Older versions of Mac OS have hit a snag in the last month or so, because they’ve failed to update expired root certificates.
The way SSL certificates work is that an organisation that issues them per site, will have a master, or root, certificate. In this case, the issue is with Let’s Encrypt, who look after thousands upon thousands of SSL certificates.
Their root certificate known as DST Root CA X3 expired at the end of September. And was replaced by ISRG Root X1.
Not an issue, the core certificate just updates right? Well, not if you’re on an older version of Mac OS it doesn’t.
Although this change has been known about for years, and ISRG Root X1 is widely adopted, Apple failed to include it in any build before 10.12.1 so any certificates issued by Let’s Encrypt, will automatically be untrusted. Way to go Apple.
1 – The simplest workaround is to use Firefox. Firefox ignores the OS key directory and has it’s own internal one, whereas Safari and Chrome both rely on the OS level keychain.
2 – Update your OS. 10.12.1 is out of support now, so you should probably look at updating anyway if your hardware supports it.
3 – Install the new Root certificate, detailed below
Installing ISRG Root X1
- Download the ISRG certificate from here: http://x1.i.lencr.org/
- Open the Keychain Access app and drag that file into the System folder of that app.
- Find the ISRG Root X1 certificate in System and double click on it, open the Trust menu and change “Use System Defaults” to “Always Trust”, then close that and enter your password to confirm the change (if prompted).
Afraid I can’t supply screenshots, because I don’t have any Apple machines! But if someone follows the process above and sends me screenshots then I’d be happy to include them in the blog
Can the website owner fix this?
Sadly not, it’s purely an OS issue (and specifically, an unsupported OS issue) all supported versions should already have the key installed. There’s nothing the website owners can do about this since the certificates rely on the valid root certificate being installed.
Hope that helps!