hoakley September 21, 2021 Macs, Technology

El Capitan and older Mac OS X are about to have a security certificate problem

If you’re still running El Capitan, or any version of Mac OS X prior to 10.12.1, then you’re about to run into problems with some popular security certificates.

The reason, explained in full detail by Scott Helme, is that a widely used root security certificate, that for IdenTrust DST Root CA X3, will expire in just over a week, on 30 September. This is relied on by Let’s Encrypt security certificates. Although later versions of Mac OS X and macOS have had replacement root certificates installed, those aren’t in older versions of Mac OS X, nor in iOS prior to version 10.

It may be possible to make changes within the root certificates to work around this: details are given in that article.

Although this specific problem shouldn’t affect any Mac which has been updated to a version of Mac OS X or macOS later than 10.12.2, all later versions of macOS are prone to a related problem…

Note:

This certificate expiry doesn’t only affect older versions of macOS. Versions from 10.12 (Sierra) to 12 beta (Monterey), and all recent versions of iOS and iPadOS may refuse to load an affected site, claiming that their intermediate and root certificates are out of date, despite the updated root certificate being present. Full details are in this article, which explains what you can do to address that. This not only affects Safari, but also third-party apps which use parts of WebKit to connect to websites.

Whether you’re running a server which relies on Let’s Encrypt certificates, or trying to connect your browser to one, the most helpful and information page on the subject is this one from Certify The Web.

Thanks to @mikeymikey for drawing attention to this, and to Peter for the link.
Updated 0845 UTC 2 October 2021 with link.

68Comments

Add yours

1

Bryan Christianson on September 21, 2021 at 7:54 am

Thanks for the heads up Howard. I notice that older android phones (which I have) may also be affected. I really hate it that hardware, working with no issues, can be rendered useless by these kind of software issues.

Also – I have been building my software for running on macOS 10.10 to current. I may as well drop the earlier releases now since anyone running 10.11.x or earlier will be unable to download the software from my Lets Encrypted secured site.

LikeLiked by 1 person
- 2
  
  hoakley on September 21, 2021 at 8:10 am
  
  Thank you. Sorry about the problems, but they’re inherent in certificates. Without changing the system, I’m not sure what else could be done.
  Howard.
  
  LikeLike
- 3
  
  wowfunhappy on September 26, 2021 at 7:10 pm
  
  > I may as well drop the earlier releases now since anyone running 10.11.x or earlier will be unable to download the software from my Lets Encrypted secured site.
  
  This isn’t necessarily the case—for example, if they download the software using Google Chrome, it should work fine, because Chrome uses its own certificate store. (Really, no one on 10.11 or earlier should be using Safari for anything, most sites will be broken.)
  
  LikeLiked by 1 person
  - 4
    
    hoakley on September 26, 2021 at 8:23 pm
    
    Thank you.
    To be honest, no one should be accessing the Internet more generally with an old and unsupported version of macOS, regardless of the browser they’re using. There are so many known and exploited vulnerabilities in those old versions of macOS that it’s an exploit waiting to happen.
    Howard.
    
    LikeLike
5

Nelson R. on September 21, 2021 at 8:01 am

hi Hoakley. I have two questions. If you download an OS from apple servers provided on this link https://support.apple.com/en-us/HT211683, will those also expire on Sept. 30, 2021? If you change the date through terminal command before running the OS installer, will that be enough for the certificate to still work? Thank you

LikeLiked by 1 person
- 6
  
  hoakley on September 21, 2021 at 8:13 am
  
  Apple is its own Certificate Authority, and although it has had its glitches in the past, none of this affects Apple’s certificates. So anything that Apple has signed, or which traces back to Apple’s CA, like all developer certificates, remain completely unaffected. This only affects things signed by Let’s Encrypt certificates.
  Howard.
  
  LikeLike
7

fds on September 21, 2021 at 11:04 am

An expiring root certificate has to be very low on the list of actual issues people wishing to get real use out of such an ancient system must fight continuously. Where would they be getting a usable web browser in the first place? Safari, frozen in time, lacking years of advancement and security fixes, wouldn’t do.

Firefox, which happens to have always carried its own set of updated trusted root certificates, and thus would not be affected by this incident, now lists 10.12 Sierra as its minimum. Maybe those special long-term support Firefox ESR versions have lower requirements, and still getting security patches, if web feature compatibility is not an issue.

Chrome I read also planned to switch to its own certificate store. I don’t know if it has happened yet. Anyway, it seems to list 10.11 as the minimum for now. So, just maybe, you could imagine a person having an up-to-date Chrome web browser running on OS X 10.11 still, to this day. Got to be pretty rare!

In any case, for the enthusiast hacker who would keep such old devices and software around, it’s actually really easy & simple to install an additional root certificate to trust. You double-click the certificate, accept the prompts, type in your password, done. It’s not any more difficult even on any ancient iOS version.

