium-based browsers usually use the Microsoft certificate manager/platform verifier (CAPI2), which is why they're affected on some systems. Firefox (and derivatives) ship their own verifier and root store, and don't care what the OS does.

4 Likes

Apps? You mean websites?
I meant that from my perspective there is no difference... dunno how many websites use 256 and more bits of security (SHA-2); security went a bit overboard lately, if you ask me. I especially like Win10 pestering about a weak password upon installation...

I can tell you SP1 for Win7 makes no difference, and entering Google DNS servers alike.
Proxy/firewall is not really something I touched, or should affect only particular sites, and I didn't touch services... I checked Event Viewer's "Security" portion to find nothing interesting.

But your last paragraph must be completely correct given that Firefox (and variants; Mypal is a version of the Pale Moon browser, which has its roots in Firefox but uses Goanna instead of Gecko) doesn't have the issue.
I.e. it's an issue of the interaction of browser and OS, given that Chrome on Android doesn't have the issue.

Of course, for the sake of clarity we should also mention that you can't install Chromium-based browsers on XP (or, if you can, they'll be outdated or not that fast, in case you've found some obscure Chinese build that actually installs on XP), and that if you could, it would probably be as borked as 7 for a handful of sites... hm... let me just double-check that...
Yep, Iron browser on XP (version 49) doesn't like brave.com, but at least I can get to the site via 'Advanced', unlike in Brave browser... heh

Incidentally, brave.com is encrypted via Let's Encrypt; I used that example just because I find it silly that the browser I just installed can't open its own web page... not even after you click on "Advanced" etc.

I meant applications using TLS, for example browsers.

100% of the certificates issued by Let's Encrypt use SHA-2 for their signature. This also applies to the root certificate. Issuing new (CA) certificates with SHA-1 is nowadays forbidden by the Baseline Requirements, so it's becoming rare (SHA-1 is broken).

We were talking about XP SP2 previously, now we're talking about Win 7? Anyway, as I already stated, Win 7 is compatible in theory, so yes this is expected.

You can, but you need to install really old versions I think.

1 Like

We are talking about the problem in general, across platforms, and that certainly helps pinpoint the issue as not something that can be solved via some obscure Win7 patch, I believe, i.e. it's not an issue of Win7 setup, so I'm curious about your statement about it not affecting all 7 systems?
You've seen 7 systems where this error never appears on Chromium browsers?

As for XP and Chromium, yes, as my parenthesized portion states (the one just after the part you quoted).

Yes, it works on all three of my Windows 7 VMs without issue. I have even tried a completely clean Win 7 install, installed nothing (just Chrome) - worked out of the box.

Screenshots (also included IE 11, though that's not Chromium):

1 Like

There's also my testing in post #14 of this thread. As best as we can tell, Windows 7 with default settings works fine, but some systems are set up to have not received trust store updates and those systems won't work.

3 Likes

(Scrap my previous notion of "not something some obscure Win7 patch can solve".)

Based on petercooperjr's last reply I searched for "trust store updates windows 7", which yields
https://support.microsoft.com/en-us/topic/support-for-urgent-trusted-root-updates-for-windows-root-certificate-program-in-windows-a4ac4d6c-7c62-3b6e-dfd2-377982bf3ea5
and then the version I need (x64):

and this fixes the issue, in both IE11 and Brave browser (and all other Chromium-based browsers, I would imagine).

Prior to this I tried importing certificates (Thejam's reply #32 in this thread) to no avail (it's easy to install, just download the DER versions and double-click, as the article itself doesn't mention a way to install it on 7; it's buried in the comments).

I checked Nummer378's screens to compare with mine (with certification errors on IE11) and I noticed mention of BOTH X1 and X3 in the "Certification Path" tab (the screens he posted) on the malfunctioning system, so I'm inclined to believe that on an unpatched system there is a collision between X1 and X3, i.e. the system doesn't know which path to take and in the end that means a failure to certify the website.
I don't think both can be used at the same time...

This system previously had SP1 applied and the 6 patches that are needed to install IE11 (which I needed in order to try OneDrive on Win7).

Nummer378:

I have even tried a completely clean Win 7 install, installed nothing (just Chrome) - worked out of the box.

Probably after Windows Update finished (and that probably goes for all your VMs too). I doubt it works with naked 7, and even SP1 alone wasn't enough in my case...

We didn't mention Windows 8(.1): it doesn't have this issue, as tried inside my VM.

Job done.

5 Likes

I did not explicitly install updates, though the base image was pretty up to date (about one year old) and I also didn't disable updates.

But Microsoft has a mechanism that can load new roots without having to install a Windows Update - the cert manager can download new roots from the server on demand (lazy loading). However, there is definitely some relationship with Windows Update, because systems where the update servers are blocked also usually don't load new roots (it's probably the same mechanism/server?).

This is an indication that the system does not trust ISRG Root X1, so it tries to build a path up to DST Root CA X3 instead. Systems that trust ISRG Root X1 won't do this.

5 Likes
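The two points made above, that Chromium on Windows 7 defers to the platform verifier (CAPI2), and that a machine without ISRG Root X1 in its root store builds a path up to DST Root CA X3 instead, can be watched directly by driving that same verifier from PowerShell. The script below is an added example, not code posted in this thread. It assumes PowerShell 3 or later on .NET 4.5 or later (Windows 7 ships with an older framework, so the Tls12 value may not exist on a stock install), uses a placeholder hostname, and skips revocation checking so it runs without CRL/OCSP access. The two thumbprints are the ones quoted later in the thread.

```powershell
# Added example (not from the thread): ask the Windows platform verifier (CAPI2), which is
# what Chromium and IE use on Windows 7, which chain it builds for a site and where it ends.
# Assumptions: PowerShell 3+ on .NET 4.5+; the hostname is a placeholder.
function Get-ChainReport {
    param([string]$TargetHost = "example.com")   # hypothetical host; pass your own site

    $IsrgRootX1 = "CABD2A79A1076A31F21D253635CB039D4329A5E8"   # ISRG Root X1 thumbprint (quoted in the thread)
    $DstRootX3  = "DAC9024F54D8F6DF94935FB1732638CA6AD77C13"   # DST Root CA X3 thumbprint (quoted in the thread)

    # Fetch the leaf certificate over TLS. The callback accepts anything here because we are
    # not trusting this connection for content; we only want the certificate, which we then
    # validate ourselves with X509Chain below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # Build the path with this machine's own trust store, exactly as the browser would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($leaf)

    # One row per element, from leaf to root, with the verifier's complaint for that element.
    $rows = foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        $problems = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ","
        if (-not $problems) { $problems = "OK" }
        New-Object PSObject -Property @{
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
            Status     = $problems
        }
    }

    # Which root did the path end at? That is the whole diagnosis on Windows 7.
    $verdict = "no chain elements were built"
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $verdict = switch ($root.Thumbprint) {
            $IsrgRootX1 { "path ends at ISRG Root X1: this machine trusts the current Let's Encrypt root" }
            $DstRootX3  { "path ends at DST Root CA X3 (expired 2021-09-30): ISRG Root X1 is missing from the root store" }
            default     { "path ends at " + $root.Subject }
        }
    }
    Write-Host ("Chain valid: {0}; {1}" -f $valid, $verdict)
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    $rows
}

Get-ChainReport -TargetHost "example.com" | Format-Table Subject, NotAfter, Status -AutoSize
```

On an affected Windows 7 machine the last row is DST Root CA X3 with a NotTimeValid status, which is the error Chrome surfaces as NET::ERR_CERT_DATE_INVALID; on a machine with the root update applied the last row is ISRG Root X1 and the chain is valid. Firefox would show neither, since it never consults this store.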

Hello, I have read through this thread "Windows 7 Chrome - NET::ERR_CERT_DATE_INVALID" as I am having the same issue as of today (10-10-2021). But I am not seeing a solution relating to my situation. I am simply trying to run a Shopify store at https://gregorycox.com/ I am using Chrome 94 Windows 7 Professional.

I am getting this message "Not Secure: Your connection is not private" which seems to only happen using my Laptop. However, my desktop has the same configuration (Chrome 94 Windows 7 Professional) and does not produce this "Not Secure" message.

I have attempted to run the Windows 7 update process which is not working. I understand "support" for Windows 7 has ended. But I saw no reason to close down the update option. Actually, the update did launch but seemed to hang up for more than 24 hours.

As a result I cannot access my store using Chrome. I did some basic troubleshooting: clearing cookies, browser history, rebooting, clearing cache, DNS cache, incognito mode, rebooting, etc, etc. I even uninstalled and re-installed Chrome. I contacted Shopify support, who indicated they had to re-provision the SSL certificate. STILL ... I get this "Not Secure" error using Chrome to access my store.

Is there a solution for this problem? It has consumed a significant amount of time with Shopify support, and I fear I could be losing customers.

1 Like

The IP is being served by CloudFlare:

https://cdn.shopify.com
server: cloudflare
cf-ray: 69c54ed1cfdaef16-MIA

The answer seems to be for the site to use the shorter chain.
How that is done isn't too clear to me.
Do you handle the cert maintenance?
Does Shopify handle the cert maintenance?
Does CloudFlare handle the cert maintenance?

Note: This won't fix your problem when accessing other similar sites. It would only address the problem for any other such clients which are not able to visit your site (securely).

1 Like

Fear not. Your website is working just fine and properly serving your certificate and the associated chain files correctly. The problem only exists with your Windows 7 PC because it is most likely missing a copy of the Let's Encrypt root certificate called ISRG Root X1. For some reason, a lot of old Win 7 PCs are not automatically downloading the certificate like they should be.

If you want to verify whether you have the cert or not, there are two relatively quick methods.

  1. Open PowerShell and run the following command:
Get-Item Cert:\LocalMachine\AuthRoot\CABD2A79A1076A31F21D253635CB039D4329A5E8

If you get an error that mentions "Cannot find path blah...", the cert is missing. Otherwise, it will show some output with a Thumbprint and Subject column.

  2. Open cmd.exe and run the following command:
reg query HKLM\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8

If you get an error about "unable to find the specified registry key...", the cert is missing. Otherwise, it will show a whole bunch of random text output that starts with Blob REG_BINARY.

To fix the problem, you'll need to download a copy of the certificate and install it on your Windows 7 PC. There are two places to download it, both hosted by Let's Encrypt. This one uses HTTPS and you might have to click through a cert warning to get it. This one uses HTTP in case the first one doesn't work.

Once you have the file downloaded, find it in Explorer, right click, and choose Install Certificate. There may be a security warning you have to click through because the file came from the Internet. All of the defaults in the Certificate Import Wizard are fine. Just click Next, Next, and Finish. If the import was successful, reboot your PC and try going to your site again and you should be working.

4 Likes
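The check-then-install procedure in the post above can be done in one PowerShell script, with one extra step a practitioner should insist on when putting anything into a trust store: compare the file's thumbprint against the known ISRG Root X1 value before importing it, so a wrong or tampered download never becomes a trusted root. This is an added example, not code from the thread. It assumes the certificate has already been downloaded to a placeholder path, and that the shell is running as Administrator so it can write to the LocalMachine store (the wizard in the post writes wherever its defaults point; this script always targets LocalMachine\Root).

```powershell
# Added example (not from the thread): is ISRG Root X1 trusted here? If not, import it from
# a downloaded DER/PEM file, but only after verifying the thumbprint quoted in the thread.
# Assumptions: run as Administrator; $CertFile is a placeholder path.
$IsrgRootX1Thumb = "CABD2A79A1076A31F21D253635CB039D4329A5E8"
$CertFile = "C:\Temp\isrgrootx1.der"   # hypothetical path; point it at your download

function Test-RootTrusted {
    param([string]$Thumbprint)
    # AuthRoot is where Microsoft's root-program updates land; Root is where manual imports go.
    # Either location makes the certificate a trust anchor for the platform verifier.
    $stores = @(
        @{ Location = "LocalMachine"; Name = "AuthRoot" },
        @{ Location = "LocalMachine"; Name = "Root" },
        @{ Location = "CurrentUser";  Name = "Root" }
    )
    foreach ($s in $stores) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($s.Name, $s.Location)
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $hit = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
            if ($hit) { return ("{0}\{1}" -f $s.Location, $s.Name) }
        } finally {
            $store.Close()
        }
    }
    return $null
}

function Install-VerifiedRoot {
    param([string]$Path, [string]$ExpectedThumbprint)
    # X509Certificate2 accepts either DER or PEM on disk.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw ("Refusing to import {0}: thumbprint {1} does not match expected {2}" -f $Path, $cert.Thumbprint, $ExpectedThumbprint)
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($cert)
    } finally {
        $store.Close()
    }
    return $cert.Subject
}

$where = Test-RootTrusted -Thumbprint $IsrgRootX1Thumb
if ($where) {
    Write-Host "ISRG Root X1 is already trusted ($where); the browser error has another cause."
} else {
    $subject = Install-VerifiedRoot -Path $CertFile -ExpectedThumbprint $IsrgRootX1Thumb
    Write-Host "Imported '$subject' into LocalMachine\Root. Restart the browser (or reboot) and retry the site."
}
```

Note that a manual import lands in Root, not AuthRoot, so the `Get-Item Cert:\LocalMachine\AuthRoot\...` check from the post will still report the certificate as missing afterwards even though the path now validates; the function above looks in both.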

Maybe not a perfect fit... but this line should show if they have "DST Root CA X3" or "ISRG Root X1".

PowerShell:
Get-Item Cert:\LocalMachine\AuthRoot\*D*5*35*

I get:

Thumbprint                                Subject
----------                                -------
DAC9024F54D8F6DF94935FB1732638CA6AD77C13  CN=DST Root CA X3, O=Digital Signature Trust Co.
CABD2A79A1076A31F21D253635CB039D4329A5E8  CN=ISRG Root X1, O=Internet Security Research Group, C=US
2 Likes

Have you tried my solution above, the Windows 7 patch?

5 Likes

I am currently out of town and have not yet tried the windows 7 patch or any of these excellent suggestions. I definitely will provide an update later this week. Thank You.

2 Likes

I just tried the patch you suggested, and yes, this worked for me. (Windows 7 Pro and Chrome 94.) I had problems updating Windows before but this worked fine after a reboot. Thank you very much.

4 Likes

This works. Thanks.

2 Likes