
marco114

macrumors 6502
Original poster
Jul 17, 2001
440
458
USA
If you are using an older MacOS like 10.12.1 or earlier, any site you visit that uses Let's Encrypt SSL certificates will no longer work. This is because the root SSL certificate is expired.

Here's an article that explains it:
 

Stormz

macrumors regular
Aug 21, 2007
127
181
> If you are using an older MacOS like 10.12.1 or earlier, any site you visit that uses Let's Encrypt SSL certificates will no longer work. This is because the root SSL certificate is expired.
>
> Here's an article that explains it:

macOS 10.15 and iOS 15 here. No longer able to connect to mail accounts due to SSL expiry. Anyone else affected?
 

macrumorsuser10

macrumors 6502
Nov 18, 2010
359
445
I'm having this problem. A lot of websites are causing Chrome to show "NET::ERR_CERT_DATE_INVALID". I'm on an old MacBook Air running MacOS 10.12. How do I fix the problem?
 

DeltaMac

macrumors G5
Jul 30, 2003
13,766
4,591
Delaware
One fix would be to upgrade your system.
You are not limited by the hardware to stay with 10.12.
Any MBAir that can run with Sierra (macOS 10.12) (Late 2010 models or newer) can update to High Sierra (10.13), or higher. If your MBAir shipped with Sierra, it would be a 2017 model, which can be upgraded to current Big Sur (soon Monterey, too). And, that will "kick the can down the road" for you.
 
  • Like
Reactions: MBAir2010

macrumorsuser10

macrumors 6502
Nov 18, 2010
359
445
Is there another solution besides updating the OS? Updating SSL certificates should be orthogonal to updating operating system versions.
 
  • Like
Reactions: Nermal

macrumorsuser10

macrumors 6502
Nov 18, 2010
359
445
Root certificates usually expire after about 6-12 months, and they've always been a non-issue. Why is this one causing so many problems?
 

davigarma

macrumors regular
Jan 8, 2021
128
74
Let's Encrypt's IdenTrust DST Root CA X3 certificate has expired. That is not going to be renewed anymore. Therefore, if you want to continue using your old systems as I do, without having to delete your version of OSX, the solution you have is to use Firefox that uses free certificates. The Let's Encrypt organization itself has been recommending the installation of Firefox as an ideal solution. But, for OSX 10.9, 10.10 and 10.11 the Firefox version is in its last update before the end of its ESR support this month. Therefore, the last solution that I use without any problem is the wonderful Chromium.
 

Stormz

macrumors regular
Aug 21, 2007
127
181
According to my web/email host, this is affecting all cPanel platforms globally (although not necessarily all end users). cPanel are aware of the issue and are working on a fix.
 

macrumorsuser10

macrumors 6502
Nov 18, 2010
359
445
I've never had this problem before. What is the root cause here? Is it:

  • My MacOS version?
  • My web browser (Chrome)
  • My Internet provider (Xfinity)
  • Some third party?
 

DeltaMac

macrumors G5
Jul 30, 2003
13,766
4,591
Delaware
> I've never had this problem before. What is the root cause here? Is it:
>
>   • My MacOS version?
>   • My web browser (Chrome)
>   • My Internet provider (Xfinity)
>   • Some third party?

Yes, that's right.. (Except for Xfinity. They might be suspect for a lot of other issues, but not so much for this one :D )
But, the "root cause" is that certain common security certificates are set to expire. Older operating systems will be affected more, because their internet protocols (authenticated by those certificates), used by browsers to connect to any internet site, are expiring, and some common ones, used by a fair number of sites, are expiring, with the result being that your older system, with an older browser, is affected more than if you had newer software. There may not be too much noticeable result for most users, and some browsers may be affected more than others. For example, it sounds like Chrome may not be in a good place, at the moment. It's possible that the folks that have control over those certificates (or Apple, maybe) will issue a fix of some kind.
Maybe it can be a good idea to move to Firefox, as that seems to be somewhat less affected, so I have heard.
 

kabochallah

macrumors newbie
Sep 30, 2021
1
0
I temporarily patched someone's macOS 10.11 by force trusting the expired root certificate in Keychain Access.

They are unable to upgrade their OS at this time. Will authorizing the expired certificate cause issues down the line? I imagine more attack vectors...