The certificate they’d want to install is available at
https://letsencrypt.org/certs/isrgrootx1.pem

With the added little gotcha that you might have trouble downloading a copy from Let’s Encrypt themselves once such an ancient system stopped accepting it after that expiration date, since they use their own certificate authority themselves to serve their website. As does your blog, courtesy of Automattic! Neat. You’ll know first hand if anything went awry in the world.

LikeLiked by 1 person
- 8
  
  David C. on September 21, 2021 at 3:55 pm
  
  Agreed. Most web browsers provide a mechanism to manually install certificates.
  
  I don’t know about Safari, but when Firefox detects a certificate problem, it provides some links you can click through (acknowledging the risks) to proceed with the request, so you should be able to get these certificates even after the old ones expire.
  
  Installing updated certificates for system services (that is, separate from web browsers) may be more difficult, but it should still be possible. At least I hope so. (I’ve never been able to install a new root certificate into my Linux PC in a way that will let the `wget` command use it.
  
  LikeLiked by 1 person
- 9
  
  hoakley on September 21, 2021 at 4:29 pm
  
  Thank you.
  I’m amused that you think it is the “enthusiast hacker who would keep such old devices and software around”. Writing the Q&A sections for MacFormat and Mac|Life, I can assure you that there are many users of old Macs who have never upgraded their systems, and are still happily running El Capitan, and some even still on Mavericks – and they regularly send in questions such as why their browser has stopped working with some websites.
  Of course if the “enthusiast hacker” wasn’t aware of what is due to happen in a few days, it could take them a while to work out just what was wrong. The purpose of this brief article is to warn them of what may be in store.
  Howard.
  
  LikeLike
  - 10
    
    Gord on September 30, 2021 at 10:58 am
    
    I have an alternate Mac that is still running El Capitan, and I’d like to extend its useful life as long as possible. I don’t see detailed instructions on the Scott Helme site for what exactly to do to address this issue.
    
    I nabbed the updated .pem certificate from the letsencrypt URL provided by fds, and double clicked to add it to Keychain Access. Then to get rid of the red ‘X’ I modified the ‘Trust’ setting to ‘Always trust’ for all the various drop-down menus. (I don’t think I had to remove the expired certificate.) So it should be good to go now?
    
    Possibly related issue(?): for the past year or more, I’ve noticed that navigating to some sites with Safari on my alternate El Capitan Mac will give me an error ‘This Connection Is Not Private,’ and warn me that the site has an expired certificate. Is there a way to fix that issue, aside from clicking through and modifying certificate settings on a site-by-site basis? Thanks for any help.
    
    LikeLiked by 1 person
    - 11
      
      hoakley on September 30, 2021 at 3:32 pm
      
      I have an article coming tomorrow morning explaining this fully. TL;DR: keep on adding each site as an exception in Safari, to maintain access as you need.
      Howard.
      
      LikeLike
12

Michael Tsai - Blog - Some Web Sites Will Stop Working With El Capitan and Older on September 24, 2021 at 8:49 pm

[…] Howard Oakley: […]

LikeLike
13

Bryan Wellander on September 24, 2021 at 9:54 pm

Hi,
Does this page apply to safari in 10.11.6?
Will doing this solve the issue?
And that you for the post.
Love this site by the way.

LikeLiked by 1 person
- 14
  
  hoakley on September 24, 2021 at 10:18 pm
  
  Thank you.
  Yes, if you manually install that, and remove the expired certificate, that should fix it. That’s further explained in the article which I link to.
  Howard.
  
  LikeLike
15

Bryan Wellander on September 24, 2021 at 9:55 pm

https://www.identrust.com/support/downloads

LikeLiked by 1 person
16

Michael Newbery on September 30, 2021 at 9:52 am

Well, it broke.
It broke on iOS 15, Big Sur and Mojave.
I have an M1 Mac running Dovecot. It has an unexpired certificate. And yes, when the intermediate expired, so did the letsencrypt R3. If you check the expiry, it says that the cert expired on 30/09/21, but More Details (iOS) shows that it’s (the R3 cert) actually valid until December. Checking on the dovecot machine, all seems well. Some people on a letsencrypt board have suggested changing cert.pm to full chain.pem in the ssh.cnf file. It may have worked for them, it doesn’t work for me.
I removed the certificate and created a new one. No change in brokenness.
I wonder if there is something special about dovecot (installed via home-brew) on a Silicon Mac.
I await tomorrow in the hope that someone will have found a solution.

LikeLiked by 1 person
- 17
  
  hoakley on September 30, 2021 at 3:34 pm
  
  I’m sorry to hear that. I have an article coming Friday morning explaining at least some of these problems. For now, all I can suggest it to add these sites as individual exceptions through Safari, which adds them to the keychain, allowing TLS with them.
  Howard.
  
  LikeLike
18

Jason on September 30, 2021 at 3:20 pm

Not sure if the following will help you – hopefully it will. I’ve been tracking this issue thanks to this ELC Post, so I knew what was coming & when.
I actually still have 1 Mac that needs to be running El Capitan.

