Google Chrome browser - "Your Clock is Ahead" error message

googler

debitcardmayhem said:

Maybe this https://community.letsencrypt.org/t/production-chain-changes/150739 or this https://www.theregister.com/2021/09/30/lets_encrypt_xero_slack_outages/

You probably have an expired root certificate in your certificate store

For info for anyone following in my footsteps; the story so far 
From the link above;
"Let's Encrypt warned "older devices" will need 'a prod' to catch up with and trust the latest foundational certs."
The 'prod' links to https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/703 , which is a "Help thread for DST Root CA X3 expiration (September 2021)", albeit with a focus on Android.
""IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3.", if that root is expiring in Sep 2021."
If I understand this, then I should select/install ISRG Root X1 to be OK for the next  3 years.,,
I then found, by googling; https://superuser.com/questions/1679135/dst-root-ca-x3-expiration-on-windows7-which-update-i-need-to-install-are-there , which discusses "DST Root CA X3 expiration on Windows7. Which update I need to install? Are there workarounds?"
Therein - "Press Win+R, open inetcpl.cpl, select the "Content" tab, select the "Certificates" button, select "Trusted Root Certification Authorities" tab, select "DST Root CA X3" certificate and view its expiration date. On my system, it is September 30, 2021."
and 

"How to fix it
For most users this will likely happen automatically, through the "Automatic Root Certificates Update" feature, as soon as they visit an affected website for the first time. (For example, I just booted up a Windows 7 VM and visited one such site – while the first visit displayed an expiration error, the second did not, and "ISRG Root X1" appeared in certmgr.msc on its own.)
As of Windows 7 (or Vista?), this feature isn't part of Windows Update (the roots are downloaded on demand, they are not distributed as a standard update package), but I'm guessing you may have disabled it as well. In that case, download the ISRG Root X1 certificate from LE's website and manually import it to the machine-wide Trusted Roots store."

A CMD line method is shown - "certutil -ent -addstore Root isrgrootx1.der" which fails due to the absence of certutil on my machine. Attempts to download this from Microsoft suggest that it can only be installed in Windows Servers, not on Windows Home.

The download page lists;


    Self-signed: der, pem, txt    Cross-signed by DST Root CA X3: der, pem, txt
I click on the self-signed "der" and it brings up a dialog box "Already Installed"
The cross-signed brings up a dialog box asking me if I'm SURE I want to download it, I go ahead, and it appears to download, with no indication of where it has downloaded to.....

I try to download it again, and get the Already Installed msg.

The GUI equivalent of the CMD above shows the Certificate Import Wizard, and I've found my way to this on my machine with "Win+R, open inetcpl.cpl"; so I try to import the certificate with filename "isrgrootx1.der" and get "File not Found" .....

Grrrr ...

googler

OnlyTheBestWillDo said:

Try navigating to https://valid-isrgrootx1.letsencrypt.org/ via Google Chrome to see if that helps.

All that gets me is the "Your Clock is Ahead" message.... will try with FF

googler

GDB2222 said:

googler said:

steviebabes said:

I think you will find the problem is Win XP!

... yet all was fine until a few days ago. Something changed about Win XP a few days ago?

No, nothing was fine a few days ago! You were  running an out of date, insecure computer. 

Which worked. Until the expiry date of something that someone else set to expire on that date. On the face of it, without announcement or forewarning

debitcardmayhem

googler said:

GDB2222 said:

googler said:

steviebabes said:

I think you will find the problem is Win XP!

... yet all was fine until a few days ago. Something changed about Win XP a few days ago?

No, nothing was fine a few days ago! You were  running an out of date, insecure computer. 

Which worked. Until the expiry date of something that someone else set to expire on that date. On the face of it, without announcement or forewarning

Certificates are meant to expire, and hopefully get  re-issued, but hey good luck when you come across sites that use revoked certificates

AstonSmith

Technology and computers are always changing. When you stand still by using old, unsupported software, you end up with problems like this.

The longer you stay put, the more problems you'll have as time moves forward.

Anyway. I have checked in a Windows XP virtual machine with the final XP-compatible Google Chrome. I installed the self-signed certificate (isrgrootx1.der), opened the testing URL mentioned by @OnlyTheBestWillDo and it successfully loaded. In other words, it is possible to make this work in Windows XP.

googler said:

I click on the self-signed "der" and it brings up a dialog box "Already Installed"
The cross-signed brings up a dialog box asking me if I'm SURE I want to download it, I go ahead, and it appears to download, with no indication of where it has downloaded to.....

I try to download it again, and get the Already Installed msg.

The GUI equivalent of the CMD above shows the Certificate Import Wizard, and I've found my way to this on my machine with "Win+R, open inetcpl.cpl"; so I try to import the certificate with filename "isrgrootx1.der" and get "File not Found" ....

I don't know what you are doing, but even if you already had the certificate installed (which I don't think you do), it won't say "already installed" when you double-click it. It'll say something along the lines of, "this certificate is a root certificate for signing (things)", etc. So let's start from the top.

Visit the Let's Encrypt certificates page - https://letsencrypt.org/certificates/

Right-click on the ISRG Root X1 self-signed .der link (isrgrootx1.der) and choose "Save Link As..."

Save the file onto your desktop.

Double-click on the certificate on your desktop.

Click "Install Certificate".

Follow the wizard by pressing "Next" until "Finish". Do not change any options.

Close the certificate window, and close Google Chrome.

Re-open Chrome and try viewing the test URL again.

If you get stuck, please state exactly where and exactly what the problem is. Error messages should be copied word-for-word.

googler

Maybe Let's Encrypt should be clearer about their download process, because I was single left-clicking, expecting the link to 'do the download'. When I got the dialog boxes in return, it appeared that was the correct action. 

Maybe they think it's obvious that one should right-click and select Save as ... clearly you're tuned in to what they expect  ..... however

==================================================================

Double-click on the certificate on your desktop.

 - (that opens an "Open File - Security Warning" dialog box, I click open, and ... )

Click "Install Certificate".

Follow the wizard by pressing "Next" until "Finish". Do not change any options.

 - (The last one is a security warning, with a thumbprint (sha1), and advice to check, but I'm feeling brave, so....) 

- (I get an "Import successful" dialog box)

Close the certificate window, and close Google Chrome.

Re-open Chrome and try viewing the test URL again.

===================================================

That's done it. The test page opens successfully, and the pages that were failing have now loaded successfully.

I thank you profusely. 

Again, I thank you profusely.