- Update for Let's Encrypt Certificates on BB10
Follow the steps below to add Let's Encrypt certificate compatibility to the native browser on your BB10 handset.
There are two ways to do this: one involves exporting the certificate from Mozilla Firefox. The other involves downloading the certificate directly from Let's Encrypt's website.
Update: skip to step 7. Chances are that you have the ISRG Root X1 already and step 7 will fix the problem. Thanks to @lolo9269.
Method 1: Firefox Certificate Export
You need Mozilla Firefox on a regular computer to get the certificates. I guess you might be able to do this from Firefox on a mobile device, but I'm not sure.
Here are the steps:
- In Firefox, go to the hamburger menu at the top right > Select "Preferences" > "Privacy and Security". Scroll to the bottom of the page and select "View Certificates".
- Scroll down to the "Internet Security Research Group" section.
- Select "ISRG Root X1". Press export. Save the file.
- Rename the file, changing the extension from .crt to .pem
- Email the file to your phone. Save it to your downloads folder (or somewhere else in internal storage. I'm not sure this will work from the SD card).
- On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
- Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box. You could probably also delete the certificate, but I haven't done that, so I'm not sure.
You should now be able to visit sites using the newer Let's Encrypt certificates. I've tested two sites (canac.ca and inews.co.uk) that were reported as not working in another thread.
Edit: it turns out that you don't need the "Let's Encrypt Authority X3" certificate, so I removed that step. Thanks @fergusd
Method 2: Direct Download from Let's Encrypt (Thanks to @BeerBear for this method!)
- Download the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ as a pem file. You could use an alternative browser like the PaperBird Beta browser to download the file directly into the download folder on your BB10 device. Or you could download the certificate on another device and transfer it over to your BB10 smartphone.
- On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
- Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.
Last edited by Shuswap; 10-09-21 at 10:09 PM.
10-03-21 02:00 PMLike 6 -
-
- Update for Let's Encrypt Certificates on BB10
You need Mozilla Firefox on a regular computer to get the certificates. I guess you might be able to do this from Firefox on a mobile device, but I'm not sure.
Here are the steps:
- In Firefox, go to the hamburger menu at the top right > Select "Preferences" > "Privacy and Security". Scroll to the bottom of the page and select "View Certificates".
- Scroll down to the "Internet Security Research Group" section.
- Select "ISRG Root X1". Press export. Save the file.
- Rename the file, changing the extension from .crt to .pem
- Email the file to your phone. Save it to your downloads folder (or somewhere else in internal storage. I'm not sure this will work from the SD card).
- On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
- Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box. You could probably also delete the certificate, but I haven't done that, so I'm not sure.
You should now be able to visit sites using the newer Let's Encrypt certificates. I've tested two sites (canac.ca and inews.co.uk) that were reported as not working in another thread.
Edit: it turns out that you don't need the "Let's Encrypt Authority X3" certificate, so I removed that step. Thanks @fergusd
rename the file, changing the extension from .crt to .pem ??
Thank you
Posted via CB1010-05-21 10:39 AMLike 0 - I downloaded the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ , as a pem file, into the download folder on my BB10 device. (I used the PaperBird Beta browser for the download, but I assume other browsers work as well.)
What followed then is the same as described by Shuswap in steps 6 and 7 above:
"[...]
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.
[...]"anon(10512033) likes this.10-05-21 10:58 AMLike 1 - I downloaded the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ , as a pem file, into the download folder on my BB10 device. (I used the PaperBird Beta browser for the download, but I assume other browsers work as well.)
What followed then is the same as described by Shuswap in steps 6 and 7 above:
"[...]
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.
[...]"
Posted via CB1010-05-21 11:08 AMLike 0 - I downloaded the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ , as a pem file, into the download folder on my BB10 device. (I used the PaperBird Beta browser for the download, but I assume other browsers work as well.)
What followed then is the same as described by Shuswap in steps 6 and 7 above:
"[...]
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.
[...]"10-05-21 12:39 PMLike 0 - I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.anon(10512033) likes this.10-06-21 04:46 PMLike 1
- I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.
You should set up your windows file explorer so that you can see file name extensions. It's actually more dangerous not to be able to see file types, since you could have one type of malicious file masquerading as another. Here's a set of instructions: https://www.howtogeek.com/205086/beg...le-extensions/10-06-21 06:28 PMLike 0 - I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.
You should set up your windows file explorer so that you can see file name extensions. It's actually more dangerous not to be able to see file types, since you could have one type of malicious file masquerading as another. Here's a set of instructions: https://www.howtogeek.com/205086/beg...le-extensions/
Every version of Windows lets you rename any part of the file, including the extension. But you have to turn on "show file extensions" in the Windows Explorer, because that's turned off by default. Turning that on is one of the first things I do when setting up a new machine, or doing a fresh Windows install.10-06-21 07:04 PMLike 0 - I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.
