[anon(10512033)]

Update for Let's Encrypt Certificates on BB10

Follow the steps below to add Let's Encrypt certificate compatibility to the native browser on your BB10 handset.

There are two ways to do this: one involves exporting the certificate from Mozilla Firefox. The other involves downloading the certificate directly from Let's Encrypt's website.

Update: skip to step 7. Chances are that you have the ISRG Root X1 already and step 7 will fix the problem. Thanks to @lolo9269.

Method 1: Firefox Certificate Export

You need Mozilla Firefox on a regular computer to get the certificates. I guess you might be able to do this from Firefox on a mobile device, but I'm not sure.

Here are the steps:

1. In Firefox, go to the hamburger menu at the top right > Select "Preferences" > "Privacy and Security". Scroll to the bottom of the page and select "View Certificates".
2. Scroll down to the "Internet Security Research Group" section.
3. Select "ISRG Root X1". Press export. Save the file.
4. Rename the file, changing the extension from .crt to .pem
5. Email the file to your phone. Save it to your downloads folder (or somewhere else in internal storage. I'm not sure this will work from the SD card).
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box. You could probably also delete the certificate, but I haven't done that, so I'm not sure.

You should now be able to visit sites using the newer Let's Encrypt certificates. I've tested two sites (canac.ca and inews.co.uk) that were reported as not working in another thread.

Edit: it turns out that you don't need the "Let's Encrypt Authority X3" certificate, so I removed that step. Thanks @fergusd


Method 2: Direct Download from Let's Encrypt (Thanks to @BeerBear for this method!)

1. Download the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ as a pem file. You could use an alternative browser like the PaperBird Beta browser to download the file directly into the download folder on your BB10 device. Or you could download the certificate on another device and transfer it over to your BB10 smartphone.
2. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
3. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.

[MadMalthus]

THANK YOU for this information...

[bhastings18]

thank you for your help!

[7mike9]

Update for Let's Encrypt Certificates on BB10

You need Mozilla Firefox on a regular computer to get the certificates. I guess you might be able to do this from Firefox on a mobile device, but I'm not sure.

Here are the steps:

1. In Firefox, go to the hamburger menu at the top right > Select "Preferences" > "Privacy and Security". Scroll to the bottom of the page and select "View Certificates".
2. Scroll down to the "Internet Security Research Group" section.
3. Select "ISRG Root X1". Press export. Save the file.
4. Rename the file, changing the extension from .crt to .pem
5. Email the file to your phone. Save it to your downloads folder (or somewhere else in internal storage. I'm not sure this will work from the SD card).
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box. You could probably also delete the certificate, but I haven't done that, so I'm not sure.

You should now be able to visit sites using the newer Let's Encrypt certificates. I've tested two sites (canac.ca and inews.co.uk) that were reported as not working in another thread.

Edit: it turns out that you don't need the "Let's Encrypt Authority X3" certificate, so I removed that step. Thanks @fergusd

Hello Shuswap and thank you for your help. But can you explain me how to
rename the file, changing the extension from .crt to .pem ??
Thank you

Posted via CB10

[BeerBear]

I downloaded the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ , as a pem file, into the download folder on my BB10 device. (I used the PaperBird Beta browser for the download, but I assume other browsers work as well.)

What followed then is the same as described by Shuswap in steps 6 and 7 above:
"[...]
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.
[...]"

[7mike9]

I downloaded the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ , as a pem file, into the download folder on my BB10 device. (I used the PaperBird Beta browser for the download, but I assume other browsers work as well.)

What followed then is the same as described by Shuswap in steps 6 and 7 above:
"[...]
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.
[...]"

Thank you so much!!!

Posted via CB10

[anon(10512033)]

I downloaded the ISRG Root X1 certificate directly from https://letsencrypt.org/certificates/ , as a pem file, into the download folder on my BB10 device. (I used the PaperBird Beta browser for the download, but I assume other browsers work as well.)

What followed then is the same as described by Shuswap in steps 6 and 7 above:
"[...]
6. On the phone, open the folder where you saved the file in your file manager. Tap on the file and complete the import process.
7. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.
[...]"

Nice! Do you mind if I add this method to the top post?

[BeerBear]

Nice! Do you mind if I add this method to the top post?

Of course not, go ahead.

[Paul Sinatra]

Hello Shuswap and thank you for your help. But can you explain me how to
rename the file, changing the extension from .crt to .pem ??
Thank you

Posted via CB10

I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.

[anon(10512033)]

I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.

I assumed that @7mike9 was able to download the .pem file directly from the website before I was able to respond. So thanks for adding these instructions for anyone else that comes along.

You should set up your windows file explorer so that you can see file name extensions. It's actually more dangerous not to be able to see file types, since you could have one type of malicious file masquerading as another. Here's a set of instructions: https://www.howtogeek.com/205086/beg...le-extensions/

[joeldf]

I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.

You should set up your windows file explorer so that you can see file name extensions. It's actually more dangerous not to be able to see file types, since you could have one type of malicious file masquerading as another. Here's a set of instructions: https://www.howtogeek.com/205086/beg...le-extensions/

I was gonna say the same thing.

Every version of Windows lets you rename any part of the file, including the extension. But you have to turn on "show file extensions" in the Windows Explorer, because that's turned off by default. Turning that on is one of the first things I do when setting up a new machine, or doing a fresh Windows install.

