Expired DST Root CA X3 and LetsEncrypt
As of September 30, 2021, the DST Root CA X3 certificate used in the DST Root for Let's Encrypt trust chain will expire, making it impossible for applications that don't recognize the new ISRG Root X1 for security checks when accessing sites that use Let's Encrypt.
The details of this issue can be found in the following Let's Encrypt post: DST Root CA X3 Expiration
You do not need to worry because most website visitors will automatically accept ISRG Root X1 and will still access it normally, but there will be some cases when accessing will encounter errors related to secure connection. password as below:
Kết nối của bạn không phải là kết nối riêng tư
Những kẻ tấn công có thể đang cố gắng đánh cắp thông tin của bạn từ website (ví dụ: mật khẩu, thư hoặc thẻ tín dụng). Tìm hiểu thêm
NET::ERR_CERT_DATE_INVALID
Instructions for handling expired DST Root CA X3 and LetsEncrypt:
Method 1:
If you use Firefox you just update the browser and will be able to access it again. The reason is that browsers (Chrome, Safari, Edge, Opera) often trust root certificates as the operating system they're running on. Firefox is the exception: it has its own repository of root certificates. So if you use browsers other than firefox you will need
Method 2:
update your operating system to the latest version, details of browsers and operating systems that support ISRG Root X you can see more here
For Windows users: You can access in your browser to the following address: https://valid-isrgrootx1.letsencrypt.org/ which will prompt Windows to automatically include ISRG Root X1 in its root CA.
For macOS, iOS, etc: they keep the expired CA so you can try resetting the devices then try accessing again.
Method 3:
If for some reason related to system and security you cannot update the device to the latest version. You can sign up for a paid SSL other than letsenscrypt to completely fix this error. You can register for a paid SSL at the following link and submit a support request for technical support to install quickly and compatible with most devices: https://tinohost.com/ssl
Platforms that trust ISRG Root X1
Windows >= XP SP3 (assuming Automatic Root Certificate Update isn’t manually disabled)
macOS> = 10.12.1
iOS >= 10 (iOS 9 does not include it)
iPhone 5 and above can upgrade to iOS 10 and can thus trust ISRG Root X1
Android >= 7.1.1 (but Android >= 2.3.6 will work by default due to our special cross-sign)
Mozilla Firefox >= 50.0
Ubuntu >= xenial / 16.04 (with updates applied)
Debian >= jessie / 8 (with updates applied)
Java 8 >= 8u141
Java 7 >= 7u151
NSS >= 3.26
Platforms that trust DST Root CA X3
Windows >= XP SP3
macOS (most versions)
iOS (most versions)
Android >= v2.3.6
Mozilla Firefox >= v2.0
Ubuntu> = precise / 12.04
Debian >= squeeze / 6
Java 8 >= 8u101
Java 7 >= 7u111
NSS> = v3.11.9
Amazon FireOS (Silk Browser)
Cyanogen > v10
Jolla Sailfish OS > v1.1.2.16
Kindle > v3.4.1
Blackberry >= 10.3.3
PS4 game console with firmware >= 5.00
Known Incompatible
Blackberry < v10.3.3
Android < v2.3.6
Nintendo 3DS
Windows XP prior to SP3
cannot handle SHA-2 signed certificates
Java 7 < 7u111
Java 8 < 8u101
Windows Live Mail (2012 mail client, not webmail)
cannot handle certificates without a CRL
PS3 game console
PS4 game console with firmware < 5.00