Kadansky Logo

Personalized Computer Services

(617) 484-6657
Home

Services

How I Work

About

Contact

Resources

Newsletter

NEWSLETTER
Practical Computer Advice
from Martin Kadansky
Volume 15 Issue 10
October 2021
Older Macintosh: Are You Getting Strange Errors Loading Websites? Why It Started 10/1/2021, How to Fix It with an Updated Security Certificate
 
The problem

Starting 10/1/2021, did you suddenly start getting errors when you tried to visit a variety of websites with your older Macintosh, including ones that you had visited before with no problem?
 
You might see these errors while you’re using your web browser, or after you’ve clicked a link in an email, which then opens your browser for you.
 
If so, then keep reading for my advice on how to fix this problem.
 
This particular issue does not affect PCs running Windows 7 and later, but because straightforward information on how to solve this is so difficult to find, if you know someone who has an older Mac, please pass this along to them, or send them the link above.
 
A brief explanation of website security and security certificates
 
When you visit a website, it may be configured to establish a secure connection with your computer. Such a site will have a “security certificate” issued by a trusted Certificate Authority.
 
Your computer came with “root certificates” from many well-known Authorities, which your web browser uses to try to confirm (or reject) the identity of the secure websites that you visit.
 
One very popular nonprofit Certificate Authority is “Let’s Encrypt,” whose free security certificates are used by many websites. One estimate puts that number at 10.3% of all sites on the internet.
 
The problem
 
If you have an older Macintosh running MacOS 10.11.6 or older (i.e., if your Mac was manufactured in 2016 or earlier), one of your root certificates is called “DST Root CA X3” issued by Let’s Encrypt.
 
Unfortunately, that particular root certificate expired on 9/30/2021, which means that when you try to visit any website with a certificate from Let’s Encrypt, that might trigger a security error in your web browser, making it refuse to load that site, even if there’s nothing actually wrong with it. As a result, you may see very confusing errors like:
  • “Your clock is ahead - A private connection to xyz.com can’t be established because your computer’s date and time are incorrect.”
  • “Your connection is not private - Attackers might be trying to steal your information from xyz.com.”
  • “Your connection is not secure - The owner of xyz.com has configured their website improperly.”
  • “Warning: Potential Security Risk Ahead: Firefox detected an issue and did not continue to xyz.com. The website is either misconfigured or your computer clock is set to the wrong time.”
  • “This Connection Is Not Private - This website may be impersonating ‘xyz.com’ to steal your personal or financial information.”
Don’t take these error messages literally. While it’s possible that they’re correct, they could also be misleading and your Mac just needs a new Let’s Encrypt root certificate, especially if these errors began on 10/1/2021.
 
And since your older Mac operating system is no longer supported, Apple (as of this writing) has not released any updates to address this problem.
 
The best solution to try first
 
There is a new Let’s Encrypt root certificate “ISRG Root X1” (from the Internet Security Research Group) which expires on 6/4/2035 and which fixes this problem on MacOS 10.11.6 and older systems. Newer Macintoshes running MacOS 10.12 and later already have this certificate pre-installed.
 
Here’s how to install it into your Macintosh for free:
 
Step 1: Download the new Let’s Encrypt root certificate “ISRG Root X1” file (called “isrgrootx1.der”) using one of these 3 methods in your web browser - Safari, Google Chrome, Mozilla Firefox, Opera, etc.:
If you get an error when you try this, see the next section below for some work-arounds.
 
Step 2: Double-click the “ISRG Root X1.der” file that you just downloaded. You may be able to do that right in your web browser, or you may have to go to your Downloads folder first.
 
Step 3: The “Keychain Access” program should open. Use it to add that certificate to your keychain as follows:
  • On older systems (e.g., 10.6.8) Keychain Access will ask, “Do you want your computer to trust certificates signed by ‘ISRG Root X1’ from now on?” Click “Always Trust.” Then you’ll see “Type your password to make changes to your Certificate Trust Settings.” Enter your user (administrator) password and then click OK (or verify your fingerprint with Touch ID).
  • On somewhat newer systems (e.g., 10.11.6) Keychain Access will open. If it asks, “Do you want to add the certificate(s) from the file ‘isrgrootx1.der’ to a keychain?” then click “Add.” If it doesn’t ask, then it probably already added the certificate.
Step 4: Use Keychain Access to manually “trust” that new certificate:
  • Find that new certificate in your Keychain, either by clicking in the Search field at the top right and typing X1 (that’s the letter “x” plus the digit “1”), or by clicking the “Expires” column title to sort by increasing date and then you’ll see it on “Jun 4, 2035.”
  • Double-click the row with “ISRG Root X1” in the Name column.
  • In the “ISRG Root X1” window that opens, click the “triangle” icon to the left of the word “Trust.”
  • On the row that says, “When using this certificate,” click on “Use System Defaults” (or “Use Custom Settings”) and change it to “Always Trust.”
  • Close that window.
  • You’ll see “Type your password to make changes to your Certificate Trust Settings.” Enter your user password (or use Touch ID) and then click “OK” or “Update Settings.”
  • Click the “Keychain Access” menu at the top left and then click Quit.
Step 5: Go back to your web browser and reload the website giving you an error.
  • If it loads successfully, you’re done!
  • If it still gives you an error, close and reopen your browser and try again.
  • If that doesn’t work and your browser is Firefox version 48, try adding that new certificate into Firefox: Click Firefox->Preferences->Advanced->Certificates->View Certificates->Import..., choose the “ISRG Root X1.der” file that you downloaded, click OK, and then try reloading that website again.
  • If you still get an error, try closing and reopening your browser again.
Unable to download the newer security certificate in Step 1 above
 
If you get an error when you try to download that newer security certificate, here are some suggestions that might bypass that error:
  • Safari: If you see “Safari can’t verify the identity of the website ‘letsencrypt.org’.... Would you like to connect to the website anyway?” click “Continue,” then proceed as above.
  • Chrome: Click “Advanced.” If you see “Proceed to letsencrypt.org (unsafe)” then click that, and then proceed as above. If that doesn’t work, try Firefox if it’s already installed on your Mac.
  • Firefox: On the error screen, click “Advanced.” If you see “Add Exception...” then click that, then click “Confirm Security Exception,” and then proceed as above.
If none of these works, then you’ll probably need to use a newer computer to get that new certificate, or you could ask someone that you know and trust to help. They could download the newer “isrgrootx1.der” root certificate file for you using any of the links in Step 1 above, and then get it to you via email or a flash drive. It doesn’t matter whether they have a Macintosh, a Windows PC, or a Linux machine.
 
Other workarounds and solutions
 
In general, when you encounter a security certificate problem with a website on your older Mac, here are some suggestions to try:
  • Check your Mac’s current date and time. If the date somehow changed to too many years go (or too many years in the future), fix it right away. Otherwise, that wrong system date will probably cause many security certificates to appear to be expired.
  • Your web browser might let you create a “security exception” for that particular site.
  • Download and install a newer root certificate; see above for how to get the newer one from Let’s Encrypt that replaces a popular one that expired on 9/30/2021.
  • Consider upgrading to MacOS 10.12 or newer, but only if your Mac supports it and if you can do that without disrupting your use of your computer. Be sure to thoroughly back up your Mac first as well.
  • Consider getting a new Mac, which will come with the newest MacOS and security certificates.
All security certificates have expiration dates, so even after you install the newer Let’s Encrypt root certificate on your older Macintosh, some other important certificate could expire tomorrow.
 
