
Chromium Browsers Rejecting All Let's Encrypt Certificates as Expired or Not Yet Valid

I have this really weird issue that started yesterday, and affects all Let's Encrypt websites on both Chrome and Edge - Firefox is unaffected.

"This certificate has expired or is not yet valid.

Issued to: [domain]
Issued by: R3
Valid from 2021/08/06 to 2021/11/04 (or 2021/09/03 to 2021/12/02 or whatever the case may be - they all cover today's date)

I have been through everything I can think of - double/triple/quadruple checked system time, date and timezone, added sites to trusted zones in Internet Properties, Clear SSL state, cleared cookies and cache, setup a new profile on Chrome, updated Chrome, installed Edge and started with a blank slate (I didn't have it installed until yesterday), deleted the Edge folder in AppData/Local/Microsoft to be 100% sure nothing was imported from Chrome, backed up and done a FULL reinstall on Chrome... and now I'm out of ideas.

Heeeeeeelp :(
 
It’s not a weird issue.

 
It’s not a weird issue.

I found that out two hours ago. Four hours of last night I will never get back, I guess :rolleyes: It's weird that Firefox is unaffected.
 
It's weird that Firefox is unaffected.
Not sure "unaffected" (or "weird") is the correct way to look at this.

From a security standpoint, the Chromium based browsers are protecting their users by blocking potentially insecure sites. So, again, from a security standpoint, the questions should be, "why is the site not using an SSL certificate?" And, "why is Firefox not blocking it?"

It’s not a weird issue.
Or new. There are many examples going back years, like this: Why my site which uses "Let's Encrypt" is marked as "not safe" by Chrome? | DigitalOcean

See also: Certificate Compatibility - Let's Encrypt (letsencrypt.org)
 
It was more or less a rhetorical question. That is, I was not asking why FF was not blocking that specific site at that specific point in time. But rather, why wasn't Firefox updated in a timely manner like Chromium browsers, and/or why aren't those sites being updated in a timely manner?

The world knew several years ago that Google would start blocking these (mixed content and http) sites beginning in January 2020. Here it is in October 2021. There should be no more active sites that still use http and there should be no browsers that allow access to sites that do not support https.

If the sites have not been updated, that's on the site administrators/owners for failing to properly do their jobs. If the Firefox/Mozilla certificates stores are not being updated on timely basis, then that is on the admins at Mozilla.

Once a certificate is issued, it should only be a matter of a few hours before that information is propagated and updated worldwide.
 
You are talking about a completely different thing.
OP has checked that on those pages certificates are not expired but the system is missing part of the chain to the certificate - the new Let's Encrypt root certificate - ISRG Root X1 (which should have come with Windows Update).
Firefox (having its own certificate store) downloaded the root certificate during some update. That's why some ppl have issues with all browsers that are using the Windows certificate store and the same sites work in Firefox.
This is really all about missing one part of the certificate chain in the client OS and has nothing to do with blocking non SSL sites - ofc I am talking only about the client side.
 
You are talking about a completely different thing.
No I'm not. I am generalizing.
OP has checked that SSL on those pages certificates are not expired but the system is missing part of the chain to the certificate
Which suggests something has not been properly updated in a timely manner - suggesting a human error, not a simple bug or corrupt file at a single location. That's what I am talking about.

I note the OP said, "all Let's Encrypt websites". So it is not just some one-off exception.

@[XC] Oj101 - Are you still having the problem? And if so, please provide a link or two to affected sites so we can test from our sides.
 
No I'm not. I am generalizing.

Which suggests something has not been properly updated in a timely manner - suggesting a human error, not a simple bug or corrupt file at a single location. That's what I am talking about.

I note the OP said, "all Let's Encrypt websites". So it is not just some one-off exception.

@[XC] Oj101 - Are you still having the problem? And if so, please provide a link or two to affected sites so we can test from our sides.
I actually managed to fix it by doing the following:
  • Start -> certmgr.msc
  • Trusted Root Certification Authorities
  • Delete "DST Root CA X3"
  • Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.der
  • Install it (by double clicking) and make sure to select "Place all certificates in the following store: Trusted Root Certification Authorities"
I've since used this to fix the issue for many Windows 7 users. If you can think of a site, 95% chance it wasn't working - even some big vendor sites such as msi.com.
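
The manual steps in the post above, scripted with a check of the downloaded file before it is trusted as a root. This is an added example, not part of the original post: the script name, the `-ExpectedSha256` parameter and the default file path are assumptions, and it only reports on "DST Root CA X3" rather than deleting it.

```powershell
# Added example (hypothetical script name: Add-IsrgRootX1.ps1).
# Assumes isrgrootx1.der is in the current directory and that -ExpectedSha256
# is the certificate's SHA-256 fingerprint, obtained out of band from a source
# you already trust (for example a machine that is not affected).
param(
    [string]$DerPath = '.\isrgrootx1.der',
    [Parameter(Mandatory = $true)][string]$ExpectedSha256
)

function Show-LetsEncryptRoots {
    # Report both roots named in the thread and whether each has expired.
    Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match 'DST Root CA X3|ISRG Root X1' } |
        Select-Object Subject, NotAfter, Thumbprint,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
        Format-List
}

Show-LetsEncryptRoots

# Parse the downloaded file without trusting it yet.
$file = (Resolve-Path $DerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# SHA-256 over the DER encoding is the certificate fingerprint.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()

# Refuse to add anything that is not the root we expect.
if ($cert.Subject -notmatch 'CN=ISRG Root X1') { throw "Unexpected subject: $($cert.Subject)" }
if ($cert.Subject -ne $cert.Issuer)            { throw 'Subject and issuer differ: not a root certificate.' }
if ($cert.NotAfter -lt (Get-Date))             { throw "Certificate expired on $($cert.NotAfter)." }
if ($actual -ne $expected)                     { throw "Fingerprint mismatch: file has $actual" }

# Same effect as the import wizard step: add to the current user's root store.
certutil.exe -user -addstore Root $file
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

Show-LetsEncryptRoots
```

It uses only .NET classes and `certutil`, so it also runs on the PowerShell 2.0 that ships with Windows 7, where `Import-Certificate` is not available.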
 
Hmmm, just checking that entry on this W10 system, it shows DST Root CA X3 expired 9/30/2021. It is not unusual to find expired certs there, but it does seem odd it expired on the same day you said your problem started.

I wonder what would have happened had you simply deleted the old, and not installed the new one?

Oh well.

Thanks for the update.
 
Same like on my Blackberry, block DST :toast:
 
Switch to firefox, Chrome is like internet explorer anymore...
 
Switch to firefox, Chrome is like internet explorer anymore...
And internet explorer is now edge which is literally based on chrome... so world's crazy now.
 
And internet explorer is now edge which is literally based on chrome... so world's crazy now.
Yeah chrome is bloatware now.
 
I actually managed to fix it by doing the following:
  • Start -> certmgr.msc
  • Trusted Root Certification Authorities
  • Delete "DST Root CA X3"
  • Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.der
  • Install it (by double clicking) and make sure to select "Place all certificates in the following store: Trusted Root Certification Authorities"
I've since used this to fix the issue for many Windows 7 users. If you can think of a site, 95% chance it wasn't working - even some big vendor sites such as msi.com.
Thank you for your post. I had the same problem and I managed to solve it following your instructions :)
 
Switch to firefox, Chrome is like internet explorer anymore...
Firefox has a massive memory leak, and has had for quite a while. Once you've had more than +/- 200 tabs open (I run an online IT retail company full-time, between following tickets, orders, vendor product pages to get specs for stock being added, WhatsApp Web, social media (:(), supplier stock feeds, monitoring surveillance, and my personal browsing in my free time (such as this, following the news, playing music on YouTube, etc), 200 tabs isn't uncommon) it just falls apart.

Right now I have Chrome running across 7 windows with up to 28 tabs per window - memory usage is insane but everything is responsive. With Firefox, everything starts lagging badly and mouse clicks can take 5+ seconds to register or fail to register at all. Closing all tabs but one leaves CPU usage at 50% and memory usage over 10GB, meaning that when things slow down I literally have to close everything and reopen. Restoring a session is an option, but when I'm busy I don't have time to do that every 3-5 minutes.

Chrome isn't free of leaks (if I close everything but one tab, memory usage will stay at 4GB+), but it never slows down and becomes unusable the way Firefox does.

I would love to free myself of Chrome, but it's not feasible for my workload.

I would also love to move to Windows 7 which would have avoided this entire issue, but some archaic hardware and software I use doesn't work (either doesn't work properly, or at all) on anything newer. Some of the software was custom developed and I no longer have contact with the dev or access to the source code, so it would need to be rewritten which is an expense I'm not ready to face right now - not with the economy the way it is.

On another note, I miss Opera (before it became another skinned Chrome).



Never more than 3GB memory used, even with over 1,000 tabs open. Don't ask how I used to find anything, I just "did" :P
 
I think the original LE root cert is planned to expire, they made a new one a while back which everyone should be switched to now.

Those of you who have browsers that don't trust the new root, have you not been installing Windows updates or something?

All my sites I switched to the new root over a year ago.
 
I think the original LE root cert is planned to expire, they made a new one a while back which everyone should be switched to now.

Those of you who have browsers that don't trust the new root, have you not been installing Windows updates or something?

All my sites I switched to the new root over a year ago.
He said it was on Windows 7 machines so that explains it.
 
And internet explorer is now edge which is literally based on chrome... so world's crazy now.
Based on Chromium - that is not the same as based on Chrome, which is also based on Chromium. They are certainly similar, but more different than alike, IMO. But that's for a different discussion.
 
Based on Chromium - that is not the same as based on Chrome, which is also based on Chromium. They are certainly similar, but more different than alike, IMO. But that's for a different discussion.
Yeah. Same render engine.
 
Not sure "unaffected" (or "weird") is the correct way to look at this.

From a security standpoint, the Chromium based browsers are protecting their users by blocking potentially insecure sites. So, again, from a security standpoint, the questions should be, "why is the site not using an SSL certificate?" And, "why is Firefox not blocking it?"


Or new. There are many examples going back years, like this: Why my site which uses "Let's Encrypt" is marked as "not safe" by Chrome? | DigitalOcean

See also: Certificate Compatibility - Let's Encrypt (letsencrypt.org)

It's not even just a Let's Encrypt issue.


This literally just happens. The whole chain authority incident is because of old OS compatibility. Apple had this issue in 2019 as well and it broke safari on some sites and they corrected it.

Letsencrypt didn't do anything wrong, this is only hot because they are used the most for securing websites because they are free.
 
Letsencrypt didn't do anything wrong, this is only hot because they are used the most for securing websites because they are free.
If only people realized that you get what you pay for. :laugh:
 
If only people realized that you get what you pay for. :laugh:
I'm not sure there is actually any more encryption with my GeoTrust EV cert than a free Let's Encrypt cert. They both use 256-bit encryption. For me it's more about customer ease of mind, as fly-by-nights and scammers are a dime a dozen in South Africa since Covid. Anyone can get domain validation, extended validation has a fairly in-depth vetting process.

Hell, I didn't even need to do domain validation for my first (Let's Encrypt) cert. GeoTrust included domain validation via email, a letter from my attorneys, a phone call from DigiCert and who knows what else they did. I even had an issue where my business is listed under its "trading as" name on Google and not under its registered name, it's not listed correctly on BBB (which appears to be blocked from SA (it just displays 403 Forbidden)), and Dun & Bradstreet had my location listed simply as "South Africa."
 