SSL Certificate Expired Warnings?

julio 2021-10-01 02:06:44 UTC #1

Are you, or are you not, having issues with expired SSL Certificate warnings when connecting to philliesphans?

Yes - on a Macintosh
Yes - on Windows
Yes - on a Linux machine
Yes - on iOS
Yes - on Android
No - on a Macintosh
No - on Windows
No - on a Linux machine
No - on iOS
No - on Android

0voters

Choose up to 5 options

Votes are public.

If you voted "Yes" on any of the above, it would help greatly if you post some system details below; e.g., operating system and version, browser or browsers having the problem, etc. Thanks! Don't be shy - the more info we have, the better!

flyers19rw 2021-10-01 02:19:22 UTC #2

Having issues on Safari since it’s latest update

julio 2021-10-01 02:28:56 UTC #3

OK... What version of Safari? What version of MacOS? What hardware? I'm using Version 15.0 (16612.1.29.41.4, 16612) without a problem, on MacOS 11.6 (Big Sur) on an M1 Mac Mini. (That's what I'm using right now, although I usually use Chrome.)

Also... is your computer date set correctly? I can easily force an "expired cert" message - if I manually force the computer to think it's November 30th.

flyers19rw 2021-10-01 02:44:33 UTC #4

OS 11.6. Safari 15 on a Macbook pro. (just updated to 11.6) I have no issues on my iPad or iPhone. My date is current.

julio 2021-10-01 03:44:35 UTC #5

Hmm. Same as mine. There should be a lock in the navigation bar, just to the left of "philliesphans.com."

Click on the lock, then click on "Show Certificate." You should see this:

What warning do you get - and when?

schillingfan 2021-10-01 03:55:58 UTC #6

I’m on Safari on an iPad. No problems.

Jeff05 2021-10-01 04:27:59 UTC #7

Yeah, no problems at my end with Windows 10 (using google) or Android (using Vivaldi). No problems, either, when I use Firefox / Duck Duck Go.

I'd read just before the issue broke that it would only affect pre-2017 machines - can't find or vouch for the accuracy of the article.

Sabin 2021-10-01 05:51:37 UTC #8

I'm getting the error messages. Using Chrome (Version 94.0.4606.71) on a MacBook Pro (Intel Core i7) running OS X El Capitan (Version 10.11.6).

But I've tried using Safari on this, and both Chrome and Safari on my iPad and get the same messages.

Sabin 2021-10-01 08:43:17 UTC #9

Think I found the fix - it worked for me at least. Seems Let's Encrypt's root certificate (DST Root CA X3) expired Thursday morning. While many newer computers/operating systems were pulling in updated certificates, those a little older (my MacBook and iPad, despite running just fine, are somehow five years old now) faced an increased chance these automatic updates would not be applied.

So after some rooting around of my own on the internet (made more extensive due to many links regarding the issue were themselves difficult to access with the expired certificate), I found one that concisely addresses the issue and provides the fix:

This was me after it worked:

[ ]()

julio 2021-10-01 16:09:01 UTC #10

Yeah, my researches late (relatively!) last evening said that MacOS versions prior to 10.12 would have the problem. Are you constrained to stay on 10.11.6?

Hmmm. We have an older (waaayy older) iMac in the family room. I'll have to check to see what OS version is running on it - I rarely use it any more (I used to use it occasionally, because that's where our scanner lives, and my wife uses it frequently for that purpose - but I've taken to just unplugging the scanner and plugging it in to my laptop when I need a scan).

So...If you have older hardware, running older system versions, you may have a problem. I found a site that provides a summary list:

Windows: versions older than Windows XP SP3
macOS: versions older than MacOS 10.12.1
Ubuntu Linux: versions older than 16.04
Debian Linux: versions older than 8
iOS: versions older than iOS 10 (iPhone 5 is the lowest model that can get to iOS 10)
Android: versions older than 7.1.1 (but 2.3.6 or newer will work if served ISRG Root X1 cross-sign - whatever that means!)

Thanks to Sabin for finding a patch for those of you with older systems! If you're running one of these older OS versions, and you can upgrade, you probably should (you'll have things crop up other than just philliesphans access); but if your hardware (or some essential legacy software) won't permit that, then patching in a cert may be your best option.

kikutaro 2021-10-01 17:13:38 UTC #11

Thanks for tracking this down Julio. I'm using a Raspberry Pi, so I should be able to get the GDT back running now

Sabin 2021-10-01 18:22:06 UTC #12

That actually appears to be a silver lining out of this. I 'assumed' that I would be pinged with MacOS updates that were compatible and ready for download, but never recall seeing any. After investigating, my laptop looks to easily clear the bar for requirements to the latest version, so I'll be updating to Big Sur this afternoon (Monterey still in beta).

julio 2021-10-01 23:00:06 UTC #13

I’ve been on Big Sur since February, after some initial trepidation about migrating to the Mac Mini’s ARM architecture. As it happens, I’ve had zero issues - a few things just run automatically in the Rosetta (x86 emulation) layer. No problems at all - and massively improved performance (I was using a 2012 MacBook Air with an external monitor and keyboard/mouse).

I won’t suggest that everybody should upgrade all the time to the latest and greatest… there’s a case to be made for waiting a bit, letting major upgrades shake off any bugs. But once it’s clear things are solid - and assuming one doesn’t have legacy software that doesn’t work in a newer OS - there’s little reason not to upgrade, and lots of benefits.

kikutaro - thanks for the kind words - but note that Sabin tracked down the patch solutions, not I. I’ve applied those patch certificates to our iMac (mid-2007 model) this afternoon, and they worked as advertised.

Sabin 2021-10-02 05:41:56 UTC #14

Yeah, sometimes it seems wise to upgrade to the latest and greatest... v1.3, perhaps even 2.0.

Good to hear about Big Sur. The upgrade mine is making is quite the step - installation completion is currently sitting at t minus 35 hours and change.

Sabin 2021-10-02 07:59:01 UTC #15

Well, that was a quick 35 hours. Thirty minutes or so after making the post above I got the message that the install was ready to complete. Clicked to proceed and twenty minutes and a few restarts later, we're good to go.

Would have been a nice feature for some of the more extreme offensive-slump games this year. "We head to the bottom of the fourth where it's... now time for the Comcast postgame report, let's send it back to the studio."