Connection not secure, problem with Let's Encrypt: how to fix the DST Root CA X3 certificate that expired on 09/30/2021, remove it manually and install ISRG Root X1. Example on MS Windows 7

If a warning with a red icon appears when you open a site, saying "The connection is not secure, the certificate has expired", the reason may be that the IdenTrust DST Root CA X3 certificate on your device is out of date. This is especially likely on older devices, such as PCs running Windows XP or Windows 7.


On newer devices the certificates are updated or do not need to be, and some older devices, such as some versions of the Android system, simply ignore certificate expiration checks. Even fairly new smart TVs can run into this error if their software developers have not taken care of updating the certificates; in that case a TV firmware update or a manual replacement of the certificates is required. For example, the standard browser on an LG smart TV may refuse to open sites with Let's Encrypt certificates for this reason.

Another problem can occur on systems that use an OpenSSL version older than 1.1.0: all certificates are checked there, and the presence of an expired one fails the connection security check. Note also that some browsers, for example Mozilla Firefox, have their own certificate store and can therefore open sites without errors despite the expired certificate.

All of the above became relevant on 09/30/2021, when the IdenTrust DST Root CA X3 certificate expired. This is a root certificate used to establish secure connections, and it matters most for sites using free Let's Encrypt certificates. These free certificates reference IdenTrust DST Root CA X3 because it is present on most operating systems. Let's Encrypt has its own root certificate, ISRG Root X1, but while the free certificates were gaining popularity it could not quickly make its way into all systems.

How do you fix the expired certificate problem? Remove the old certificate and install the new one. This can be done on devices that allow it, for example on a PC with MS Windows 7.

You will need to download a certificate called ISRG Root X1, preferably only from the official website letsencrypt.org. The certificate has the full name ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) and is available at the following links:

- https://letsencrypt.org/certs/isrgrootx1.der, in DER format;

- https://letsencrypt.org/certs/isrgrootx1.pem, in PEM format.

You may also need a Let's Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3) certificate, available from the links below:

- https://letsencrypt.org/certs/lets-encrypt-r3.der, in DER format;

- https://letsencrypt.org/certs/lets-encrypt-r3.pem, in PEM format.

Installing a certificate is quite simple:

1. Open the downloaded certificate and click "Install certificate".


2. In the certificate import wizard that opens, select "Place all certificates in the following store" and click the "Browse..." button, then select "Trusted Root Certification Authorities".


3. The last step is to click the "Finish" button, which will add the certificate to the device.


Certificates in MS Windows are managed with a dedicated console, which can be launched as follows: press the Win + R key combination, type certmgr.msc, then press Enter.


You will need it to manually remove the expired IdenTrust DST Root CA X3 certificate, and also to confirm that the new certificates were added successfully: they should appear in the "Trusted Root Certification Authorities" section, in the "Certificates" subsection.


There you also need to find the old certificate and delete it.
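
The same check can be scripted. The PowerShell below is an added example, not part of the original article: it reads the CurrentUser and LocalMachine root stores through the .NET X509Store class and reports whether DST Root CA X3 is still present and whether an unexpired ISRG Root X1 is installed. The function name Get-RootCertStatus is hypothetical.

```powershell
# Added example: read-only audit of the Windows root stores after the manual steps.
# Uses the .NET X509Store class, which is also available to PowerShell 2.0 on Windows 7.
# Get-RootCertStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-RootCertStatus {
    param(
        [string[]]$CommonNames = @('DST Root CA X3', 'ISRG Root X1'),
        [string[]]$Locations   = @('CurrentUser', 'LocalMachine')
    )
    $now = Get-Date
    foreach ($location in $Locations) {
        # 'Root' is the store shown as "Trusted Root Certification Authorities".
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
        $store.Open('ReadOnly')   # no write access: nothing is added or removed
        try {
            foreach ($cn in $CommonNames) {
                # A name can occur more than once, so collect every match.
                $hits = @($store.Certificates |
                    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $cn })
                if ($hits.Count -eq 0) {
                    New-Object PSObject -Property @{
                        Store = $location; Name = $cn; Present = $false
                        Expired = $null; NotAfter = $null; Thumbprint = $null }
                }
                foreach ($cert in $hits) {
                    New-Object PSObject -Property @{
                        Store = $location; Name = $cn; Present = $true
                        Expired = ($cert.NotAfter -lt $now)
                        NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
                }
            }
        } finally {
            $store.Close()
        }
    }
}

$status = @(Get-RootCertStatus)
$status | Format-Table Store, Name, Present, Expired, NotAfter, Thumbprint -AutoSize

# State the article aims for: old root gone, new root present and not expired.
$old = @($status | Where-Object { $_.Name -eq 'DST Root CA X3' -and $_.Present })
$new = @($status | Where-Object { $_.Name -eq 'ISRG Root X1' -and $_.Present -and -not $_.Expired })
if ($old.Count -gt 0) { Write-Warning 'DST Root CA X3 is still in a root store.' }
if ($new.Count -eq 0) { Write-Warning 'No unexpired ISRG Root X1 found in a root store.' }
```

The Thumbprint column is the certificate's SHA-1 hash, so it can be compared with a fingerprint obtained from a source you trust before relying on the newly installed root.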


After these steps, you can restart your PC or immediately check the sites that previously failed to open with an SSL error. The sites should open, but opening them may become slightly slower, as each request looks for a new certificate in the store.

Thus, the problem with opening sites is solved by installing a new certificate.
