[Bug]: ERR_CERT_DATE_INVALID when making requests to Let's Encrypt server on macOS 10.11

[quanglam2807]

Preflight Checklist

• I have read the Contributing Guidelines for this project.
• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Electron Version

15.1.2 | 13.5.1

What operating system are you using?

macOS

Operating System Version

macOS 10.11.6

What arch are you using?

x64

Last Known Working Electron version

Expected Behavior

Able to make requests to URL with Let's Encrypt certificate.

Actual Behavior

Unable to make requests to URL with Let's Encrypt certificate.

Testcase Gist URL

const fetch = require('electron-fetch').default;

fetch('https://webcatalog.io/webcatalog/juli/releases/latest.json')
  .then(console.log)
  .catch(console.log);

WebCatalog (with Electron 13.5.1): https://github.com/webcatalog/webcatalog-app/releases/tag/v37.3.1
WebCatalog (with Electron 15.1.2): https://github.com/webcatalog/webcatalog-app/releases/tag/v38.0.1

Additional Information

I couldn't reproduce the problem on my MacBook Pro (13-inch, M1, 2020, macOS 11.6) but at least two users have reported the problem. Both users are running older versions of macOS (not Big Sur, one specifies 10.11.6).

I have provided two versions to the users for testing, one built with 15.1.2 (which includes #31221) and one built with 13.5.1 (which includes #31213). And both have the same problem.

I'm not sure if this is related to recent fixes as the error message is ERR_CERT_DATE_INVALID, not certificate has expired.

[quanglam2807]

NET::ERR_CERT_DATE_INVALID is Chrome's equivalent of certificate has expired. Since electron-fetch use electron net module, it shows Chrome error code. Could it this happen because of caching?

[quanglam2807]

Found the problem. macOS 10.11 and older doesn't support ISRG Root X1 root certificate but Electron does support macOS 10.11. So I thought Electron is packaged with a list of trusted certificates so it doesn't rely on macOS? Or am I wrong?

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
https://letsencrypt.org/docs/certificate-compatibility/

[quanglam2807]

#31221 applies to the patch to Node.js. So maybe, Chrome (net module) doesn't have bundled trusted certificate list but uses macOS one?

[quanglam2807]

https://community.letsencrypt.org/t/certificates-are-not-trusted-on-chrome-and-safari-on-old-imac-with-el-capitan/161231
https://support.apple.com/en-us/HT205204

[kerattila]

Have you tried out updating to latest Electron version? See: #31212

[quanglam2807]

@kerattila Yes, but as I mentioned above, this is different. This problem only affects macOS 10.11. This affects not only Electron, but also Chromium/Chrome upstream.

It will only happens if:

• You are running macOS 10.11 or older.
• You make requests through Electron net module, not with Node.js http and https module. Or if you try to access websites using Let's Encrypt.

Node.js uses bundled root certs list (https://github.com/nodejs/node/blob/master/src/node_root_certs.h) while Chromium uses the one packaged with the OS. As as macOS 10.11 no longer receives updates from Apple, it doesn't have the latest root certs.

[deepak1556]

As you have mentioned @quanglam2807 chromium network stack does rely on the trust store from the OS, I would recommend to guide your users on 10.11 to attempt the workaround mentioned in #31368 (comment) by manually installing the alternative root ISRG Root X1 on their system.