SSL expired root certificate for one client, on some computers but not others

Jeremy L.

1/9/24, 4:40 PM

I'm a non-network pro who has a situation with one of our largest clients. They get the red Certificate Invalid icon, because of an outdated, expired root certificate, even though our certificate is up to date.

It happens only on about half of their computers and not others, despite having the same network, the same computers, and using the same browser as all their coworkers for whom the site does work. They don't have any extensions installed, and they claim to have whitelisted everything we need. Looking at the networking panel, the error does seem to be coming from their connection with our site, and not any third-parties.

This company is known to have really strict security.

Any thoughts about why similar computers on this same network might not be renewing certificates?

154

1 + 4

networking

ssl

Steffen Ullrich

1/9/24, 4:49 PM

Look at the detailed information presented instead of only the "certificate invalid icon" - this will get you a better base for debugging and useful information to google. Look at the certificate trust chain shown for your site and compare it with what you expect it to be - maybe there is some corporate SSL interception w/o properly setting up the clients to trust the firewalls certificate. Check for any extension installed in the clients browsers which might infer. Check if they have the problem only with your site or also with others.

Jeremy L.

1/9/24, 5:23 PM

Thanks @SteffenUllrich. Will do. They have no extensions installed, and say it doesn't happen on any other websites. Unfortunately, we also don't have any other clients with the issue. I'll get the full chain information today.

Steffen Ullrich

1/9/24, 6:15 PM

Also check your own site with [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html) and see if there are any problems reported.

Jeremy L.

1/9/24, 7:34 PM

It is an expired certificate at the root level, for just the affected computers. The certificate is correct on the other computers. I'm going to update the title and details of this ticket.

Score:0

Server

Jeremy L.

1/30/24, 4:22 PM

Half of the computers had an old OS - Yosemite - which has problems w/ Let's Encrypt certificates.

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

+ 1

Greg Askew

1/30/24, 11:08 PM

"Strict security" <> OS X Yosemite. That was end of life five years ago.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: SSL expired root certificate for one client, on some computers but not others

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.