Here’s what I did on my *Mac*…

1) Watch it fail => Try to load any site secure by “Let’s Encrypt” even in Google Chrome => For example: Wikipedia
2) “Fix It” => Keychain Access => Unlock System Keychain => File => Import => isrgrootx1.pem (See: FDS’s comment above for link to this cert. [ https://letsencrypt.org/certs/isrgrootx1.pem ]
3) Select this cert which in KeyChain Access will be UNTRUSTED => Get Info => Trust => Change to “Always Trust” => Quit Keychain Access
4) RELOAD WIKIPEDIA PAGE & CHECK CERTIFICATE SETTINGS…

Very Important:
I really don’t know how secure / insecure / possibly foolhardy what I did is.
It might be better to wait for others to comment.
Best of luck…
-Jason

LikeLiked by 2 people
- 19
  
  hoakley on September 30, 2021 at 3:30 pm
  
  Thank you.
  It turns out that this is the tip of the iceberg. I have more detailed info about the problem on more recent versions of macOS coming tomorrow morning.
  For the time being, I recommend adding each affected website as a ‘trust this site’ through Safari, if that’s you main browser. Firefox should be more relaxed, although I’m not sure that’s necessarily a good thing.
  Howard.
  
  LikeLiked by 1 person
  - 20
    
    Michael Newbery on September 30, 2021 at 6:40 pm
    
    I can get things to work for web sites, but it’s my mail server which is the problem, since I can’t read the mail on it from iOS. I shall wait and watch.
    
    Also, it doesn’t work on Catalina.
    
    And also, and I suspect this MIGHT be related, but it could just be a coincidence.
    
    This just started happening. On a dylib that has been working fine until now. Please note, I don’t have an Apple Certificate (I’m not at that level of developer certification), but that has worked just fine up until now.
    
    /usr/local/lib/libXXXX.dylib: code signature in (/usr/local/lib/libXXXX.dylib) not valid for use in process using Library Validation: library load disallowed by system policy.
    
    It’s calling the library from Ruby using ffi by the way.
    
    LikeLiked by 1 person
    - 21
      
      hoakley on September 30, 2021 at 8:51 pm
      
      I’m sorry to hear that, but don’t know enough about Dovecot to offer any suggestions. As my article tomorrow shows, macOS, iOS and iPadOS can retain old certificate details, which might mean that iOS isn’t using the new ‘fixed’ chain of trust, but the old one with its expired certificates still. I don’t know how you might be able to force it to update, though, as I can’t readily do that in macOS.
      Is that dylib signature problem on your M1 too? That looks like the security policy is denying your Ruby code access to the dylib because your Ruby code isn’t trusted. That might ring a bell with those using Ruby on M1 Macs, but isn’t something within my experience, I’m afraid.
      Sorry.
      Howard.
      
      LikeLike
    - 22
      
      Michael Newbery on September 30, 2021 at 9:22 pm
      
      Problem fixed. At least for me with dovecot.
      
      By default, dovecot comes with the following in /etc/local/dovecot/local.conf (or in /etc/local/dovecot/conf.d/ssl.cnf or similar)
      
      ssl_cert = </etc/letsencrypt/live/example.com/cert.pem
      ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
      
      That doesn't work with the lets encrypt intermediate certificate hack, because cert.pem doesn't contain the intermediate certificate chain. You need to change that to
      
      ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
      
      (You need to restart dovecot after that to get it to re-read its config files).
      
      Well, I did that, and it made no difference.
      
      After a little fossicking, I realised that I had installed dovecot om my M1 Mac, using homebrew, in Intel mode (because dovecot wasn't originally supported on ARM under homebrew).
      Then, I had upgraded to native Mac Silicon when that became available. And when you do that, homebrew puts all the config files under
      /opt/homebrew/etc/local …
      
      I was modifying the wrong config file 😦
      
      It works now.
      
      LikeLiked by 1 person
    - 23
      
      hoakley on September 30, 2021 at 9:28 pm
      
      Well done!
      Howard
      
      LikeLike
- 24
  
  hoakley on September 30, 2021 at 8:40 pm
  
  Thank you.
  I’ve noticed that you’re using Wikipedia as an example. I don’t know why you’re having problems with Wikipedia’s certificates, as they don’t rely on the Root CA which has just expired – Wikipedia doesn’t use Let’s Encrypt, but a completely different Root CA without any problems of expiry date. It should therefore work perfectly.
  Howard.
  
