What to do if the site does not open "Connection is not private" — "Problem on September 30"

Код машин 1 окт. 2021 г.

Many different electronic devices on September 30, 2021 at 14:01:15 GMT lost the ability to connect to many sites due to the expiration of the digital root certificate IdenTrust DST Root CA X3, which was used to sign certificates issued by the Let's Encrypt center. The problem has affected millions of devices around the world.

An error may occur when trying to connect to the server using encrypted SSL/TLS protocols:

SSL error 0x80090325 The certificate chain was issued by a certificate authority that does not have trust.

Or another similar one that informs about the inability to establish a secure connection. The reason is the expiration of the IdenTrust DST Root CA X3 digital root certificate today, which signed certificates from the popular Let's Encrypt Certification Center (CC). This CC has issued many SSL certificates (for more than 250 million domain names) used on the web on websites, mail servers and other services. Since the certificate is valid no later than September 30, 2021 14:01:15 GMT, after this date, devices and programs can no longer trust it and connections will not be established.

What to do?

There may be problems on some Android devices, so Let's Encrypt recommends Android (Lollipop) users 5.0 install Firefox browser: "For the built-in Android phone browser, the list of trusted root certificates comes from the operating system, which is outdated on these old phones. However, Firefox is currently unique among browsers - it comes with its own list of trusted root certificates."

Windows 7

The first option is to download the certificate file, after downloading, run it (double-click) and click "Install".

The second option, in Windows, you can install the ISRG Root X1 root certificate by running the Certificates snap-in with the command:

mmc /i

and by importing the certificate file into the root certificates of the computer account.

iOS (iPhone and iPad with OS up to version 10)

Download the ISRG Root X1 certificate file to the device.
Go to "Settings" -> "General" -> "pRofiles and Device Management", select the ISRG Root X1 certificate and click "Install".
In Settings" -> "Basic" -> "Certificate Trust", enable "Trust root certificates completely".

Android

Devices with Android OS versions prior to 7.1.1 also do not support the ISRG Root X1 root certificate. However, Let's Encrypt managed to negotiate with IdenTrust on the release of the expired DST Root CA X3 cross-signature for 3 years. Thus, devices even with outdated versions of Android will not report an error until at least 2024. No action is required with them.

To solve the problem, Let's Encrypt has been using the ISRG Root X1 root certificate signature for more than 5 years, valid until 2035. However, devices and operating systems that do not receive certificate chain updates may not have it in the trusted list and will encounter SSL connection errors. List of such software and operating systems:

Android up to version 7.1.1;
Mozilla Firefox up to 50.0;
macOS 10.12.0 and older;
Windows XP (with Service Pack 3);
iOS devices up to iOS 10;
OpenSSL 1.0.2 and below;
Ubuntu up to versions 16.04;
Debian 8 and older.

To restore the ability of an outdated device or software to work, you should update the operating system or add the ISRG Root X1 SSL certificate to the trusted list.