Some Mac and Android users are having website connection issues caused by expired Let’s Encrypt certificates
Reports are coming in that internet users who are running Mac devices or older Android devices are having connection issues on some sites they visit in most web browsers.
Mac users who experience the problem receive “your connection is not private” error messages with the error code NET::ERR_CERT_DATE_INVALID.
Most web browsers on Mac devices, including Google Chrome and other Chromium web browsers, return error messages when users sign in to certain sites.
The issue is related to the expiration of the root certificate of Let’s Encrypt on September 30, 2021. Let’s Encrypt is a non-profit organization that has issued more than 2 billion certificates since its founding.
Certificates issued by an expired root certificate will no longer be trusted by clients. Let’s Encrypt tries to mitigate issues caused by root certificate expiration through a new cross-signed root certificate valid until September 30, 2024.
Let’s Encrypt has published lists of platforms that may experience issues as of September 30, 2021, and of platforms that should not.
Older versions of Mac OS and iOS are on the incompatible lists, along with older Linux distributions and some other older devices such as Android devices running Android 2.3.6 or earlier.
- Nintendo 3DS
- Windows XP before SP3 (cannot handle SHA-2 signed certificates)
- Java 7
- Java 8
- Windows Live Mail (2012 email client, not webmail; cannot handle certificates without CRL)
- PS3 game console
- PS4 game console with firmware
Platforms that will no longer validate Let’s Encrypt certificates
- Mozilla Firefox
- Ubuntu >= precise / 12.04 and
- Debian >= squeeze / 6 and
- Java 8 >= 8u101 and
- Java 7 >= 7u111 and
- NSS >= v3.11.9 and
- Amazon FireOS (Silk Browser) (version range unknown)
- Cyanogen > v10 (version that added ISRG Root X1 unknown)
- Jolla Sailfish OS > v220.127.116.11 (version that added ISRG Root X1 unknown)
- Kindle > v3.4.1 (version that added ISRG Root X1 unknown)
- Blackberry >= 10.3.3 (version that added ISRG Root X1 unknown)
- PS4 game console with firmware >= 5.00 (version that added ISRG Root X1 unknown)
Newer versions of iOS or Mac OS should not be affected according to Let’s Encrypt, but it seems that the issue occurs on some newer versions as well.
Scott Helme confirms that he has seen issues on iOS 11, 13 and 14, and on several versions of Mac OS that are “just a few minor versions behind” the current one.
There are also numerous reports of iOS and macOS versions newer than expected reporting issues at sites serving the expired R3 intermediary. I have seen errors on iOS 11, 13 and 14 as well as several versions of macOS that are only a few minor versions behind. No client side patch yet.
– Scott Helme (@Scott_Helme) September 29, 2021
Helme created a test site that lets users check whether their client is affected.
It is not clear at this time if there is anything users can do about the issue on their end. One option that users have is to use Firefox, as it uses its own certificate store. Connections that fail in the system's default browser should work in Firefox on the same system.
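The failure modes described above can be reproduced with a small certificate path-building model. This is an added example, not code from Let’s Encrypt or Scott Helme: the `Cert` class, `build_path`, the `example.test` name and every validity date other than September 30, 2021 and September 30, 2024 are constructed, and `enforce_anchor_expiry` is a modelling assumption for clients that do not check expiry on their own trust anchors.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed validity data; only 2021-09-30 and 2024-09-30 come from the article.
OLD_ROOT   = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
X1_SELF    = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
X1_CROSS   = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))
R3_EXPIRED = Cert("R3", "DST Root CA X3", utc(2021, 9, 29))
R3_CURRENT = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF       = Cert("example.test", "R3", utc(2021, 12, 1))

def build_path(cert, served, anchors, now, enforce_anchor_expiry=True, depth=0):
    """Return the subjects from `cert` up to a trust anchor, or None.
    Every served certificate on the path must be unexpired at `now`."""
    if cert.not_after < now or depth > 5:
        return None
    for a in anchors:  # does a root from the client's own store close the path?
        if a.subject == cert.issuer and (a.not_after >= now or not enforce_anchor_expiry):
            return [cert.subject, a.subject + " (anchor)"]
    for ca in served:  # otherwise climb through a CA certificate the server sent
        if ca.subject == cert.issuer and ca is not cert:
            rest = build_path(ca, served, anchors, now, enforce_anchor_expiry, depth + 1)
            if rest:
                return [cert.subject] + rest
    return None

if __name__ == "__main__":
    now = utc(2021, 10, 1)
    good_chain = [R3_CURRENT, X1_CROSS]  # chain with the cross-signed root
    cases = {
        "store has ISRG Root X1": build_path(LEAF, good_chain, [X1_SELF], now),
        "old store, expiry enforced": build_path(LEAF, good_chain, [OLD_ROOT], now),
        "old store, anchor expiry ignored": build_path(LEAF, good_chain, [OLD_ROOT], now, False),
        "site still serves expired R3": build_path(LEAF, [R3_EXPIRED], [X1_SELF], now),
    }
    for name, path in cases.items():
        print(f"{name:34} ->", " -> ".join(path) if path else "ERR_CERT_DATE_INVALID")
```

In this model a client fails either because its trust store only holds the expired root, or because the site sends an expired intermediate and the client has no other path to a trusted root.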
Now you: Have you experienced website connection issues related to certificates since September 30, 2021?