  LikeLike
  - 25
    
    Jason on September 30, 2021 at 8:58 pm
    
    I used Wikipedia b/c it was the first site that gave me a secure site warning in Chrome => When I look at the Certificates: *.wikipedia.org & the Intermediate Certificate were both issued by “Let’s Encrypt” (wish I could attach a screenshot). I honestly don’t recall if the Root CA was “DST Root CA X3”. Also, I was able to duplicate this same error & resolution on a different Mac also running OS X El Capitan. Are you getting something different for *.wikipedia.org? -Jason
    
    LikeLiked by 1 person
    - 26
      
      hoakley on September 30, 2021 at 9:05 pm
      
      Certainly. Wikipedia’s entire domain is certified by DigiCert through its own Root CA, the High Assurance EV Root CA.
      Howard
      
      LikeLike
- 27
  
  Baron on October 1, 2021 at 12:02 am
  
  I did exactly the same as you did (but on an old Mac with SnowLeopard and Firefox48), expecting at least to be able to read some sites. Alack, for this one, eclecticlight.co, was it not enough: it is forbidden to add an exception. The same applies to Letsencrypt.org.
  I’m wondering if I could fix it or if I will have to renounce to use that Mac for consulting those sites (some others let me add an exception or just let me access them without asking.)
  
  LikeLiked by 1 person
  - 28
    
    hoakley on October 1, 2021 at 7:43 am
    
    Well, this site doesn’t use Let’s Encrypt for its certificate or chain of trust.
    I would strongly advise you against connecting any Mac running Snow Leopard to the Internet: so much has changed since then, and there are so many known vulnerabilities in every component of Snow Leopard, it really isn’t a useful or wise thing to do any more.
    Sorry.
    Howard.
    
    LikeLike
- 29
  
  coldesmob on October 1, 2021 at 2:06 am
  
  …fyi, running mac el capitan, have just worked thru Jason’s fix and websites in chrome browser now load even though certificate dst root ca x3 still shows as expired, dev tools security displays “Certificate – valid and trusted” – thank you Jason!
  
  LikeLiked by 1 person
30

Baron on October 1, 2021 at 12:08 am

When saying:
> I did exactly the same as you did (but on an old Mac with SnowLeopard and Firefox48)
I was referring to the message Jason posted on September 30, 2021 at 3:20 pm.

LikeLiked by 1 person
31

NotarySojac on October 1, 2021 at 2:11 am

My wife’s MacBook Pro got hit by this today as I was getting ready to leave for work. A year or so ago I had convinced her to switch to Chrome due to all the loading issues she was having on F*c*book. Today all the “it happened this day” sites she uses as source materials come up with DON’T TRUST THIS SITE cert expired YOU MAY BE GETTING SCAMMED etc… But they loaded on my MBP running High Sierra…and they loaded in Firefox……ding!
It dawned on my that since she’s still on ElCap due to Photoshop compatibility issues, it may be this cert thing. Jason – Thank you for posting the link to the cert. I was a bit concerned that I had to tell KeyChain Access “ignore the fact that you don’t trust this cert! Trust it anyway! Believe in the EclecticLightCo!”. And now her sites load and I could go to work.
Looking forward to tomorrow’s article, Howard.

LikeLiked by 1 person
32

Tillmann Rudorf on October 1, 2021 at 8:11 am

Hi. We also fixed our Macs with El Capitan with the posted workaround. But it doesnt work with Mojave (OS X 14). Can anybody help?

LikeLiked by 1 person
- 33
  
  hoakley on October 1, 2021 at 8:15 am
  
  Thank you.
  The problem is different with Sierra and later versions of macOS, which do have the correct certificates already available. This is all explained in this morning’s article, to which you should refer. Unfortunately, there’s no simple fix for this, it would appear, and you’ll have to add each site to Safari etc. using its ‘ignore and proceed to connect’ procedure.
  Howard.
  
  LikeLike
34

Tillmann Rudorf on October 1, 2021 at 9:22 am

Thanks. But we dont connect from safari to a website, but via InDesign-Plugin (CURL). And there I cant use ignore and accept. Does anybody know how to reset the cache for this used certificates?

LikeLiked by 1 person
- 35
  
  hoakley on October 1, 2021 at 9:29 am
  
  This isn’t a simple cache: it’s the trustd certificate check being performed by the macOS security system. I don’t know of any way to force that to perform a fresh certificate check rather than relying on its database.
  Howard.
  
  LikeLike
36

Robt on October 1, 2021 at 1:24 pm

This solution is floating round reddit: *QUOTE*
Download this Root Certificate:
——————————————–
NAME:
“ISRG Root X1”
(✅ Self-signed, ❌ NOT Cross-signed)
URL:
https://letsencrypt.org/certs/isrgrootx1.der
——————————————–
Verify that the fingerprints match:
——————————————–
So you know that the Root Certificate I’ve linked to is in fact the one that LE provides and Apple has certified/trusted.
This is for *your* safety since you *shouldn’t* trust me.
FINGERPRINT (SHA-1):
CABD2A79A1076A31F21D253635CB039D4329A5E8
SOURCE:
https://letsencrypt.org/certificates/ (Active > ISRG Root X1 > Self-signed > der)
WHAT APPLE SHIPS 10.12.1+:
https://support.apple.com/en-us/HT207189
– Search for: “ISRG Root X1”
You should see that the fingerprints match between and .
——————————————–
Install the certificate:
——————————————–
– Via “Keychain Access.app”
– `File > Import Items…`
You can install it into either the `login` or `system` keychain. But not `System Roots` (which is where it *would* be, if we were on 10.12.1+)
– login = Current user only
– system = All users
——————————————–
Manually “Trust” that certificate:
——————————————–
– Find it (“ISRG Root X1”) in the list and double click on it.
– Open the “▶ Trust” area.
– Set: `When using this certificate:` to `Always Trust`
– Close the window, which will ask you to verify with your login password.
🏁 Done!
*END QUOTE*
3 Comments