Posted via CB1010-07-21 01:25 AMLike 0 - I assumed that @7mike9 was able to download the .pem file directly from the website before I was able to respond. So thanks for adding these instructions for anyone else that comes along.
You should set up your windows file explorer so that you can see file name extensions. It's actually more dangerous not to be able to see file types, since you could have one type of malicious file masquerading as another. Here's a set of instructions: https://www.howtogeek.com/205086/beg...le-extensions/
Posted via CB1010-07-21 01:26 AMLike 0 - I was gonna say the same thing.
Every version of Windows lets you rename any part of the file, including the extension. But you have to turn on "show file extensions" in the Windows Explorer, because that's turned off by default. Turning that on is one of the first things I do when setting up a new machine, or doing a fresh Windows install.10-07-21 11:19 AMLike 0 -
-
- Can you explain this last step? Why should it be 'untrusted'? I'm not familiar with the terminology used in these certificates, but it seems to me we should only be using trusted stuff and the whole point of this process is to add new trusted certificates?10-07-21 04:16 PMLike 0
-
Here's what happened: I imported the new certificate and it still didn't work. So then I "turned off" the old certificate by marking it untrusted and everything started to work. The magic of trial and error.
Here's what I think is going on: that DST Root CA X3 is the old Let's Encrypt root certificate. If you leave it as "trusted," it continues to intercept requests for Let's Encrypt certificates and since it is expired, you get an error. If you mark it as untrusted, it becomes inactive, and the certificate request goes to the new, valid certificate that you just imported.
In any case, if the presence of the untrusted certificate bothers you, I'm fairly sure you could just delete it. I didn't recommend deletion because I didn't want to encourage anyone to do anything that might be difficult to reverse.10-07-21 06:45 PMLike 0 - ISRG root X1 is already present on blackberry oS last version 10.3.3
So you don't need import
Lolo69anon(10512033) likes this.10-09-21 02:43 AMLike 1 -
-
-
I unchecked the one named here, did a restart and cleared the cache - that did the trick for me.
Cheers.
Posted via CB1010-13-21 05:27 AMLike 0 - This is not how I solved the ISRG Root X1 certificate problem. How I solved it did not involve downloading certificates.
Instead it involved finding the hidden certificate that recently expired and fixing the Trust checkbox in the BB10 settings:
1) Swipe down to open Settings on BB10 from one of your Home screens (not the Browser).
2)Scroll down to [Security and Privacy] and select it
3)Scroll down to [Certificates] and select it.
4) Search for ISRG ... ISRG Root X1 will show up in the resulting list select it
5) Uncheck the Trusted checkbox
6) go to your browser and go to the site that was previously blocked - it still will be blocked, but under [Certificate Info] it will now show another certificate (that it didn't show when ISRG was checked as trusted). This new Certificate in this case is DST Root CA X3, (it isnt new, it was just hidden). This is an expired certificate and seemed to be causing the problem. It expired Sept 21 2021. Go back to [Settings][Security and Privacy][Certificates] search for DST Root CA X3...select it (you will see the expiry date if you look) then unmark the Trusted checkbox.
7)now search for ISRG certificate again, and select, and now check the checkbox again as Trusted. Voila your website being blocked will stop!! Hurray. Verify this in your browser. I don't think you have to reboot. But if it doesn't work then reboot.
So it seems you have to look at certificate chains in the setting to see if there is a bad ie expired certificate in the chain, if there is it will block you from accessing websites that depend on it.
In my case it was Wikipedia, and it didn't start failing till October 2021 due to the expired but hidden certificate.. Good luck everyone, the Native Browser is good again!Last edited by i_plod_an_dr_void; 10-31-21 at 06:08 AM.
10-31-21 04:37 AMLike 3
- Forum
- BlackBerry 10 Phones & OS
- BlackBerry 10 OS
Let's Encrypt Certificate Update Procedure
« Respectable site - "Site Blocked"
|
Latest perishable applications for BB10 (browsers, social networks ...) »
Similar Threads
-
September Update for key2...
By Phillip st in forum BlackBerry KEY2Replies: 95Last Post: 01-05-22, 06:32 AM -
Killing BB ID and BB Protect before BB support is gone, This procedure?
By EndRacism in forum BlackBerry 10 OSReplies: 9Last Post: 12-05-21, 08:19 AM -
Add new 4G VOIP provider profile to Keyone without updating firmware, e.g. via USB debug?
By Bluebeary in forum BlackBerry KEYoneReplies: 3Last Post: 10-01-21, 04:24 PM -
Has anyone heard of a new Android update for the Key2.
By [email protected] in forum Ask a QuestionReplies: 8Last Post: 09-28-21, 11:44 AM -
New Blackberry (when/if it is released) - Best guess on certification on ATT?
By dobbsa in forum General BlackBerry News, Discussion & RumorsReplies: 3Last Post: 09-21-21, 02:05 PM
LINK TO POST COPIED TO CLIPBOARD