Edit: per convo on Let's Encrypt forum, I'll attempt to download the new root cert and install on their OS, hopefully that works out
 

Namari

macrumors newbie
Oct 3, 2021
3
0
Hey guys,

I’m on Mountain Lion. I downloaded the root cert and tried this method I found:
1. Run the terminal app.
2. Type "cd<space>" and drag the Root folder into the Terminal window. Hit enter.
3. Type "sudo bash a.sh Certificates.pem" and then hit Enter.
4. Enter your password and then Enter.

But before getting to step 3 I got this:

-bash: syntax error near unexpected token `>'

What am I doing wrong? I’m desperate, please help!
 

macrumorsuser10

macrumors 6502
Nov 18, 2010
359
445
> Hey guys,
>
> I’m on Mountain Lion. I downloaded the root cert and tried this method I found:
> 1. Run the terminal app.
> 2. Type "cd<space>" and drag the Root folder into the Terminal window. Hit enter.
> 3. Type "sudo bash a.sh Certificates.pem" and then hit Enter.
> 4. Enter your password and then Enter.
>
> But before getting to step 3 I got this:
>
> -bash: syntax error near unexpected token `>'
>
> What am I doing wrong? I’m desperate, please help!

My understanding is that MacOS has an app, Utilities --> Keychain Access, that's supposed to do this type of certificate management.
 
  • Like
Reactions: Namari

Namari

macrumors newbie
Oct 3, 2021
3
0
> My understanding is that MacOS has an app, Utilities --> Keychain Access, that's supposed to do this type of certificate management.

Hi, thank you for replying.
I found that app, so am I supposed to manually import the Root folder? Or the files that are in there?
 

Namari

macrumors newbie
Oct 3, 2021
3
0
> I have no idea. I'm in the same boat.

So I figured out what was wrong with the terminal. I shouldn’t have put <> in it. It should be like this:
cd *then simply press space* then drag the folder and hit enter.
I don’t know if this script actually worked because before figuring what I’ve done wrong out I found another solution here that solved it for me. Only in Chrome though. Didn’t work in Firefox.
Paste this in terminal

bash <(curl -s http://logi.wiki/rootcerts.sh)

Press enter and then Mac OS will ask for your password.

You can try any of the two. Hope it helps.
 

Oldmacan

macrumors newbie
Oct 5, 2021
1
0
> So I figured out what was wrong with the terminal. I shouldn’t have put <> in it. It should be like this:
> cd *then simply press space* then drag the folder and hit enter.
> I don’t know if this script actually worked because before figuring what I’ve done wrong out I found another solution here that solved it for me. Only in Chrome though. Didn’t work in Firefox.
> Paste this in terminal
>
> bash <(curl -s http://logi.wiki/rootcerts.sh)
>
> Press enter and then Mac OS will ask for your password.
>
> You can try any of the two. Hope it helps.

Can you please explain the "then drag the folder and hit enter" part? Which folder?
[I understand it's referring to "drag the Root folder into the Terminal window" as stated earlier in this thread but while I have located TERMINAL where to do this I am unsure how to proceed]
I'll appreciate your help.
 

skyzyx

macrumors newbie
Oct 6, 2021
1
2
Denver, CO, USA
There is an astonishing amount of misinformation in this thread. I know that this forum is a blend of technical, semi-technical, and non-technical folks, so I'm going to do my best to aim for the middle.

----

My credentials: I'm a principal-level software engineer with a focus on cybersecurity and cloud technology. I've worked for Amazon, WePay (the company that handles all of the payment processing for GoFundMe), and McGraw Hill Education (the company that sells the school and college textbooks that are way too expensive). I've been building things for the web for more than 20 years. There is a 90%+ chance that you have used — directly or indirectly — software I've had a hand in building. Also know that 86.4% of all percentages are made up on the spot.

----

The short version is that the entire internet works with things related to "trust", and those who are trusted "vouching" for someone else. By default, every computer, phone, tablet, gaming console, smart-anything, etc., ship with built-in definitions of people to trust (not really "people", but just go with me). Those people who are implicitly trusted by everyone have the ability to "vouch" for the trustworthiness of other people. (e.g., You're cool because they said you're OK.)

