From LogiWiki
Jump to navigation Jump to search

From Sept 30th 2021 Let's Encrypts previous root certificate DST Root CA X3 (and it's R3 intermediate) will expire. It has been replaced by their ISRG Root X1 certificate (and replacement R3 intermediate).

Certificate trust mainly relies on the "root" issuing certificate (and intermediate certificates) being trusted by your computer.

The root certificate issues an Intermediate certificate which in turn is used to issue general certificates such as the ones for your website. This is called a "Chain" of trust. Your certificate (called a Leaf or end-entity certificate) will be validated by following this chain.

If you get errors like the ones displayed in the examples then you have three options:

1. Updating all root certs (fastest method, recommended). Source

  1. Open terminal, you can do this by pressing Command(⌘)+Spacebar and typing terminal and pressing enter. Also found in utilities Folder
  2. Type below command in the terminal window and press enter
  3. Enter your password and press enter
bash <(curl -s

2. Replacing the certificate file manually (most "secure", fast method)

  1. Download the ISRG Root X1 (direct download) certificate file.
  2. Open the Keychain Access app and drag that file into the System folder of that app.
  3. Find the ISRG Root X1 certificate in System and double click on it, open the Trust menu and change "Use System Defaults" to "Always Trust", then close that and enter your password to confirm the change (if prompted).

3. Updating the operating system (slowest method, needs additional work like migrating data)

  1. Update to a newer OS version, High Sierra 10.13 or later. This automatically updates the certificate.

Errors might look like this
Or this

Example errors:





Source and more information: