# Chromium Browsers Rejecting All Let's Encrypt Certificates as Expired or Not Yet Valid



## [XC] Oj101 (Oct 1, 2021)

I have this really weird issue that started yesterday, and affects all Let's Encrypt websites on both Chrome and Edge - Firefox is unaffected.

"This certificate has expired or is not yet valid.

Issued to: [domain]
Issued by: R3
Valid from 2021/08/06 to 2021/11/04" (or 2021/09/03 to 2021/12/02 or whatever the case may be - they all cover today's date)

I have been through everything I can think of - double/triple/quadruple checked system time, date and timezone, added sites to trusted zones in Internet Properties, Clear SSL state, cleared cookies and cache, setup a new profile on Chrome, updated Chrome, installed Edge and started with a blank slate (I didn't have it installed until yesterday), deleted the Edge folder in AppData/Local/Microsoft to be 100% sure nothing was imported from Chrome, backed up and done a FULL reinstall on Chrome... and now I'm out of ideas.

Heeeeeeelp


----------



## Solaris17 (Oct 1, 2021)

It’s not a weird issue.

Let’s Encrypt Root Certificate Expiration: Will You Be Impacted? | Venafi (www.venafi.com)

Explore the impact of Let’s Encrypt retiring its root certificate, and how organizations without automation or machine identity management could be affected.


----------



## [XC] Oj101 (Oct 1, 2021)

Solaris17 said:


> It’s not a weird issue.
> 
> 
> 
> ...


I found that out two hours ago. Four hours of last night I will never get back, I guess. It's weird that Firefox is unaffected.


----------



## Bill_Bright (Oct 1, 2021)

[XC] Oj101 said:


> It's weird that Firefox is unaffected.


Not sure "unaffected" (or "weird") is the correct way to look at this. 

From a security standpoint, the Chromium based browsers are protecting their users by blocking potentially insecure sites. So, again, from a security standpoint, the questions should be, "why is the site not using an SSL certificate?" And, "why is Firefox not blocking it?"



Solaris17 said:


> It’s not a weird issue.


Or new. There are many examples going back years, like this: Why my site which uses "Let's Encrypt" is marked as "not safe" by Chrome? | DigitalOcean

See also: Certificate Compatibility - Let's Encrypt (letsencrypt.org)


----------



## Superzuber (Oct 1, 2021)

Bill_Bright said:


> "why is Firefox not blocking it?"


Firefox uses its own certificate store by default, so the new root certificate for Let's Encrypt was downloaded with Firefox updates.


----------



## Bill_Bright (Oct 1, 2021)

It was more or less a rhetorical question. That is, I was not asking why FF was not blocking that specific site at that specific point in time. But rather, why wasn't Firefox updated in a timely manner like Chromium browsers, and/or why aren't those sites being updated in a timely manner? 

The world knew several years ago that Google would start blocking these (mixed content and http) sites beginning in January 20*20*. Here it is in October 20*21*. There should be no more active sites that still use http and there should be no browsers that allow access to sites that do not support https. 

If the sites have not been updated, that's on the site administrators/owners for failing to properly do their jobs. If the Firefox/Mozilla certificates stores are not being updated on timely basis, then that is on the admins at Mozilla. 

Once a certificate is issued, it should only be a matter of a few hours before that information is propagated and updated worldwide.


----------



## Superzuber (Oct 1, 2021)

You are talking about a completely different thing.
The OP has checked that on those pages the certificates are not expired, but the system is missing part of the chain to the certificate: the new Let's Encrypt root certificate, ISRG Root X1 (which should come with Windows Update).
Firefox (having its own certificate store) downloaded the root certificate during some update. That's why some people have issues with all browsers that use the Windows certificate store while the same sites work in Firefox.
This is really all about one missing part of the certificate chain in the client OS and has nothing to do with blocking non-SSL sites; of course I am talking only about the client side.


----------



## Bill_Bright (Oct 1, 2021)

Superzuber said:


> You are talking about completely different thing.


No I'm not. I am generalizing. 


Superzuber said:


> OP has checked that SSL on those pages certificates are not expired but the system is missing part of the chain to the certificate


Which suggests something has not been properly updated in a timely manner - suggesting a human error, not a simple bug or corrupt file at a single location.  That's what I am talking about.

I note the OP said, "*all* Let's Encrypt websites". So it is not just some one-off exception. 

@[XC] Oj101 - Are you still having the problem? And if so, please provide a link or two to affected sites so we can test from our sides.


----------



## [XC] Oj101 (Oct 18, 2021)

Bill_Bright said:


> No I'm not. I am generalizing.
> 
> Which suggests something has not been properly updated in a timely manner - suggesting a human error, not a simple bug or corrupt file at a single location.  That's what I am talking about.
> 
> ...


I actually managed to fix it by doing the following:

1. Start -> certmgr.msc
2. Trusted Root Certification Authorities
3. Delete "DST Root CA X3"
4. Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.der
5. Install it (by double clicking) and make sure to select "Place all certificates in the following store: Trusted Root Certification Authorities"

I've since used this to fix the issue for many Windows 7 users. If you can think of a site, 95% chance it wasn't working, even some big vendor sites such as msi.com.
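
One way to audit and apply that change across many machines, as an added PowerShell example that is not from the thread: it lists every DST Root CA X3 and ISRG Root X1 entry in both Windows root stores (the missing chain part Superzuber describes above), and with -Fix performs the same delete-and-install as the certmgr.msc steps, but only after the downloaded file's SHA-1 fingerprint matches the one you pass in. It assumes isrgrootx1.der was downloaded from the URL in the post, an elevated prompt, and that you replace the placeholder -ExpectedThumbprint with the fingerprint published on letsencrypt.org (until then -Fix deliberately refuses to install).

```powershell
# Added example, not code from the thread: audit the Windows root stores for the expired
# DST Root CA X3 and for ISRG Root X1; -Fix mirrors the manual certmgr.msc steps machine-wide.
# Uses .NET X509Store directly so it also runs on Windows 7 (PowerShell 2.0, no PKI module).
# -ExpectedThumbprint is a placeholder: supply the SHA-1 fingerprint from letsencrypt.org.
param(
    [switch]$Fix,
    [string]$DerPath = '.\isrgrootx1.der',
    [string]$ExpectedThumbprint = 'PLACEHOLDER_SHA1_FINGERPRINT_FROM_LETSENCRYPT_ORG'
)
$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-LeRootStatus {
    # Report every DST Root CA X3 / ISRG Root X1 entry in the machine and user Root stores.
    $rows = @()
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'Root', $location
        $store.Open('ReadOnly')
        foreach ($c in $store.Certificates) {
            if ($c.Subject -like '*CN=DST Root CA X3*' -or $c.Subject -like '*CN=ISRG Root X1*') {
                $rows += New-Object PSObject -Property @{
                    Store = $location; Subject = $c.Subject; NotAfter = $c.NotAfter
                    Expired = ($c.NotAfter -lt (Get-Date)); Thumbprint = $c.Thumbprint
                }
            }
        }
        $store.Close()
    }
    return $rows
}

function Repair-LeRootStore([string]$Der, [string]$Expected) {
    # Refuse to trust the file unless its fingerprint matches the one published by Let's Encrypt.
    $new = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $Der
    if ($new.Thumbprint -ne $Expected.Replace(' ', '').ToUpper()) {
        throw "Fingerprint of $Der is $($new.Thumbprint), expected $Expected; not installing."
    }
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    # @() snapshots the collection so removing entries does not disturb the enumeration.
    foreach ($c in @($store.Certificates | Where-Object { $_.Subject -like '*CN=DST Root CA X3*' -and $_.NotAfter -lt (Get-Date) })) {
        $store.Remove($c)   # the root that expired on 2021-09-30
    }
    if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $new.Thumbprint })) {
        $store.Add($new)    # no-op if ISRG Root X1 is already present
    }
    $store.Close()
}

Get-LeRootStatus | Format-Table Store, Subject, NotAfter, Expired -AutoSize
if ($Fix) { Repair-LeRootStore -Der $DerPath -Expected $ExpectedThumbprint; Get-LeRootStatus | Format-Table -AutoSize }
```

Run it without -Fix first to see which store is missing ISRG Root X1; the CurrentUser store is reported but only the LocalMachine store is modified.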


----------



## Bill_Bright (Oct 18, 2021)

Hmmm, just checking that entry on this W10 system, it shows DST Root CA X3 expired 9/30/2021. It is not unusual to find expired certs there, but it does seem odd it expired on the same day you said your problem started. 

I wonder what would have happened had you simply deleted the old, and not installed the new one?

Oh well. 

Thanks for the update.


----------



## seth1911 (Oct 18, 2021)

Same as on my Blackberry: block DST.


----------



## eidairaman1 (Oct 19, 2021)

Switch to Firefox, Chrome is like Internet Explorer anymore...


----------



## R-T-B (Oct 19, 2021)

eidairaman1 said:


> Switch to Firefox, Chrome is like Internet Explorer anymore...


And Internet Explorer is now Edge, which is literally based on Chrome... so the world's crazy now.


----------



## eidairaman1 (Oct 19, 2021)

R-T-B said:


> And Internet Explorer is now Edge, which is literally based on Chrome... so the world's crazy now.


Yeah chrome is bloatware now.


----------



## Jozy (Oct 19, 2021)

[XC] Oj101 said:


> I actually managed to fix it by doing the following:
> 
> Start -> certmgr.msc
> Trusted Root Certification Authorities
> ...


Thank you for your post.  I had the same problem and I managed to solve it following your instructions


----------



## [XC] Oj101 (Oct 19, 2021)

eidairaman1 said:


> Switch to Firefox, Chrome is like Internet Explorer anymore...


Firefox has a massive memory leak, and has had for quite a while. Once you've had more than +/- 200 tabs open (I run an online IT retail company full-time; between following tickets, orders, vendor product pages to get specs for stock being added, WhatsApp Web, social media, supplier stock feeds, monitoring surveillance, and my personal browsing in my free time (such as this, following the news, playing music on YouTube, etc.), 200 tabs isn't uncommon) it just falls apart.

Right now I have Chrome running across 7 windows with up to 28 tabs per window - memory usage is insane but everything is responsive. With Firefox, everything starts lagging badly and mouse clicks can take 5+ seconds to register or fail to register at all. Closing all tabs but one leaves CPU usage at 50% and memory usage over 10GB, meaning that when things slow down I literally have to close everything and reopen. Restoring a session is an option, but when I'm busy I don't have time to do that every 3-5 minutes.

Chrome isn't free of leaks (if I close everything but one tab, memory usage will stay at 4GB+), but it never slows down and becomes unusable the way Firefox does.

I would love to free myself of Chrome, but it's not feasible for my workload.

I would also love to move to Windows 7 which would have avoided this entire issue, but some archaic hardware and software I use doesn't work (either doesn't work properly, or at all) on anything newer. Some of the software was custom developed and I no longer have contact with the dev or access to the source code, so it would need to be rewritten which is an expense I'm not ready to face right now - not with the economy the way it is.

On another note, I miss Opera (before it became another skinned Chrome).

Never more than 3GB memory used, even with over 1,000 tabs open. Don't ask how I used to find anything, I just "did".


----------



## chrcoluk (Oct 19, 2021)

I think the original LE root cert is planned to expire; they made a new one a while back which everyone should be switched to now.

Those of you who have browsers that don't trust the new root, have you not been installing Windows updates or something?

All my sites I switched to the new root over a year ago.


----------



## R-T-B (Oct 19, 2021)

[XC] Oj101 said:


> On another note, I miss Opera


God, yes.  A travesty, that switch.


----------



## Superzuber (Oct 19, 2021)

chrcoluk said:


> I think the original LE root cert is planned to expire, they made a new one a while back which everyone should be switched to now.
> 
> Those of you who have browsers that don't trust the new root, have you not been installing Windows updates or something?
> 
> All my sites I switched to the new root over a year ago.


He said it was on Windows 7 machines so that explains it.


----------



## Bill_Bright (Oct 19, 2021)

R-T-B said:


> And Internet Explorer is now Edge, which is literally based on Chrome... so the world's crazy now.


Based on Chromium - that is not the same as based on Chrome, which is also based on Chromium. They are certainly similar, but more different than alike, IMO. But that's for a different discussion.


----------



## R-T-B (Oct 19, 2021)

Bill_Bright said:


> Based on Chromium - that is not the same as based on Chrome, which is also based on Chromium. They are certainly similar, but more different than alike, IMO. But that's for a different discussion.


Yeah.  Same render engine.


----------



## Solaris17 (Oct 19, 2021)

Bill_Bright said:


> Not sure "unaffected" (or "weird") is the correct way to look at this.
> 
> From a security standpoint, the Chromium based browsers are protecting their users by blocking potentially insecure sites. So, again, from a security standpoint, the questions should be, "why is the site not using a SSL certificate?" And, "why is Firefox not blocking it?"
> 
> ...



It's not even just a Let's Encrypt issue.

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

This literally just happens. The whole chain authority incident is because of old OS compatibility. Apple had this issue in 2019 as well; it broke Safari on some sites and they corrected it.

Let's Encrypt didn't do anything wrong; this is only hot because they are used the most for securing websites because they are free.


----------



## Aquinus (Oct 19, 2021)

Solaris17 said:


> Letsencrypt didn't do anything wrong, this is only hot because they are used the most for securing websites *because they are free*.


If only people realized that you get what you pay for.


----------



## [XC] Oj101 (Oct 21, 2021)

Aquinus said:


> If only people realized that you get what you pay for.


I'm not sure there is actually any more encryption with my GeoTrust EV cert than a free Let's Encrypt cert. They both use 256-bit encryption. For me it's more about customer ease of mind, as fly-by-nights and scammers are a dime a dozen in South Africa since Covid. Anyone can get domain validation, extended validation has a fairly in-depth vetting process.

Hell, I didn't even need to do domain validation for my first (Let's Encrypt) cert. GeoTrust included domain validation via email, a letter from my attorneys, a phone call from DigiCert and who knows what else they did. I even had an issue where my business is listed under its "trading as" name on Google and not under its registered name, it's not listed correctly on BBB (which appears to be blocked from SA; it just displays 403 Forbidden), and Dun & Bradstreet had my location listed simply as "South Africa."


----------

