Gil Desmarais


Fixing NET::ERR_CERT_INVALID errors on macOS Mojave with Let's Encrypt certificates

Recently a weird problem started occurring to me when browsing the web with Safari or Chrome[1]. These browsers refused to load some sites like stackoverflow.com or letsencrypt.org. Safari complained about the certificate not being standards compliant, while Chromium-based browsers showed a completely valid certificate chain.

Safari complaining about a not standards compliant cert

I keep my macOS up to date, scanned it with ClamAV etc., but there was nothing suspicious. So the problem lies somewhere else. There’s a thread on the Let’s Encrypt community forum with someone having the same problem. While the thread is more an investigation of causes, I just wanted my browsers to work as intended.

The workaround

  1. Use Firefox to download the Let’s Encrypt Authority X3 (IdenTrust cross-signed) file directly from letsencrypt.org/certificates/
  2. Remove the .txt extension from the file name, thus renaming it to lets-encrypt-x3-cross-signed.pem.
  3. Open Keychain Access (from /Applications/Utilities)
  4. Select Login in the upper left
  5. Select Certificates in the bottom left
  6. Drag and drop the certificate into the right-hand side of the Keychain Access window.
  7. Right-click the newly added Let’s Encrypt Authority X3 and choose Get Info (selecting it and pressing ⌘+I works fine here, too)
  8. Open the Trust part of the certificate
  9. Select Always trust
  10. Restart macOS.
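
Marking an intermediate as "Always trust" makes everything it signs trusted for that user, so it is worth confirming the downloaded file before step 6. The following is an added example, not part of the original post: a small shell check, run in Terminal, that the file holds exactly one certificate with the expected subject name and SHA-256 fingerprint. It assumes the `openssl` command-line tool is installed; the function names are hypothetical, and the expected fingerprint is a placeholder that has to come from a source other than the download itself.

```shell
# Added example: check a downloaded intermediate before marking it
# "Always trust". Function names are hypothetical; needs the openssl CLI.

# SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalise a fingerprint copied from a web page or another machine:
# drop colons and whitespace, uppercase the hex digits.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ': \n\t' | tr 'a-f' 'A-F'
}

# check_cert FILE EXPECTED_FINGERPRINT EXPECTED_NAME
# Returns 0 only if FILE holds exactly one certificate whose subject contains
# EXPECTED_NAME and whose SHA-256 fingerprint equals EXPECTED_FINGERPRINT.
check_cert() {
    file=$1; expected=$(normalize_fingerprint "$2"); name=$3

    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null || true)
    [ "$count" -eq 1 ] 2>/dev/null ||
        { echo "expected 1 certificate, found ${count:-none}" >&2; return 1; }

    # Show what is about to be trusted.
    openssl x509 -in "$file" -noout -subject -issuer -dates || return 1

    openssl x509 -in "$file" -noout -subject | grep -qF -- "$name" ||
        { echo "subject does not contain: $name" >&2; return 1; }

    actual=$(cert_fingerprint "$file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ] ||
        { echo "fingerprint mismatch, got: $actual" >&2; return 1; }
    echo "fingerprint matches the expected value"
}

# Usage (EXPECTED is a placeholder; obtain the real value out of band):
#   check_cert lets-encrypt-x3-cross-signed.pem "$EXPECTED" "Let's Encrypt Authority X3"
```

Only continue with the Keychain Access steps when `check_cert` returns success; a mismatch means the file is not the certificate you meant to trust.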

What’s the problem?

I’m not 100% sure why macOS renders the system-provided cert invalid.

I assume it has something to do with Apple’s upcoming changes in Extended KeyUsage. However, that change is due with macOS 10.15 (macOS Mojave is 10.14).

[1] Some browsers, like Firefox, do not rely on the system’s certificate management and bring their own. With such a browser you could still browse. Same goes for some command line utilities like cURL.