Let’s Encrypt is an open certificate authority that provides free, automated SSL/TLS certificates for over 260 million websites. It is run by the nonprofit Internet Security Research Group (ISRG). When Let’s Encrypt launched in 2015, its own root, ISRG Root X1, was not yet in any trust store, so its certificates chained to IdenTrust’s DST Root CA X3 root through a cross-signature. That DST Root CA X3 certificate expired on September 30, 2021. Newer devices and operating systems ship with ISRG Root X1 and trust Let’s Encrypt certificates directly. Older devices and operating systems, such as Mac OS X 10.11 El Capitan, which no longer receives security updates, do not include ISRG Root X1, so the only path they can build ends in the expired DST Root CA X3, and they display a misleading warning that the website is not secure or not private. For instance, Safari on Mac OS X 10.11 El Capitan gives the following warning when visiting any of the over 260 million websites that use Let’s Encrypt SSL/TLS certificates.
This Connection Is Not Private This website may be impersonating “dreamlight.com” to steal your personal or financial information. You should go back to the previous page.
Clicking the Show Details button and then the “view the certificate” link shows the certificate chain as this client built it: it ends in DST Root CA X3, which expired on September 30, 2021.
Testing the website with an SSL tester such as SSLLabs.com shows that the site itself is fine: the chain the server sends is valid and chains to ISRG Root X1, which has not expired and which current trust stores contain.
What has expired is the old root certificate stored in the obsolete operating system’s trust store, not anything on the web server. The warning is really about a root the client is missing, which is why the fixes below are mostly on the client side.
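To make the client-side nature of the failure concrete, here is an added example (my own script, not part of the original post) that builds a throwaway CA hierarchy with openssl and verifies one site certificate the way three different clients would. The names oldroot, newroot, inter and leaf are hypothetical stand-ins for DST Root CA X3, ISRG Root X1, the Let’s Encrypt intermediate and a site certificate; the chain the “server” presents is the intermediate plus newroot cross-signed by oldroot, which is the shape of Let’s Encrypt’s default chain. Verification is done 30 days into the future so that the short-lived oldroot has expired, mimicking the post-September-2021 situation. It needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the original post. Hypothetical names:
#   oldroot ~ DST Root CA X3 (10-day validity so it is expired at check time)
#   newroot ~ ISRG Root X1   (long-lived; also cross-signed by oldroot)
#   inter   ~ Let's Encrypt intermediate, issued by newroot
#   leaf    ~ the web site's certificate, issued by inter
# Requires openssl 1.1.1 or newer (verify -attime, -no-CAfile).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
Q=/dev/null

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:example.test
EOF

build_chain() {
  cd "$WORK" || return 1
  # Old root: valid only 10 days, so a check dated 30 days out sees it as expired.
  openssl req -config req.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
    -days 10 -subj '/CN=oldroot' -keyout oldroot.key -out oldroot.pem >$Q 2>&1 || return 1
  # New root: self-signed and long-lived.
  openssl req -config req.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj '/CN=newroot' -keyout newroot.key -out newroot.pem >$Q 2>&1 || return 1
  # Cross-sign: same newroot key and subject, but issued by oldroot. This is the
  # extra certificate in the default chain that lets old clients build a path.
  openssl req -config req.cnf -new -key newroot.key -sha256 -subj '/CN=newroot' \
    -out newroot.csr >$Q 2>&1 || return 1
  openssl x509 -req -in newroot.csr -CA oldroot.pem -CAkey oldroot.key -CAcreateserial \
    -days 1825 -sha256 -extfile req.cnf -extensions v3_ca -out newroot-cross.pem >$Q 2>&1 || return 1
  # Intermediate issued by newroot.
  openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 -subj '/CN=inter' \
    -keyout inter.key -out inter.csr >$Q 2>&1 || return 1
  openssl x509 -req -in inter.csr -CA newroot.pem -CAkey newroot.key -CAcreateserial \
    -days 1825 -sha256 -extfile req.cnf -extensions v3_ca -out inter.pem >$Q 2>&1 || return 1
  # Leaf for the site, 90 days like a real Let's Encrypt certificate.
  openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 -subj '/CN=example.test' \
    -keyout leaf.key -out leaf.csr >$Q 2>&1 || return 1
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 90 -sha256 -extfile req.cnf -extensions v3_leaf -out leaf.pem >$Q 2>&1 || return 1
  # What the server sends alongside the leaf: intermediate plus cross-signed root.
  cat inter.pem newroot-cross.pem >served-chain.pem
}

# Evaluate leaf.pem as a client whose trust store is the PEM file $1 would,
# 30 days from now so that oldroot has expired. Echoes OK or FAIL.
verify_as_client() {
  later=$(( $(date +%s) + 30 * 24 * 3600 ))
  if openssl verify -attime "$later" -no-CAfile -no-CApath -CAfile "$1" \
       -untrusted "$WORK/served-chain.pem" "$WORK/leaf.pem" >$Q 2>&1
  then echo OK; else echo FAIL; fi
}

# El Capitan-like client: its store holds only the old root.
old_client() { verify_as_client "$WORK/oldroot.pem"; }
# Current client: its store holds the new root.
new_client() { verify_as_client "$WORK/newroot.pem"; }
# The old client after the new root is added to its store (what an OS update delivers).
patched_client() {
  cat "$WORK/oldroot.pem" "$WORK/newroot.pem" >"$WORK/both.pem"
  verify_as_client "$WORK/both.pem"
}

build_chain && printf 'old client: %s\nnew client: %s\npatched client: %s\n' \
  "$(old_client)" "$(new_client)" "$(patched_client)"
```

Run it with `sh`: the old client fails, the new client passes, and the patched client passes even though the expired oldroot is still in its store, because the verifier prefers the self-signed newroot it trusts over the cross-signed copy in the served chain. That third case is the state macOS 10.12.1 and later ship in. To see the real chain a site sends, use `openssl s_client -connect dreamlight.com:443 -showcerts </dev/null` and read the issuer of the last certificate printed.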
Four Solutions to View Let’s Encrypt Protected Websites on Older Systems Such as Mac OS X 10.11 El Capitan
Here are four solutions that let you view the 260 million-plus Let’s Encrypt protected websites from older systems such as Mac OS X 10.11 El Capitan. [NOTE: Using obsolete versions of operating systems or applications online may expose you to security risks because such systems or applications no longer receive the latest security updates. So use at your own risk.]
- The simplest solution to view a Let’s Encrypt protected website from Mac OS X El Capitan is to tell the browser to trust the certificate of a website that you know and trust. In Safari this is done by clicking the Show Details button and then clicking the “visit this website” link. The exception is bound to the specific certificate, and Let’s Encrypt certificates are renewed at least every 90 days, so expect to repeat this for a site after each renewal. While this is the simplest approach, it is not the best one if the computer is used to visit many websites: each site has to be trusted by hand, the exception switches off certificate validation for that certificate entirely, and a mistake means trusting an untrustworthy site.
- Another relatively simple and somewhat safer solution to view a Let’s Encrypt protected website from Mac OS X El Capitan is to install and use the Firefox browser. Firefox has its own built-in root certificate store, which includes ISRG Root X1, so it works with the 260 million-plus Let’s Encrypt protected websites automatically regardless of what the operating system trusts. Unfortunately the latest Firefox no longer runs on the older operating systems. Mozilla provides easy links to install its latest browser, but it is much harder to find the download link for an older version. So, I have included a link to the last version of Firefox that runs on Mac OS X 10.11 El Capitan. Note that Firefox 78 ESR itself no longer receives security updates, so the caution in the note above applies to it as well.
Download Firefox 78.15.0 ESR for Mac OS X 10.11 El Capitan.
- The safest solution is to upgrade the Mac to the latest version of macOS, or at least to the highest version the Mac supports. macOS 10.12.1 Sierra and later ship with ISRG Root X1 in the system trust store and accept Let’s Encrypt’s chain automatically.
Download Mac OS X 10.12 Sierra from the Mac App Store.
- If you are the administrator of the website in question and have access to install SSL/TLS certificates, you can put the site behind Cloudflare and stop serving the Let’s Encrypt certificate to visitors. Set up a free Cloudflare account, proxy the site’s DNS records through it, and set the SSL/TLS encryption mode to Full (strict). Then generate a Cloudflare Origin CA certificate and copy/paste it into your web host’s server SSL/TLS certificate settings. Two things to keep in mind: the Origin CA certificate only secures the leg between Cloudflare and your server and is trusted by nothing but Cloudflare, so the site must stay proxied; and what visitors actually see is the edge certificate Cloudflare issues for your domain, which can itself come from one of several CAs, Let’s Encrypt among them. Check which CA issued the edge certificate before counting on this to fix older clients.