UPDATE
Through certlm.msc I put into the untrusted ones both "R3" (expired yesterday) and "DST Root CA X3" (expiring today), rebooted the server, but the problem in Chrome on Windows 7 still persists.
CodePudding user response:
There are many posts from today on community.letsencrypt.org for this topic.
From my side, I can confirm that I personally also own a Chrome on Windows 7 device and it's broken as of this moment. Meaning, when trying to access any website which uses Let's Encrypt certificates (stackoverflow.com uses them, but there are many, many such websites), a big red "not secure" banner is displayed instead by your web browser, preventing you from visiting all such sites. I do not have the device with me at this moment to double-check, but I did try other browsers a few hours ago and it is a possibility that all web browsers on Windows 7 are broken, starting today. I saw some info in mass media from the past days, but none of them mentioned Windows 7; they only mentioned that Windows XP gets broken. (Example: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry ; I found many more, but none mentioning Windows 7.)
stackoverflow.com uses Let's Encrypt certificates as well. If you are able to see this (or the stackoverflow.com homepage) with your old device, without somehow working around a big red "not secure" banner shown by your browser, then I guess your old device is fine and not affected.
I am not sure how many Chrome on Windows 7 people are still there in the world (it would certainly be nice to find some relatively reliable info on this; I did not find anything so far, dare I guess millions?). But I guess it is a no-go for all of them to go and use what was suggested already by Nils Hamerlinck. Also, Chrome on Windows 7 might be a big group, I guess, but certainly not the only one affected.
aa) Are you aware of any other options to solve this than what Nils Hamerlinck already suggested?
bb) Are you aware of any (reasonably reliable) info sources on which different devices/device groups are broken/affected?
cc) Are you aware of any (reasonably reliable) sources for guessing how many people are still actively using such devices?
Edit:
For aa) - options to solve:
As mentioned by some sources (for example https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/537 ), 'if you are on Windows 7, then use Firefox instead of Chrome' might possibly be a solution for some people. (My layman guess is that a significant part of those up-to-40-million affected people might go this way in the long term.)
I did not check this myself yet, but some sites, for example this one,
https://docs.microsoft.com/en-us/answers/questions/202270/how-to-enable-the-34automatic-root-certificates-up.html ,
seem to suggest that some 'automatic root certificates update' feature is supposed to exist on Windows 7. I am not sure yet how it works, or how to turn it on. It might also be too complicated for a non-technical person, but I don't know yet; I'll try to check this later.
One version of the future is that many people will just notice, like, 'ah, this old device somehow got broken eventually', and will throw the old device away in the trash. (Assuming those people own some newer device as an alternative. Dare I say that this might be the preferred version of the future for some stakeholders?)
For bb) - affected device groups:
There is one source from Let's Encrypt on this,
https://letsencrypt.org/docs/certificate-compatibility/ .
On the Windows 7 topic, it does say that, with the 'automatic root certificates update' feature enabled, it is supposed to not be broken (I am not sure yet what to think about this).
There are some sightings on the Apple support forum (for example https://discussions.apple.com/thread/253203934 ). It might be that, in addition to the 'Chrome on Windows 7' group, devices with older macOS versions might be another significant affected group.
For cc) - people count:
One source,
https://analytics.wikimedia.org/dashboards/browsers/#all-sites-by-os ,
says that 2.3% of wikipedia.org (and sister sites) visitors use Windows 7, as of 19-Sep-2021. (For comparison: Windows 10 is listed there as 23%; in other words, 1 in every 10 Windows machines is still on Windows 7 as of today, Sep-2021.) Another source, https://stats.wikimedia.org/#/all-wikipedia-projects/reading/unique-devices/normal|line|2-year|(access-site)~mobile-site*desktop-site|monthly , says that 1.7 billion unique devices visited wikipedia.org in Aug-2021. Multiplying those two numbers gives circa 40 million Windows 7 devices being actively used as of today (Sep-2021). (Funny, if all those really got broken today, suddenly, and no one cares.)
There is a Yahoo article, https://www.yahoo.com/news/internet-goes-down-millions-tech-021400230.html . This is the first mass media article I am aware of which is openly and publicly stating that 'millions of people were affected'.
Also, the topic is at this moment #5 on news.google.com in the tech section (01-Oct-2021 15:30 UTC).
CodePudding user response:
On Windows 7 or 10, you need to both:
- first remove the expired certs manually:
  - Windows > Run > certmgr.msc
  - Find: "DST Root CA X3"
  - Remove the 3 expired ones
- manually install the new cert:
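Added example, not part of the answer above and not a continuation of its last step: a read-only PowerShell inventory for the "find the expired ones" step. It lists every copy of the two certificate names mentioned on this page across the trusted, intermediate and untrusted stores, so you can see what is still present before and after any manual change. The choice of stores and the output columns are assumptions of this example.

```powershell
# Added example: read-only, changes nothing in the certificate stores.
# Names searched for are the two mentioned on this page.
$names  = @('DST Root CA X3', 'R3')

# Root = trusted roots, CA = intermediates, Disallowed = the "untrusted" store.
# LocalMachine is what certlm.msc shows; CurrentUser is what certmgr.msc shows.
$stores = @('Root', 'CA', 'Disallowed')
$scopes = @('LocalMachine', 'CurrentUser')
$now    = Get-Date

$found = foreach ($scope in $scopes) {
    foreach ($store in $stores) {
        $path = "Cert:\$scope\$store"
        if (-not (Test-Path $path)) { continue }

        foreach ($cert in Get-ChildItem $path) {
            # Compare the subject's simple name exactly, so 'R3' does not
            # match unrelated certificates that merely contain that text.
            $cn = $cert.GetNameInfo('SimpleName', $false)
            if ($names -contains $cn) {
                New-Object PSObject -Property @{
                    Store      = "$scope\$store"
                    Subject    = $cn
                    Issuer     = $cert.GetNameInfo('SimpleName', $true)
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt $now)
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

if ($found) {
    # Several rows with the same Subject but different Thumbprint/NotAfter are
    # distinct certificates; compare thumbprints before removing anything.
    $found | Sort-Object Store, NotAfter |
        Format-Table Store, Subject, Issuer, NotAfter, Expired, Thumbprint -AutoSize
} else {
    Write-Output 'No matching certificates found in the checked stores.'
}
```

A row under `Disallowed` means that copy is explicitly distrusted; a row with `Expired = True` under `Root` or `CA` is an expired copy still sitting in a trusted store.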