LikeLiked by 1 person
- 37
  
  hoakley on October 1, 2021 at 1:32 pm
  
  Thank you, but:
  – if you only want to install the certificate in your own keychain, you don’t need to use Keychain Access. Double-clicking on the certificate should automatically install it there.
  – that doesn’t do anything for Sierra and later, which already have the ISRG Root X1 installed, but won’t use it if the old certificates are still recorded in the security database. There doesn’t appear to be any way to fix that.
  Howard.
  
  LikeLike
  - 38
    
    a on October 6, 2021 at 7:03 pm
    
    I’m the one who posted this procedure (above) at: mjtsai.com
    
    I see that @fds and @Jason found the same, maybe even earlier than me, and posted it here. I wish I was able to find their posts here before I debugged/researched it myself. I even checked… But this was one of the sites that was *really* down for me 😂. I couldn’t even selectively choose “Always Trust”.
    
    I realize that by now most of this has been discussed and resolved by people more knowledgeable than myself. But there are a few things I didn’t exactly see mentioned, that I wanted to reply to. Hopefully it’ll be helpful to someone, in the future, encountering this for the first time.
    
    —
    
    > @hoakley on September 30, 2021 at 3:34 pm
    > “For now, all I can suggest it to add these sites as individual exceptions through Safari, which adds them to the keychain, allowing TLS with them.”
    
    I think this was a good short-term solution, but not a long-term one.
    
    I tried this myself before installing the “ISRG Root X1” Root Certificate.
    
    There are at least three problems with it:
    
    1. [Psychological] It was going to get very annoying, very quickly, having to do that multiple times per day. Not to mention, the security hole it opens up (more on that below).
    
    2. [Psychological] It conditions you to `Allow` whenever you see this warning. And as much as we’d like to think “we’ll be careful and make sure this is the ok version of this warning and not the not ok version“, that will only last for so long.
    
    3. [Technical] Blanket trusting a specific site (and there will be many of them) opens the door wide open for attacks that are based on this now invalid “IdentTrust DST Root CA X3” cert AND any other attack. Further, anything done to the SSL of that manually blanket trusted site will be allowed as long as you’re using this machine/OS.
    
    Others have also suggested manually trusting the expired “IdentTrust DST Root CA X3” certificate. I tried that too and it worked. But again, it’s probably not a wise long-term solution. But it’s a good short-term fix to get things going enough to find the “ISRG Root X1” update procedure, here or elsewhere, and download it.
    
    I wrote some similar comments here:
    https://mjtsai.com/blog/2021/09/24/some-web-sites-will-stop-working-with-el-capitan-and-older/#comment-3539787
    
    (I’m cross-referencing just for… reference 🙂
    
    —
    
    re: Certificate Caching:
    
    I’ve seen your (@hoakley) other comments and posts about the certificate caching aspect of this issue.
    
    I’m not sure how much that’s effecting 10.11.x users. When I, and many others, installed and trusted the “ISRG Root X1” cert, everything started working immediately in Safari. I didn’t notice any caching issues (beyond finding that, if you were testing in Chrome, you should probably restart it, since Chrome is pretty thorough about detecting and pointing out SSL issues).
    
    —
    
    Thank you so much for this site. It’s a fantastic resource.
    
    Your deep knowledge of Macs and Art is awe inspiring, as is the amount of work and time you put into publishing it.
    
    Thank you!!
    
    a.
    
    LikeLiked by 1 person
    - 39
      
      hoakley on October 6, 2021 at 9:36 pm
      
      Thank you.
      I disagree with your assessment of making a site an exception. That doesn’t affect acceptance of the intermediate certificate at all: what Safari and macOS do is issue a limited certificate which allows that site, and that site alone, to be trusted. You can’t “blanket trust” a “specific site” – the trust is only applied to that specific site.
      Manually trusting an expired intermediate certificate is quite different, and that would open the door to other sites being trusted when they shouldn’t be.
      I think that Safari 15 and macOS have got this right. Most of the problems arose because of the sites themselves, Let’s Encrypt’s glib reassurance to those administering those sites that it was all simple, and the underlying complexity of the TLS system. Add some caching into that, and we’ve seen only too well the chaos that results.
      Howard.
      
