The root certificate previously used to sign SSL certificates issued by Let's Encrypt just expired. (Ask.MeFi uses them for SSL). I am seeing similar things happen to other people and sites as well. Try updating your browser to make sure it has the new root they are using.
posted by CyberSlug Labs at 3:13 PM on September 30, 2021 [7 favorites]

Hi I am an academic librarian and this expired certificate issue is a huge freaking problem for many of our users. If you cannot update, we have recommended: using Firefox as it has fewer issues; use a private window in whatever browser you have; clear the cache and cookies. These all seem to work for a few windows/sites then you’ll have the issue again and need to do it again.
posted by holyrood at 3:29 PM on September 30, 2021 [9 favorites]

Whenever I have encountered the "Danger Privacy Error" type of screen there has always been a way to disregard the error and proceed.

However, in the past five years or so they have made the bypass very, very un-obvious. Like it doesn't say "CLICK HERE RIGHT NOW TO BYPASS THIS PROTECTION!!!!! THIS IS WHAT YOU WANT TO DO 99.9999% OF THE TIME IN THIS SITUATION!!!!!!".

Instead it has a little non-obvious like something like "More information" or "Details" and then a sub-link of that somewhere allows you to disregard the expired certificate.

I'm all for security and all, but a certificate that expired a day or two ago is 99.9999% of the time just someone who forgot to renew their SSL certificate. In reality the certificate is just as valid as it was yesterday, and proceeding to use it is going to be just as safe.

(Security gurus, please fill me in on the extreme danger of doing so. But I have thought about this quite a bit and haven't been able to come up with even one scenario where trusting the certificate that expired less than 48 hours previous is going to lead to any security issue whatsoever.)

Now, a certificate that expired 6 months or a year ago, or even a few months or a few weeks ago - that's something of a problem because it indicates a site that is no longer being maintained. Still I don't know that it is dangerous at all to go and look at it but I wouldn't be very comfortable putting personal info, credit card numbers, etc, into that kind of system.

But the one that expired a day or two ago? It's undoubtedly a minor screw-up and will be fixed soon enough, but in the meanwhile you can just click around to find the extremely obscure "ignore this error" button and proceed.

Here is an article about the situation. Based on that, it might be something affecting your device (with older operating system etc) rather than the web sites per se.
posted by flug at 3:45 PM on September 30, 2021 [4 favorites]

flug, the chain of Let's Encrypt certificates on this old Chrome/Safari has expired. It needs to be replaced.

lpsguy, you can download the replacement Let's Encrypt root certificates to a phone and then transfer to install on your computer.

Here is where Let's Encrypt's certificates can be downloaded in .per archives, which you can copy from a phone and install on macOS.

Other unpatched vulnerabilities exist in Mac OSX Yosemite which mean I'd suggest adding a newer internet-facing installation and only using your older Yosemite setup unplugged when you're drawing.
posted by k3ninho at 3:51 PM on September 30, 2021 [9 favorites]

Thanks for the update, k3ninho. It looks like it is indeed that a security certificate built into various operating systems dating to 2017 and older has expired, that is the root cause of the problem.

There is a fairly long list of affected systems: Windows < XP SP3, iOS < 10, Android < 7.1.1, macOS < 10.12.1, etc.

• Here is a short summary article.
• A longer summary article.
• All the tech details.

None of those articles have a specific solution for macOS, so thanks for providing that.

One suggestion they do give is to try running FireFox, which apparently has its own certificates and doesn't rely on the OS certificates (that is true for Android but I'm not sure if true for macOS . . . nevertheless something simple you can try).
posted by flug at 4:04 PM on September 30, 2021 [2 favorites]

I just came in here on my phone to ask the same thing and found your question. I did update Chrome and still have the problem. I’m running OS X 10.11.6 and Firefox requires 10.12 or later. So I guess I have to update my OS? Or am I truly fucked since it’s a 2014 MacBook Pro? I am finding this confusing.
posted by HotToddy at 4:14 PM on September 30, 2021

I had the same problem all of a sudden today on my Macbook Pro from early 2015 running OS El Capitan. Updated OS to Big Sur, which took hours, but all is well now.
posted by the_dusty at 4:52 PM on September 30, 2021

HotToddy, try to follow k3ninho's directions.

Your apps and OS share a "root certificate" for each of the major publishers of security certificates. Until you update that, the apps and OS still will be trying to use an expired one. Those directions should get you the new Let's Encrypt "root CA certificate" and that should help.
posted by wenestvedt at 6:45 PM on September 30, 2021 [1 favorite]

HotToddy, the copy of OS X 10.11.6 I have in a virtual machine checked just this week is currently on Firefox 78.14.0esr, it looks like https://www.mozilla.org/en-US/firefox/78.14.0/releasenotes/ will allow you to download a diskimage for installation. lpsguy, another of my virtual machines says that Firefox 78.14.0esr will run on Yosemite, too.
posted by channaher at 7:14 PM on September 30, 2021 [1 favorite]

Thank you both, wenestvedt and channaher, and I apologize if I have threadjacked! I will give your suggestions a try tomorrow (Knob Creek has won the evening) and report back in the hope that it might help someone else.
posted by HotToddy at 7:19 PM on September 30, 2021 [1 favorite]

Data point: this happened to both myself and a work colleague today; I was on Microsoft Edge, he was on Safari on his Mac. Sites which we previously could visit without any issues were getting privacy errors today (a number of museums and art sites for him, and...Metafilter for me). I further learned that I could access Metafilter in an "incognito mode" still, and the problem cleared p altogether by the afternoon.

Mentioning this to reinforce that a) you're not alone, b) it is weird and c) there's at least a couple instances of the problem going away on its own.
posted by EmpressCallipygos at 8:01 PM on September 30, 2021 [1 favorite]

Here are the exact steps needed to install the replacement cert in OS X Yosemite or El Capitan:

1. Download the "ISRG Root X1" isrgrootx1.der replacement Let's Encrypt cert. You'll have to do this on a device other than the one running Yosemite / El Capitan, since the updated cert is on a site that is inaccessible to browsers that rely on the old cert.
2. Copy isrgrootx1.der to the Mac running the old version of Mac OS.
3. Open the "Keychain Access" application. It is in the Utilities folder inside the Applications folder.
4. From the "File" menu choose "Import Items".
5. Navigate to the isrgrootx1.der file and select it. In the "Destination Keychain" pop-up menu, choose the "System" keychain, then click "Open". Enter your administrator password if prompted.
6. Select the "System" keychain in the "Keychains" section of the Keychain Access window.
7. Find the "ISRG Root X1" cert in the "System" keychain list and double-click on it.
8. Click the disclosure triangle to expand the "Trust" section. Under "When using this certificate" select "Always Trust". Close the window. You may need to enter your administrator password.
9. Safari should immediately start working, although you may need to reload open pages. You may need to quit and re-open other browsers. It's probably best to just restart.

posted by RichardP at 8:03 PM on September 30, 2021 [14 favorites]

This thread is closed to new comments.