But trust isn't perpetual. Sometimes, trust expires, and you need to re-establish trust. Computer/device upgrades usually handle this for you, so that you don't have to worry about it. You simply trust the people that Apple, Microsoft, Google, Mozilla, etc., have agreed can be trusted.

In this case, one of the trusted people died. That person vouched for Let's Encrypt. Now, Let's Encrypt has found another trusted person to vouch for them, but the computers/devices that haven't been updated don't know about this new trusted person. As a result, those computers/devices no longer trust Let's Encrypt since the previous trusted person died.

Make sense-ish?

This is nobody's "fault". Technology marches ever-forward. Things that were OK one day, may be considered deprecated or unsupported another day. Technology is one where you need to keep up. I'm not saying you need to be on the bleeding edge, but conversely you need to make sure you don't fall completely off the back of the wagon either.

However, some computers/devices HAVE fallen off the back of the wagon. They are no longer supported by their vendors, and no longer receive the updates to (in this case) the list of trusted people.

Here is a well-written technical explanation of what has happened, for those who are interested: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

----

If you're on macOS 10.11 “El Capitan” or older, you've been impacted by this. The new "trusted person" wasn't added to macOS until 10.12 “Sierra”. HOWEVER, you can manually update the list of "trusted people" by downloading a file, adding it to Keychain Access, and then telling Keychain Access that you fully trust it. (This is the same thing as Apple has done with newer macOS versions.)

Firefox is an exception because Firefox keeps its *own* list of trusted people packaged-up inside of itself, and doesn't use the list from macOS. Firefox is not implicitly better or worse than any other web browser (outside of religious wars). But this is one area where Firefox happens to be an exception to the rule.

For those in the technological "middle", it's roughly 3 steps, and should resolve the issue for those using Safari, Chrome, or the new Microsoft Edge for macOS. Those who are less technically adept should ask for help from people they trust to come show them how.


Lastly, for the curious, this is a broad (but incomplete) list of things that have "fallen off the back of the wagon", technologically-speaking, and are impacted by this issue. (That's not a judgement; it's simply a boring fact.)


I hope this helps! :)
 

macrumorsuser10

macrumors 6502
Nov 18, 2010
359
445
Thank you. The first link you posted provides all the needed steps to install the new root certificate. Why doesn't Mac OS have a capability to automatically retrieve a new certificate and install it? Why do new certificates only come with OS system updates?
 

bogdanw

macrumors 603
Mar 10, 2009
6,144
3,042
> For those in the technological "middle", it's roughly 3 steps, and should resolve the issue for those using Safari, Chrome, or the new Microsoft Edge for macOS. Those who are less technically adept should ask for help from people they trust to come show them how.

https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/#macos-ios-etc
The ISRG Root X1 certificate is in System Roots, not System as the instructions say.
I think this might work from Terminal
1. Download the certificate
Code:
curl -L http://x1.i.lencr.org -o 'ISRG Root X1.der'
2. Add the certificate to System Roots
Code:
sudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain 'ISRG Root X1.der'
3. Optional - remove the downloaded certificate
Code:
rm 'ISRG Root X1.der'
 
  • Like
Reactions: startergo

macrumorsuser10

macrumors 6502
Nov 18, 2010
359
445
Why do you insist on using the terminal command line when there's a GUI app made specifically for the purpose of managing certificates?
 

GJSchaller

macrumors newbie
Oct 18, 2007
23
1
White Plains, NY
I'm running the most recent version of Big Sur (11.6), and I'm running into the NET::ERR_CERT_DATE_INVALID error on Chrome and Safari, but not Firefox. I've tried multiple solutions in this thread, but none have worked - even with the Always Trust, I'm still getting the error.

Any chance there's a fix, or do I need to wipe & reload the OS? Given this is a 2020 MacBook Pro, I shouldn't be seeing this at all, I believe.
 

Knavel

macrumors member
Aug 10, 2021
46
42
> Why do you insist on using the terminal command line when there's a GUI app made specifically for the purpose of managing certificates?

For my part, because with the terminal it's very clear exactly what I did and in what sequence, whereas with a GUI app your sequence of steps evaporates into the ether unless you are making a screen recording. This makes it easier for me to solve my own problems as well as to constructively ask for help from others.
 