      LikeLike
    - 40
      
      a on October 7, 2021 at 2:22 am
      
      > I disagree with your assessment of making a site an exception. That doesn’t affect acceptance of the intermediate certificate at all: what Safari and macOS do is issue a limited certificate which allows that site, and that site alone, to be trusted. You can’t “blanket trust” a “specific site” – the trust is only applied to that specific site.
      
      I’m not sure what you mean. The way I read that, it’s a little circular. Apologizes if I’ve missed something.
      
      I just tested again by removing the “ISRG Root X1” cert.
      
      – I visited a site I operate that uses an LE cert
      – Safari (11.1.2) = Security warning
      – Proceed through the warning
      – This is what adds the domain-based exception to the Keychain (ex: `example.com`)
      – Click the padlock icon in the location bar
      – The certificate path is no longer: DST Root CA X3 > ISRG Root X1 > R3 > example.com
      – It is now *only* `example.com` and labeled as: `This certificate is marked as trusted for “example.com”`
      – Issued by: `R3`
      – Expires: `Thursday, December 23, 2021` (~75 days)
      – Trust (SSL): “Always Trust”
      – X.509 Basic Policy: no value specified
      
      As far as it *appears*, `example.com` can now do *anything* to its SSL and my machine will allow it.
      
      Granted I haven’t tested this (by making server-side changes, since I don’t have an alternative cert). And maybe you know something I don’t about the granularity with which this manual “Trust” operates. I’d be happy to learn about that.
      
      Maybe what you meant above, is the domain-specific `trust` also includes its current SSL state. And if *that* changes, a new error would be thrown?
      
      IOW: It’s not *merely* a domain-specific `Trust`, but something even more specific?
      
      —
      
      BTW: I also tested, via the command line, the suggestion you made here:
      https://eclecticlight.co/2021/10/05/brolly-a-utility-to-help-understand-failed-secure-connections/
      
      `/usr/bin/nscurl –ats-diagnostics –verbose https://example.com` (not literally `example.com`)
      
      The results, when run with domain-specific “trust” and post-installation/trust of “ISRG Root X1” were the same:
      
      All = `Result : PASS`
      
      > Manually trusting an expired intermediate certificate is quite different, and that would open the door to other sites being trusted when they shouldn’t be.
      
      👍🏻 Exactly.
      
      LikeLiked by 1 person
    - 41
      
      hoakley on October 7, 2021 at 5:59 am
      
      Trust is binary. When you tell Safari to trust a site whose chain of trust is broken, what Safari does is trust the leaf certificate that site has served. You can’t get any more specific than that – either it trusts it, or it doesn’t.
      That isn’t generic or blanket trust, it’s specific to that site and that certificate. It can’t be made any more specific, and that’s exactly what Safari offers, and you accept.
      Should that site serve a different leaf certificate, then the chain of trust is checked again. So the site can’t do “anything” and your Mac will allow it – so long as that site continues to serve the certificate which you have said you trust, then it will connect as you have told it to.
      If you can think of anything more specific, I’d love to hear of it.
      Howard.
      
      LikeLike
42

Bart Van Dessel on October 1, 2021 at 10:22 pm

Well, you are lifesavers! Just read through your whole thread today, returned to post #7, downloaded the new
isrgrootx1.pem (via Firefox), installed it in my keychain, had keychain trust it, an bam: this worked.
Both on an El Capitan and a Mavericks machine, in all browsers and system wide!
Of course, this worked only account-per-account (every account has its own keychain).
Thanks ever so much! And spread the word…

LikeLiked by 1 person
- 43
  
  Jason on October 1, 2021 at 10:40 pm
  
  If you install to the System Keychain then you won’t have the “account-per-account” issue.
  
  It’s like when you have the option of selecting “this account only” -vs- “all users on this Mac” when using an installer.
  
  That’s why I specifically mentioned the System Keychain in Step (2) of my post. I probably should have made that clear.
  
  Best Regards,
  Jason – REF: Post #18
  
  LikeLiked by 1 person
  - 44
    
    hoakley on October 2, 2021 at 8:14 pm
    
    Thank you.
    Howard.
    
    LikeLike
- 45
  
  hoakley on October 2, 2021 at 8:14 pm
  
  Thank you.
  Howard.
  
  LikeLike
46

Ange on October 1, 2021 at 11:09 pm

My Mac is an OS X Yosemite running version 10.10.5. My computer is still in great condition and until yesterday, I could run all programs and web browsers just fine. Now, due to above issue, I cannot load almost any webpages from any browser. I was bypassing the warning with accepting the risk however that has since stopped. I can’t afford to update my mac – the hardware is perfectly fine – and how is this helpful for issues of sustainability and reducing our footprint? Is there another way around this other than having to buy a new mac? We shouldn’t have to buy new equipment every 8-10 years.

