
Expired SSL Certificates on OS X 10.11.6 -- Please Help
maccistential
Fresh-Faced Recruit
Join Date: Jun 2015
Oct 3, 2021, 04:15 PM
 
Hello,

I'll start by saying that I hope I am posting this in the correct thread. I believe I am, as from what I am reading, it affects macOS < 10.12.1.

I am running 10.11.6, as that is the latest version of OS X that my Power Mac with Processor 2 x 2.8 GHz Quad-Core Intel Xeon, can support.

The machine is about 15 years old. It's one of my first loves, and until this current problem, I have no complaints. Only Apple products are this reliable!

In short, I am wondering if someone can provide actionable instructions for a layperson (i.e. a lay Mac user) for how to do the following (different solutions are also welcome), which I elaborate on below:

"Remove the IdenTrust DST Root CA X3 root certificate and manually install the ISRG Root X1 root certificate (not the cross-signed one).

or

If you're using OpenSSL commands like verify or s_client you can add the --trusted_first flag if possible."


I'd be ever so obliged!

P.S. This issue detailed below only occurs when using the Google Chrome browser, which sadly I depend on, after eons of stockpiling bookmarks and extensions there.

--------------------------------

PROBLEM

Since 30 September, 2021, while using Google Chrome and trying to log on to various websites whose URL begins with HTTPS, I receive the following error:

"Your connection is not private
Attackers might be trying to steal your information from mail.protonmail.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_DATE_INVALID"

POSSIBLE SOLUTION

A little digging on the internet brought me to the following article:

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

I should say that I understand little of what this blogger is writing about. My literacy of things 'under the hood' is eons less advanced. I guess that's why I am writing...so that some savior can hopefully break down his suggested remedies into actionable steps. I've excerpted from that post the content below:

"On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire....

This Let's Encrypt docs page contains a list of clients that only trust the IdenTrust DST Root CA X3 certificate and after that is the list of platforms that trust ISRG Root X1. I've blended these two lists together to produce the following list of clients that will break after the IdenTrust DST Root CA X3 expires.

OpenSSL <= 1.0.2
Windows < XP SP3
macOS < 10.12.1

Affected Clients

One of the notable clients that will still be affected by this expiration is anything depending on the OpenSSL 1.0.2 or earlier library, released 22nd January 2015 and last updated as OpenSSL 1.0.2u on 20th December 2019. OpenSSL have released a blog post detailing what action those affected can take, but they all require manual intervention to prevent breakage, full details are here. The brief overview of options is:

Remove the IdenTrust DST Root CA X3 root certificate and manually install the ISRG Root X1 root certificate (not the cross-signed one).

If you're using OpenSSL commands like verify or s_client you can add the --trusted_first flag if possible
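
The two remedies quoted above can be seen in a simplified model of certificate path building. This is an added example, not part of the original post and not OpenSSL's or macOS's code: certificates are constructed name/date records with no signature checks, and the host name `mail.example.test` and every date except the DST Root CA X3 expiry are illustrative assumptions.

```python
from datetime import date

# Constructed name/date records standing in for the certificates named above.
# No signatures are checked; dates other than the DST expiry are illustrative.
def cert(subject, issuer, y, m, d):
    return {"subject": subject, "issuer": issuer, "not_after": date(y, m, d)}

DST_ROOT = cert("DST Root CA X3", "DST Root CA X3", 2021, 9, 30)
ISRG_SELF = cert("ISRG Root X1", "ISRG Root X1", 2035, 6, 4)      # self-signed root
ISRG_CROSS = cert("ISRG Root X1", "DST Root CA X3", 2024, 9, 30)  # cross-signed copy
R3 = cert("R3", "ISRG Root X1", 2025, 9, 15)
LEAF = cert("mail.example.test", "R3", 2021, 12, 1)
SENT = [LEAF, R3, ISRG_CROSS]  # what the server presents, leaf first

def find(pool, name):
    return next((c for c in pool if c["subject"] == name), None)

def build_path(sent, store, trusted_first):
    """Return certs from leaf to a trust anchor, or None if none is reached."""
    path = [sent[0]]
    while True:
        issuer = path[-1]["issuer"]
        anchor, nxt = find(store, issuer), find(sent[1:], issuer)
        # trusted_first stops at the first issuer found in the local store;
        # the legacy order keeps following server-sent certs while it can.
        if anchor and (trusted_first or nxt is None):
            return path + [anchor]
        if nxt is None or nxt in path:
            break
        path.append(nxt)
    # Legacy fallback: the sent chain led to no anchor, so back off one
    # cert at a time and look for an alternative issuer in the store.
    while len(path) > 1:
        path.pop()
        anchor = find(store, path[-1]["issuer"])
        if anchor:
            return path + [anchor]
    return None

def verify(sent, store, today, trusted_first=False):
    path = build_path(sent, store, trusted_first)
    if path is None:
        return "unknown issuer"
    expired = [c["subject"] for c in path if c["not_after"] < today]
    return "expired: " + expired[0] if expired else "ok"

TODAY = date(2021, 10, 3)  # date of the first post
```

With a store holding only `DST_ROOT`, `verify(SENT, [DST_ROOT], TODAY)` reports the expired root, which corresponds to the date error in the browser; swapping the store to `[ISRG_SELF]`, or keeping both roots and passing `trusted_first=True`, yields `"ok"`.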
     
Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Oct 3, 2021, 04:40 PM
 
Have you tried switching to Firefox? Firefox utilizes its own certificate store, and not the OS’s. I run FF on a very out-of-date iMac and have not run into any certificate issues.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Oct 3, 2021, 04:55 PM
 
This page has instructions on how to actually replace the certificate. I can’t vouch for it, but lots of people said it worked. The instructions are in the comments, so you’ll want to scroll down until you find the comment by a person named “a”.

https://mjtsai.com/blog/2021/09/24/s...tan-and-older/
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Oct 3, 2021, 05:36 PM
 
From your specs, I believe you have a Mac Pro 3,1 (early 2008) with dual 2.8 GHz.

While Apple only supports it through El Capitan, later OSs can unofficially be installed. Preferably on a separate drive or partition, so your existing install remains available. Use Migration Assistant to import user accounts, apps, and data from your existing install. That way, if anything goes wrong, you can revert to your El Cap instantly.

Sierra patched installation
High Sierra patched installation
Mojave patched installation (requires metal-compatible graphics card, or certain earlier cards)

Read instructions completely before trying, and as usual, be sure you're backed up. Just in case.
     
maccistential  (op)
Fresh-Faced Recruit
Join Date: Jun 2015
Oct 3, 2021, 05:38 PM
 
@Thorzdad, I had indeed been forced to switch to FF the past few days. Despite having now fixed the issue, it's not lost on me that I should consider making such a switch permanently.

Google's lack of privacy -- and just being a monolith unlike any other, scares the hell out of me.

@subego, bless your heart. It worked straight away. Absolutely amazing.

Many years ago, I was a frequent visitor to MacWorld Forums, where I learned so much. I found there was quick turn-around after I would post, and I found the forum interface to be enticing (arguably even more so than the MacNN ones).

Having said that, I am so impressed by how quickly and generously the two of you have responded, and how effective have been both solutions.

It's hard to describe how much I appreciate it. To this day, I'm yet to interact with another tech community that even mildly approaches the helpfulness of the Mac community.
     
maccistential  (op)
Fresh-Faced Recruit
Join Date: Jun 2015
Oct 3, 2021, 06:02 PM
 
@reader50 -- thank you!
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Oct 3, 2021, 06:42 PM
 
Originally Posted by maccistential:
"@subego, bless your heart. It worked straight away. Absolutely amazing."

Fantastic! Glad it worked!
     
   