
Chromium Browsers Rejecting All Let's Encrypt Certificates as Expired or Not Yet Valid

Joined
Jan 23, 2012
Messages
306 (0.09/day)
Location
South Africa
I have this really weird issue that started yesterday, and affects all Let's Encrypt websites on both Chrome and Edge - Firefox is unaffected.

"This certificate has expired or is not yet valid.

Issued to: [domain]
Issued by: R3
Valid from 2021/ 08/ 06 to 2021/ 11/ 04 (or 2021/ 09/ 03 to 2021/ 12/ 02 or whatever the case may be - they all cover today's date)

I have been through everything I can think of - double/triple/quadruple checked system time, date and timezone, added sites to trusted zones in Internet Properties, cleared SSL state, cleared cookies and cache, set up a new profile on Chrome, updated Chrome, installed Edge and started with a blank slate (I didn't have it installed until yesterday), deleted the Edge folder in AppData/Local/Microsoft to be 100% sure nothing was imported from Chrome, backed up and done a FULL reinstall on Chrome... and now I'm out of ideas.

Heeeeeeelp :(
 

Solaris17

Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
22,592 (3.80/day)
Location
Florida
Joined
Jan 23, 2012
Messages
306 (0.09/day)
Location
South Africa
Joined
Jul 25, 2006
Messages
9,177 (1.64/day)
Location
Nebraska, USA
It's weird that Firefox is unaffected.
Not sure "unaffected" (or "weird") is the correct way to look at this.

From a security standpoint, the Chromium based browsers are protecting their users by blocking potentially insecure sites. So, again, from a security standpoint, the questions should be, "why is the site not using an SSL certificate?" And, "why is Firefox not blocking it?"

It’s not a weird issue.
Or new. There are many examples going back years, like this: Why my site which uses "Let's Encrypt" is marked as "not safe" by Chrome? | DigitalOcean

See also: Certificate Compatibility - Let's Encrypt (letsencrypt.org)
 
Joined
Jul 25, 2006
Messages
9,177 (1.64/day)
Location
Nebraska, USA
It was more or less a rhetorical question. That is, I was not asking why FF was not blocking that specific site at that specific point in time. But rather, why wasn't Firefox updated in a timely manner like Chromium browsers, and/or why aren't those sites being updated in a timely manner?

The world knew several years ago that Google would start blocking these (mixed content and http) sites beginning in January 2020. Here it is in October 2021. There should be no more active sites that still use http and there should be no browsers that allow access to sites that do not support https.

If the sites have not been updated, that's on the site administrators/owners for failing to properly do their jobs. If the Firefox/Mozilla certificates stores are not being updated on a timely basis, then that is on the admins at Mozilla.

Once a certificate is issued, it should only be a matter of a few hours before that information is propagated and updated worldwide.
 
Joined
Mar 15, 2021
Messages
30 (0.12/day)
You are talking about a completely different thing.
OP has checked that on those pages certificates are not expired but the system is missing part of the chain to the certificate - the new Let's Encrypt root certificate - ISRG Root X1 (which should have come with Windows Update).
Firefox (having its own certificate store) downloaded the root certificate during some update. That's why some ppl have issues with all browsers that are using the Windows certificate store and the same sites work in Firefox.
This is really all about missing one part of the certificate chain in the client OS and has nothing to do with blocking non-SSL sites - ofc I am talking only about the client side.
 
Joined
Jul 25, 2006
Messages
9,177 (1.64/day)
Location
Nebraska, USA
You are talking about a completely different thing.
No I'm not. I am generalizing.
OP has checked that SSL on those pages certificates are not expired but the system is missing part of the chain to the certificate
Which suggests something has not been properly updated in a timely manner - suggesting a human error, not a simple bug or corrupt file at a single location. That's what I am talking about.

I note the OP said, "all Let's Encrypt websites". So it is not just some one-off exception.

@[XC] Oj101 - Are you still having the problem? And if so, please provide a link or two to affected sites so we can test from our sides.
 
Joined
Jan 23, 2012
Messages
306 (0.09/day)
Location
South Africa
No I'm not. I am generalizing.

Which suggests something has not been properly updated in a timely manner - suggesting a human error, not a simple bug or corrupt file at a single location. That's what I am talking about.

I note the OP said, "all Let's Encrypt websites". So it is not just some one-off exception.

@[XC] Oj101 - Are you still having the problem? And if so, please provide a link or two to affected sites so we can test from our sides.
I actually managed to fix it by doing the following:
  • Start -> certmgr.msc
  • Trusted Root Certification Authorities
  • Delete "DST Root CA X3"
  • Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.der
  • Install it (by double clicking) and make sure to select "Place all certificates in the following store: Trusted Root Certification Authorities"
I've since used this to fix the issue for many Windows 7 users. If you can think of a site, 95% chance it wasn't working - even some big vendor sites such as msi.com.
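
The steps in the post above add a new trust anchor to Windows, so the downloaded file should be confirmed to be ISRG Root X1 before it is trusted. The following PowerShell is an added example, not part of any post in this thread; the download path, the fingerprint placeholder, the `-Import` switch and the function names `Get-RootStatus` and `Test-RootCandidate` are assumptions made for illustration.

```powershell
# Added example, not from the thread. Reports both roots as the Windows store
# sees them, then imports the downloaded file only if every check passes.
# Uses .NET classes only, so it also runs on Windows 7's PowerShell 2.0.
param(
    # Assumed location of the file downloaded in the steps above.
    [string]$DerPath = "$env:USERPROFILE\Downloads\isrgrootx1.der",
    # PLACEHOLDER, not a real value: the SHA-256 fingerprint of ISRG Root X1,
    # read from Let's Encrypt's site on a device that already trusts it.
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-OF-ISRG-ROOT-X1>',
    # Without this switch the script only reports and changes nothing.
    [switch]$Import
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

# List matching roots in CurrentUser\Root, the store certmgr.msc opens.
function Get-RootStatus([string]$CommonName) {
    $pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
    $store = New-Object "$X509.X509Store" ('Root', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        $store.Certificates | Where-Object { $_.Subject -match $pattern } |
            Select-Object Subject, NotAfter, Thumbprint,
                @{n='Expired'; e={ $_.NotAfter -lt (Get-Date) }}
    } finally { $store.Close() }
}

# Check that a candidate file is the self-signed, currently valid ISRG Root X1
# and that its SHA-256 fingerprint equals the independently obtained value.
function Test-RootCandidate($Cert, [string]$Expected) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $actual = [System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', ''
    $want   = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()
    $now    = Get-Date
    New-Object PSObject -Property @{
        SubjectIsX1   = $Cert.Subject -match 'CN=ISRG Root X1(,|$)'
        SelfSigned    = $Cert.Subject -eq $Cert.Issuer
        InValidity    = ($Cert.NotBefore -le $now) -and ($now -le $Cert.NotAfter)
        FingerprintOk = ($want.Length -eq 64) -and ($actual -eq $want)
        ActualSha256  = $actual
    }
}

Get-RootStatus 'DST Root CA X3' | Format-List | Out-Host
Get-RootStatus 'ISRG Root X1'   | Format-List | Out-Host

$cert  = New-Object "$X509.X509Certificate2" ((Resolve-Path $DerPath).ProviderPath)
$check = Test-RootCandidate $cert $ExpectedSha256
$check | Format-List | Out-Host

if (-not ($check.SubjectIsX1 -and $check.SelfSigned -and
          $check.InValidity -and $check.FingerprintOk)) {
    Write-Warning 'Checks failed: not importing this file as a trusted root.'
    return
}
if ($Import) {
    $store = New-Object "$X509.X509Store" ('Root', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Host 'ISRG Root X1 added to CurrentUser\Root.'
}
```

With the placeholder left in place the fingerprint check fails and nothing is imported, so the script can be run first as a read-only report of which of the two roots the Windows store currently holds and whether either has expired.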
 
Joined
Jul 25, 2006
Messages
9,177 (1.64/day)
Location
Nebraska, USA
Hmmm, just checking that entry on this W10 system, it shows DST Root CA X3 expired 9/30/2021. It is not unusual to find expired certs there, but it does seem odd it expired on the same day you said your problem started.

I wonder what would have happened had you simply deleted the old, and not installed the new one?

Oh well.

Thanks for the update.
 
Joined
Oct 23, 2020
Messages
351 (0.87/day)
Location
Austria
Same like on my Blackberry, block DST :toast:
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
33,200 (6.31/day)
Location
Republic of Texas (True Patriot)
Switch to firefox, Chrome is like internet explorer anymore...
 
Joined
Aug 20, 2007
Messages
16,504 (3.16/day)
Switch to firefox, Chrome is like internet explorer anymore...
And internet explorer is now edge which is literally based on chrome... so world's crazy now.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
33,200 (6.31/day)
Location
Republic of Texas (True Patriot)
And internet explorer is now edge which is literally based on chrome... so world's crazy now.
Yeah chrome is bloatware now.
 

Jozy

New Member
Joined
Oct 19, 2021
Messages
1 (0.02/day)
I actually managed to fix it by doing the following:
  • Start -> certmgr.msc
  • Trusted Root Certification Authorities
  • Delete "DST Root CA X3"
  • Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.der
  • Install it (by double clicking) and make sure to select "Place all certificates in the following store: Trusted Root Certification Authorities"
I've since used this to fix the issue for many Windows 7 users. If you can think of a site, 95% chance it wasn't working - even some big vendor sites such as msi.com.
Thank you for your post. I had the same problem and I managed to solve it following your instructions :)
 
Joined
Jan 23, 2012
Messages
306 (0.09/day)
Location
South Africa
Switch to firefox, Chrome is like internet explorer anymore...
Firefox has a massive memory leak, and has had for quite a while. Once you've had more than +/- 200 tabs open (I run an online IT retail company full-time, between following tickets, orders, vendor product pages to get specs for stock being added, WhatsApp Web, social media :)(), supplier stock feeds, monitoring surveillance, and my personal browsing in my free time (such as this, following the news, playing music on YouTube, etc), 200 tabs isn't uncommon) it just falls apart.

Right now I have Chrome running across 7 windows with up to 28 tabs per window - memory usage is insane but everything is responsive. With Firefox, everything starts lagging badly and mouse clicks can take 5+ seconds to register or fail to register at all. Closing all tabs but one leaves CPU usage at 50% and memory usage over 10GB, meaning that when things slow down I literally have to close everything and reopen. Restoring a session is an option, but when I'm busy I don't have time to do that every 3-5 minutes.

Chrome isn't free of leaks (if I close everything but one tab, memory usage will stay at 4GB+), but it never slows down and becomes unusable the way Firefox does.

I would love to free myself of Chrome, but it's not feasible for my workload.

I would also love to move to Windows 7 which would have avoided this entire issue, but some archaic hardware and software I use doesn't work (either doesn't work properly, or at all) on anything newer. Some of the software was custom developed and I no longer have contact with the dev or access to the source code, so it would need to be rewritten which is an expense I'm not ready to face right now - not with the economy the way it is.

On another note, I miss Opera (before it became another skinned Chrome).

tabs.png


Never more than 3GB memory used, even with over 1,000 tabs open. Don't ask how I used to find anything, I just "did" :p
 
Joined
Feb 1, 2019
Messages
308 (0.30/day)
Location
UK, Leicester
I think the original LE root cert is planned to expire, they made a new one a while back which everyone should be switched to now.

Those of you who have browsers that don't trust the new root, have you not been installing windows updates or something?

All my sites I switched to the new root over a year ago.
 
Joined
Aug 20, 2007
Messages
16,504 (3.16/day)
Joined
Mar 15, 2021
Messages
30 (0.12/day)
I think the original LE root cert is planned to expire, they made a new one a while back which everyone should be switched to now.

Those of you who have browsers that don't trust the new root, have you not been installing windows updates or something?

All my sites I switched to the new root over a year ago.
He said it was on Windows 7 machines so that explains it.
 
Joined
Jul 25, 2006
Messages
9,177 (1.64/day)
Location
Nebraska, USA
And internet explorer is now edge which is literally based on chrome... so world's crazy now.
Based on Chromium - that is not the same as based on Chrome, which is also based on Chromium. They are certainly similar, but more different than alike, IMO. But that's for a different discussion.
 
Joined
Aug 20, 2007
Messages
16,504 (3.16/day)
Based on Chromium - that is not the same as based on Chrome, which is also based on Chromium. They are certainly similar, but more different than alike, IMO. But that's for a different discussion.
Yeah. Same render engine.
 

Solaris17

Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
22,592 (3.80/day)
Location
Florida
Not sure "unaffected" (or "weird") is the correct way to look at this.

From a security standpoint, the Chromium based browsers are protecting their users by blocking potentially insecure sites. So, again, from a security standpoint, the questions should be, "why is the site not using an SSL certificate?" And, "why is Firefox not blocking it?"


Or new. There are many examples going back years, like this: Why my site which uses "Let's Encrypt" is marked as "not safe" by Chrome? | DigitalOcean

See also: Certificate Compatibility - Let's Encrypt (letsencrypt.org)

It's not even just a Let's Encrypt issue.


This literally just happens. The whole chain authority incident is because of old OS compatibility. Apple had this issue in 2019 as well and it broke safari on some sites and they corrected it.

Letsencrypt didn't do anything wrong, this is only hot because they are used the most for securing websites because they are free.
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
12,424 (3.46/day)
Location
Concord, NH
Letsencrypt didn't do anything wrong, this is only hot because they are used the most for securing websites because they are free.
If only people realized that you get what you pay for. :laugh:
 
Joined
Jan 23, 2012
Messages
306 (0.09/day)
Location
South Africa
If only people realized that you get what you pay for. :laugh:
I'm not sure there is actually any more encryption with my GeoTrust EV cert than a free Let's Encrypt cert. They both use 256-bit encryption. For me it's more about customer ease of mind, as fly-by-nights and scammers are a dime a dozen in South Africa since Covid. Anyone can get domain validation, extended validation has a fairly in-depth vetting process.

Hell, I didn't even need to do domain validation for my first (Let's Encrypt) cert. GeoTrust included domain validation via email, a letter from my attorneys, a phone call from DigiCert and who knows what else they did. I even had an issue where my business is listed under its "trading as" name on Google and not under its registered name, it's not listed correctly on BBB (which appears to be blocked from SA (it just displays 403 Forbidden)), and Dun & Bradstreet had my location listed simply as "South Africa."
 