LikeLiked by 1 person
- 47
  
  Ange on October 1, 2021 at 11:21 pm
  
  In addition to above: I’ve tried to add sites as trusted individually, still doesn’t work. I cannot even access the links above about keychains (I’m not a techie but trying my best to follow everyone’s advice above). Now I am stuck at my clock is running ahead (it’s not) in Chrome or Failed to open page in Safari. I’m stuck.
  
  LikeLiked by 1 person
- 48
  
  Christian on October 3, 2021 at 10:45 am
  
  The above post by Robt plus the correction by hoakley is the way to go (at least, it worked for me in 10.11.6).
  The correct certificate url is: https://letsencrypt.org/certs/isrgrootx1.pem, though.
  To sum it up:
  – once you’ve downloaded it, just double-click on it, it opens Keychain Access.app
  – it should ask you where do you want to put that certificate (Login, Local Items, System), either choose Login or System (Login might be simpler for you, for the next step)
  – now you have to manually trust the new certificate as Robt explained in his post: find it in Keychain Access.app, double click on it and set it to `Always Trust`, etc.
  
  LikeLiked by 1 person
49

Angie on October 1, 2021 at 11:32 pm

I am using a 2013 Mac OS X Yosemite Version 10.10.5. Up until yesterday, it was perfectly fine and there was no need to upgrade – the hardware is in excellent condition and for my purposes, all programs performed flawlessly. Now I cannot access any webpages at all, including the links above posted which might help. I initially accepted the security risk and bypassed the warning – that has since stopped. I tried to manually add sites as trusted, that has failed. Now I’m blocked by Chrome due to Clock Errors and by Safari as Error loading the page, with no option to continue. I know my mac is 8 years old but we shouldn’t have to buy new hardware every 8-10 years. How is that good for sustainability and reducing our footprint? Is there another way around this? I would actually like to live in a more sustainable way but this is directly counter productive to that and is just another example of how companies directly contribute to excessive resources usage, right?

LikeLiked by 1 person
- 50
  
  hoakley on October 2, 2021 at 8:17 pm
  
  I’m sorry to hear of your problems. Which model of Mac are you using? It may well be that it can be upgraded to a more recent version of macOS, which will give you much improved security and restore most of your browsing.
  Howard.
  
  LikeLike
51

JvR-01 on October 3, 2021 at 8:04 pm

On old Mac, from 2012, running 10.10.5 Yosemite. On Safari, I just visited a website affected by this problem. Ran into Privacy Error / Not Trusted Certificate dialog box.

After reading this report and https://mjtsai.com/blog/2021/09/24/some-web-sites-will-stop-working-with-el-capitan-and-older/ , I went back to website and saw dialog box again, clicked on show details for the certificate. Selected to see settings on DST Root CA X3 certificate. Changed the setting to Always Trust, system dialog box pops up to notify me changing system preferences and asks for master user login password to make changes. I typed in password and click Make Changes.

Safari automatically reloaded and website loads right as normal! Go to Chrome, start new tab, go to websites that encountered this problem before, loads normally now!

So this works. I wish I had screenshots to make an easy to follow tutorial though. HTH

LikeLiked by 1 person
52

Zeb on October 4, 2021 at 3:05 pm

Big thanks for the MacOS solutions i have quite a number of machines having to run El capitan and adding the ISRG Root X1 certificate to the keychain has fixed their issues accessing some websites

LikeLiked by 1 person
53

Eva on October 10, 2021 at 9:31 am

Having a powerful and perfectly working late 2008 MacBook Pro running El Capitan, not able to update further. I wasn’t able to update Firefox or safari anymore but Opera was the next best thing. Now bumping into this certificate issue with all browsers minus the obsolete FF. Fingers crossed that your offered solution will help. I am looking into a new mpb though but of what I heard, apple’s newest machines aren’t that robust anymore. I hope the next generation to appear, without the touchbar, will offer good old quality.

LikeLiked by 1 person
- 54
  
  hoakley on October 10, 2021 at 6:38 pm
  
  Thank you.
  So long as you’re fully aware of the risks that you’re running, good luck to you. Life isn’t always simpler with a modern browser, but it’s a great deal safer, and more capable.
  I’ve had no problems with the robustness of the MacBook Pros that I’ve owned – my current 15-inch Intel and M1 models seem as good as anything from the past in that respect. They’re also vastly quicker, thinner, and the M1 seems to run forever on battery power alone.
  I wish you success in trying to fix this problem.
  Howard.
  
  LikeLike
  - 55
    
    rostasi on October 10, 2021 at 6:59 pm
    
    I installed the missing ISRG Root X1 certificate and marked it as “trusted” so I’m able to access my Backblaze account now, but there’s another glitch that makes it so I can’t save to their cloud.
    Backblaze has been contacted again thru a thread started earlier. As for Chrome and such, we’ll see what happens, but I appreciate the info/link on the “ISRG…” Thank you folks!
    