Examples
 
As of this writing, here are some popular websites that use Let’s Encrypt security certificates:
And here are some sites that (as of this writing) don’t use Let’s Encrypt:
(*) Note that bbc.com and islandcreekoysters.com don’t use Let’s Encrypt on the main part of their secure websites. However, both use the very popular Shopify.com for their online sales, along with an estimated 1.7 million other online merchants in 2021. Since (as of this writing) Shopify uses Let’s Encrypt, many users of older Macintoshes will be unable to buy anything from any of those online merchants.
 
If you own a secure website
 
Here are some additional things to consider if you maintain a secure website, especially if your site uses a Let’s Encrypt certificate:
  • Unlike other types of website errors (page not found, etc.), you can’t help people visiting your site with this problem by creating a custom error page for certificate errors, nor can you look at a log of such failures. The whole point of certificate errors is to prevent users from visiting possibly malicious sites.
  • If your customers can’t load your website because of certificate errors, they might contact you in other ways (phone, email, etc.), but they’re more likely to simply move on. While you can make sure that your site’s certificate is up to date, you can’t directly fix expired root certificates on your customers’ computers.
  • If you have a list of registered users or customers, you could email them about this problem.
  • You could solve this on your end by replacing your Let’s Encrypt certificate with one from a different Certificate Authority that does not cause this problem on all older Macintoshes.
  • If one of your vendors uses Let’s Encrypt (like Shopify), contact them to see if they have a plan to solve this problem. If not, choose a different vendor.
Background
 
Computer security is complicated. The following is a simplified explanation.
 
On the internet, there are two types of websites:
  • Those that use a secure connection (called “HTTPS”) which encrypts the conversation between your computer and that site, and also verifies its identity,
  • And those that don’t, so that conversation is not secure or encrypted, nor does it verify that site’s identity.
HTTPS is a secure communication protocol that takes regular HTTP (Hypertext Transfer Protocol for websites) and combines it with an encryption protocol like SSL (Secure Sockets Layer) or the newer TLS (Transport Layer Security).
 
There are many reasons why a website owner might choose HTTPS:
  • That site may give access to sensitive or confidential information, including banking, investment, retirement accounts, medical records, and other services.
  • That site may ask for sensitive information from you, like your username and password, credit card number, home address, date of birth, Social Security number, etc., including online shopping, government agencies, and family histor.
  • Secure communication between your computer and a website protects your identity and privacy, preventing others from seeing the data that you’re sending to (or receiving from) that site, which could include products you’re viewing or buying, things you’re searching for, messages you’re sending or receiving, and more.
  • This secure connection also verifies the identity of that site, i.e., that it’s not a fake version put up by malicious people.
  • For many of these reasons, back in 2014 Google started giving slightly higher visibility in search results to sites with SSL, so many owners of websites that don’t handle sensitive information have added HTTPS to get that benefit.
  • Recent versions of some web browsers warn you when you load a site that does not have HTTPS.
If you look closely in your web browser, you can tell whether a website is secure by looking for the “https://” prefix, also indicated by a “padlock” icon.
 
In order to make all of this work:
  • Each secure website carries a “security certificate” (or “SSL certificate”) which is a small piece of data issued by a trusted Certificate Authority.
  • Your computer came with many corresponding “root” security certificates from well-known and trusted Certificate Authorities, and more may have been installed later from various updates. Your web browser uses them to validate (or reject) the secure websites that you visit.
  • Every security certificate has both a start date and an expiration date. For security reasons, over the past few years the durations of website certificates have gotten shorter in order to make site owners renew them more often.
Where to go from here
 
To learn more about this topic:
How to contact me:
phone: (617) 484-6657

On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to martin@kadansky.com and I'll add you to the list, or visit http://www.kadansky.com/newsletter

Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter

Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.

Copyright (C) 2021 Kadansky Consulting, Inc. All rights reserved.

I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.

Printer-friendly version

Subscribe to this free newsletter

Go to the Newsletter Archive

 

 

To the Top


All original content copyright © 2002 - 2019 Martin Kadansky

Site designed and developed by and copyright © 2002 - 2007 ozbarron