Your favourite app suddenly failed to log you in, or refused to connect? Or a website you are visiting regularly is throwing a warning message that your connection is not private? Of course, your system or device was not updated recently, and you didn’t change any settings. Well, you are not alone, and it is much easier than expected to fix these issues!
Common errors and messages:
- On most browsers (except Firefox v50 and later):
Your connection is not private
Attackers might be trying to steal your information from mybeautifulwebsite.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_DATE_INVALID
- On desktop or mobile applications (native, or wrapping a web application):
Login failed try again...
- Looking at the web console, you may see this error: GET https://mybeautifulapp.com/ Failed to load resource: net::ERR_INSECURE_RESPONSE
How to test and confirm the issue
- Opening the web console in a desktop app should be the first thing to do. It is like when I develop and debug a website, I will remember that from now on!! It is usually the same keyboard shortcut as in a browser, like Cmd-Alt-I on Firefox and Chrome for Mac.
- “Browsers (Chrome, Safari, Edge, Opera) generally trust the same root certificates as the operating system they are running on. Firefox is the exception: it has its own root store. Soon, new versions of Chrome will also have their own root store.” states the Let’s Encrypt page.
So for a quick test and confirmation: any Firefox version 50 or later should not have this issue, so comparing the same website in Firefox and in another browser on the same device saves a lot of time, for any user.
An expired Root certificate is the root cause
The IdenTrust DST Root CA X3 expired on 30th September 2021. From October 2021 onwards, only those platforms that trust ISRG Root X1 will validate Let’s Encrypt certificates.
Short explanation and list of affected platforms:
https://letsencrypt.org/docs/certificate-compatibility/
For a well documented and detailed explanation, please read Scott Helme's post Let's Encrypt's Root Certificate is expiring!
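To make the test above and the root cause concrete, here is an added example (not code from the original post or from Let's Encrypt) that inspects a root store the way Python's ssl module exposes it, reports whether an unexpired ISRG Root X1 is present and whether DST Root CA X3 is expired, and then runs the same check on the local default context. The sample store entries are constructed to mimic get_ca_certs() output; the "now" argument is an assumption of this example, taking a cert-style time string so past and present dates can be compared.

```python
import ssl
import time

# Roots discussed above: the expired IdenTrust root and its replacement.
DST_ROOT_CA_X3 = "DST Root CA X3"
ISRG_ROOT_X1 = "ISRG Root X1"

def common_name(name):
    """Pull commonName out of the nested ((key, value),) tuples ssl uses."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def assess_trust_store(ca_certs, now=None):
    """Classify root certs given in the dict shape of SSLContext.get_ca_certs().
    'now' is a cert-style time string ("Oct 01 00:00:00 2021 GMT") or None for the current time."""
    now_ts = ssl.cert_time_to_seconds(now) if now else time.time()
    report = {"isrg_root_x1_trusted": False, "dst_root_ca_x3_expired": False, "expired_roots": []}
    for cert in ca_certs:
        cn = common_name(cert.get("subject", ()))
        expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now_ts
        if expired:
            report["expired_roots"].append(cn)
        if cn == ISRG_ROOT_X1 and not expired:
            report["isrg_root_x1_trusted"] = True   # chains to ISRG Root X1 will validate
        if cn == DST_ROOT_CA_X3 and expired:
            report["dst_root_ca_x3_expired"] = True  # the symptom behind ERR_CERT_DATE_INVALID
    return report

def verdict(report):
    """One-line conclusion matching the symptoms in the post."""
    if report["isrg_root_x1_trusted"]:
        return "ok: ISRG Root X1 trusted, Let's Encrypt chains validate"
    if report["dst_root_ca_x3_expired"]:
        return "broken: only expired DST Root CA X3 present, install and trust ISRG Root X1"
    return "unknown: no Let's Encrypt root found in this store"

# Constructed sample entries mimicking get_ca_certs() output (not real certificate exports).
LEGACY_STORE = [{"subject": ((("organizationName", "Digital Signature Trust Co."),),
                             (("commonName", DST_ROOT_CA_X3),)),
                 "notAfter": "Sep 30 14:01:15 2021 GMT"}]
UPDATED_STORE = LEGACY_STORE + [{"subject": ((("organizationName", "Internet Security Research Group"),),
                                             (("commonName", ISRG_ROOT_X1),)),
                                 "notAfter": "Jun 04 11:04:38 2035 GMT"}]

def check_system_store(now=None):
    """Run the same check against the roots Python's default context loaded."""
    ctx = ssl.create_default_context()
    return verdict(assess_trust_store(ctx.get_ca_certs(), now))

if __name__ == "__main__":
    print(check_system_store())
```

On macOS and Windows, Python's default context does not necessarily mirror the operating system keychain, so an empty store reads as "unknown" there; the browser comparison described above remains the reliable check for those platforms.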
Solutions and tips
The solutions and most of the issues and tips are in this large Let’s Encrypt community forum thread; just search the thread or browse the titles of the split topics to find your situation:
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/1
For the case I tested when the issue started, I just followed what was relevant on this thread by Sean McBride: installing and trusting the new ISRG Root X1 cert.
https://community.letsencrypt.org/t/connection-errors-on-apple-devices/161107/25
I have updated the root certificate from the Let's Encrypt website. There are many other blog posts on the web, with other URLs to download a new certificate, but I prefer to be sure and go to a reliable source on such a sensitive issue.
https://letsencrypt.org/certs/isrgrootx1.der
If, like me, you have different versions of systems / devices, for testing and developing software, it would be worth checking if they are lacking the certificate update (thanks to Apple, Google, Microsoft, and co. for NOT taking care of customers with older "legacy" systems).
Credits and thanks
Thanks Alex, with the PomoDone App team! I summarised my findings with them; please share their blog post with any other person facing the issue!
If you need a great application to help your Pomodoro Technique ® daily, look no further! https://pomodoneapp.com/
Thank you to the people who posted about this issue well in advance. Unfortunately they were overlooked or unknown to non-security experts, including me, humble and happy user of Let’s Encrypt certificates. And indirectly, including many users of apps and free software relying on security certificates.
Thanks to Scott Helme for the expertise and to hoakley @ The Eclectic Light Company for posting about the issue.
Finally, thank you to the Let’s Encrypt team and community, for supporting a more secure and privacy-respecting Web!