    LikeLiked by 1 person
- 56
  
  Eva on October 12, 2021 at 12:01 pm
  
  I did install the root certificate Let’s Encrypt R3, and it seems to work, what a relief until a new mbp arrives. But I am a bit surprised to see that it will expire in December 2021 already. They need to be updated every 2 months?
  @JvR-01 and @Gorb: you still use Safari on Yosemite? My “next best thing” on my older El Capitan is to use the Chrome and Opera browsers since they still are updated for use on older OS as well.
  
  LikeLiked by 1 person
  - 57
    
    hoakley on October 12, 2021 at 5:04 pm
    
    I think you may be reading the information for the wrong certificate. The leaf certificate, the bottom of the three, usually expires fairly soon, as they’re normally issued for just a year or even less. The intermediate certificate R3 in the middle should expire in 2025, and the Root X1 expires in 2035.
    I wish you joy with your new MBP.
    Howard.
    
    LikeLike
58

rostasi on October 10, 2021 at 3:11 pm

Thanks for this info. I’m in El Capitan (the most recent I’m able to use) and I’m having certificate problems thru Backblaze. Starting to see hiccups in Chrome as well.

LikeLiked by 1 person
- 59
  
  hoakley on October 10, 2021 at 6:39 pm
  
  I’m sorry to hear that. Do you know whether these are Let’s Sign leaf certificates? Have you tried downloading and installing the replacement Root CA?
  Howard.
  
  LikeLike
60

Jon on October 16, 2021 at 8:38 pm

I have an iMac running El Capitan, purchased in 2013, and was having the same problem… Apple’s Mac store said my OS XX was uo to date. So, I went to this page, https://support.apple.com/en-us/HT211683, and clicked on the link (using Safari) at the bottom of the page to download the macOS High Sierra 10.13 installer. Once I installed the new OS X, which took about an hor, problem solved. I am back to being able to access any website with any browser.

LikeLiked by 1 person
- 61
  
  hoakley on October 17, 2021 at 7:38 pm
  
  Depending on which model of iMac yours is, it’s quite likely to be able to run macOS Mojave or Catalina. Although the latter might be bad news for old 32-bit apps you might use, Mojave is quite a popular choice.
  Howard.
  
  LikeLike
- 62
  
  Trebor on October 20, 2021 at 2:57 pm
  
  I have a macbook pro 13 early 2013 running El Capitan. I stopped using Safari when security updates stopped. Since then I’ve used Chrome and recently noticed the issue of this thread. However, every site I can’t open on Chrome, I can open on Firefox (78.15) without any problem. Years ago, after installing High Sierra knocked 2 hrs. off my battery life, I went back to El Capitan. It’s a work horse osx and never gives me any problems (until this issue). I realize, though, the end of working with 10.11 is near.
  
  LikeLiked by 1 person
  - 63
    
    hoakley on October 20, 2021 at 5:46 pm
    
    Thank you.
    Howard.
    
    LikeLike
64

John on December 6, 2021 at 4:36 pm

This worked for my Early 2011 17″ MacBook Pro running El Capitan. Thank you! I can avoid upgrading to High Sierra and losing some applications that will no longer work on that OS.

LikeLiked by 1 person
- 65
  
  hoakley on December 6, 2021 at 7:27 pm
  
  Thank you.
  Howard.
  
  LikeLike
66

jeffn8 on December 19, 2021 at 4:12 am

HOW TO DOWNLOAD, INSTALL, AND SET THE NEW SECURITY CERTIFICATE FOR GOOGLE CHROME & SAFARI ON EL CAPITAN

This worked 100% on my 2008 Mac Pro Tower running El Capitan (extremely fast and reliable for its age, but cannot install Sierra on it).

INSTRUCTIONS

Go to
https://letsencrypt.org/certificates/
Root Certificates
Active
ISRG Root X1

Find the newest of this file link (first on the page)…
“Signed by ISRG Root X1: der, pem, txt”
Click on pem to download the correct one.

(I have my browser set to always download to the Desktop so I can quickly find the stuff I just downloaded, and I put it where it goes later).

Open Keychain Utility in the Applications > Utilities folder

Enter your password every time asked.

Click System (upper left).

Drag the new Security Certificate from the Desktop into the Security page in the open Keychain Window.

Double click on the new Security Certificate.

Click the little arrow next to “Trust” at the top to expand it.

Choose “Always Trust” in the menu next to “When using this certificate:”

You can choose “Always Trust” because it literally just came from the website of the company that creates the Trusted Certificates.

LikeLike
67

neonotes on January 20, 2022 at 9:29 am

the way to resolve the f* problem is in the youtube video i found recently and tested that it works … it is not my channel so there is not any profit for me …https://www.youtube.com/watch?v=m3FgAztrYYo

LikeLiked by 1 person
- 68
  
  hoakley on January 20, 2022 at 10:21 am
  
  Thank you.
  For those people able to read, this article comes without advertising, wasting your time watching a video, and is fully detailed, unlike that YouTube video.
  Howard.
  
  LikeLiked by 1 person