[7mike9]

I copied it to my phone(s) then in File manager opened the Properties menu. There is a pencil icon at the bottom, that lets you rename the extension (not accessible on my version of Windows on the hard drive). Ignore the warning, click Done and then the rest of the process should work.

Thank you!!

Posted via CB10

[7mike9]

I assumed that @7mike9 was able to download the .pem file directly from the website before I was able to respond. So thanks for adding these instructions for anyone else that comes along.

You should set up your windows file explorer so that you can see file name extensions. It's actually more dangerous not to be able to see file types, since you could have one type of malicious file masquerading as another. Here's a set of instructions: https://www.howtogeek.com/205086/beg...le-extensions/

Thank you

Posted via CB10

[m3ach]

I was gonna say the same thing.

Every version of Windows lets you rename any part of the file, including the extension. But you have to turn on "show file extensions" in the Windows Explorer, because that's turned off by default. Turning that on is one of the first things I do when setting up a new machine, or doing a fresh Windows install.

I really don’t understand why that isn’t default behaviour for Windows.

[joeldf]

I really don’t understand why that isn’t default behaviour for Windows.

Neither do I. But, hiding extensions has been the default since Win 95. That, and hiding system files and folders. Another thing I change, but I understand that purpose a bit more.

[m3ach]

Neither do I. But, hiding extensions has been the default since Win 95. That, and hiding system files and folders. Another thing I change, but I understand that purpose a bit more.

Agreed, as you say hiding system files does at least make sense!

[EFats]

Update for Let's Encrypt Certificates on BB10

...

1. ...
2. Then go to settings > Security and Privacy > Certificates. Scroll down and select "DST Root CA X3". Uncheck the 'trusted' box.

Can you explain this last step? Why should it be 'untrusted'? I'm not familiar with the terminology used in these certificates, but it seems to me we should only be using trusted stuff and the whole point of this process is to add new trusted certificates?

[anon(10512033)]

Can you explain this last step? Why should it be 'untrusted'? I'm not familiar with the terminology used in these certificates, but it seems to me we should only be using trusted stuff and the whole point of this process is to add new trusted certificates?

Sure. Let me preface this by saying that I have only a minimal knowledge of certificates (derived from setting up Let's Encrypt certificates on my website, email and XMPP servers).

Here's what happened: I imported the new certificate and it still didn't work. So then I "turned off" the old certificate by marking it untrusted and everything started to work. The magic of trial and error.

Here's what I think is going on: that DST Root CA X3 is the old Let's Encrypt root certificate. If you leave it as "trusted," it continues to intercept requests for Let's Encrypt certificates and since it is expired, you get an error. If you mark it as untrusted, it becomes inactive, and the certificate request goes to the new, valid certificate that you just imported.

In any case, if the presence of the untrusted certificate bothers you, I'm fairly sure you could just delete it. I didn't recommend deletion because I didn't want to encourage anyone to do anything that might be difficult to reverse.

[lolo9269]

ISRG root X1 is already present on blackberry oS last version 10.3.3

So you don't need import

Lolo69

[passportowner]

Neither do I. But, hiding extensions has been the default since Win 95. That, and hiding system files and folders. Another thing I change, but I understand that purpose a bit more.

I think this started with W98, but I can be wrong.

[anon(10512033)]

ISRG root X1 is already present on blackberry oS last version 10.3.3

So you don't need import

Lolo69

[Mister Perfect]

ISRG root X1 is already present on blackberry oS last version 10.3.3

So you don't need import

Lolo69

I can confirm that. One of my passports had problems to open youtube.com

I unchecked the one named here, did a restart and cleared the cache - that did the trick for me.

Cheers.

Posted via CB10

[hcaliste]

Just want to add my two cents. Method 2 fixed my issues with the stock browser on my passport. Thanks for the info.

[i_plod_an_dr_void]

This is not how I solved the ISRG Root X1 certificate problem. How I solved it did not involve downloading certificates.
Instead it involved finding the hidden certificate that recently expired and fixing the Trust checkbox in the BB10 settings:
1) Swipe down to open Settings on BB10 from one of your Home screens (not the Browser).
2)Scroll down to [Security and Privacy] and select it
3)Scroll down to [Certificates] and select it.
4) Search for ISRG ... ISRG Root X1 will show up in the resulting list select it
5) Uncheck the Trusted checkbox
6) go to your browser and go to the site that was previously blocked - it still will be blocked, but under [Certificate Info] it will now show another certificate (that it didn't show when ISRG was checked as trusted). This new Certificate in this case is DST Root CA X3, (it isnt new, it was just hidden). This is an expired certificate and seemed to be causing the problem. It expired Sept 21 2021. Go back to [Settings][Security and Privacy][Certificates] search for DST Root CA X3...select it (you will see the expiry date if you look) then unmark the Trusted checkbox.

7)now search for ISRG certificate again, and select, and now check the checkbox again as Trusted. Voila your website being blocked will stop!! Hurray. Verify this in your browser. I don't think you have to reboot. But if it doesn't work then reboot.
So it seems you have to look at certificate chains in the setting to see if there is a bad ie expired certificate in the chain, if there is it will block you from accessing websites that depend on it.

In my case it was Wikipedia, and it didn't start failing till October 2021 due to the expired but hidden certificate.. Good luck everyone, the Native Browser is good again!

[otaku2]

THANK YOU!