/\ngel Oct 9, 2021 @ 11:33pm
2
[How To] Fix: Let's Encrypt SSL/TLS certificate issue - Some Steam web pages load raw/empty/without styles or media (i.e. "*.css", "*.js", images, videos etc.)
Dear marvelous Steam Community,

Thank you very much!

Just in case, if someone encountered an issue when some Steam web pages or certain actions fail in both the Steam client (may look similar to https://i.imgur.com/hlcktdM.png) and a general web browser (i.e. Google Chrome), and some resource downloads/transmissions (i.e.
https://community.akamai.steamstatic.com/public/shared/images/login/throbber.gif) or some other website/data accesses result in an error where network request logs indicate HTTPS (HTTP over SSL/TLS) certificate issues (i.e. "ERR_CERT_DATE_INVALID"), please try the following:

Indeed, such date mismatch issue is usually caused when client's time is out of a certificate valid time range. If the client's date/time is actual/valid, then try the next:

Investigation
Let's try checking out the page certificate information and its all parental certificates' dates - of all certificates in the signing hierarchy. The information should be available in the "Certificate Path" tab (i.e. https://i.imgur.com/QBIx71z.png).

If the hierarchy indicates "DST Root CA X3" root certificate authority (CA) (i.e. https://i.imgur.com/Z9x6d6g.png), it may be the issue source - the certificate is outdated ("valid to" 2021-09-30 or September 30, 2021).

Fix: Install "DST Root CA X3" root certificate authority
In such case, perhaps the OS doesn't have an alternative/actual trusted root CA installed ("ISRG Root X1"). Let's Encrypt (LE) offers a way to install the certificate manually. Please download the certificate from their official resource and install it manually: https://letsencrypt.org/certs/isrgrootx1.der.

If the same error appears while trying to download the file, try skipping the warning temporarily, use an alternative device/network/environment, or ask a friend/person you trust.

After the download, try installing the CA as trusted in the OS (Windows assumed):
  1. Open the downloaded "Distinguished Encoding Rules (DER)" ("*.der") file;
  2. In the opened window, press "Install Certificate…";
  3. Select "Local Machine" if it's required to install the certificate for all OS users in general, or "Current User" - only for the current user's environment. Press "Next".
  4. In the prompt for the "Certificate Store", select "Place all certificates in the following store", press "Browse...", select "Trusted Root Certification Authorities" and press "OK";
  5. Press "Finish".
After that, try restarting clients (i.e. Steam and/or browsers) and reloading pages without cache enabled, or launching previously not working procedures. Some environments may require a restart.

Explanation
There are/were 3 certificates in the hierarchy:
  1. The root certificate authority (CA) of Let's Encrypt (LE) - "DST Root CA X3";
  2. "R3" LE CA which was signed by "DST Root CA X3";
  3. The certificate Steam uses/used for some resource traffic which was singed by "R3".
The Steam certificate (common name (CN) - cdn.akamai.steamstatic.com), includes Subject Alternative Name (SAN) X.509 extension entries (https://i.imgur.com/eunXUCu.png):
  • cdn.akamai.steamstatic.com;
  • cdn.steamstatic.com;
  • community.akamai.steamstatic.com;
  • media.steamcommunity.com;
  • media.steampowered.com;
  • store.akamai.steamstatic.com.
Today, "DST Root CA X3" certificate is expired ("valid to" 2021-09-30). Since various clients normally invalidate/deny every SSL transaction which includes any expired/invalid item property in a whole sign hierarchy, the Steam client and/or modern browsers result in an error too.
The alternative actual CA ("ISRG Root X1") is supported by "R3" too, thus its installation as trusted root CA in the operating system should solve the issue.

The certificates diagram: https://letsencrypt.org/images/isrg-hierarchy.png

Please check the following: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ (Update September 30, 2021 As planned, the DST Root CA X3 cross-sign has expired, and...)



Related:
- https://developer.chrome.com/docs/devtools/network (In general, use the Network panel when you need to...)
- https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details (How to view SSL certificate details in each browser...)
- https://www.technipages.com/google-chrome-bypass-your-connection-is-not-private-message (Chrome: Bypass “Your connection is not private” Message...)
- https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate (Installing the trusted root certificate...)
- https://letsencrypt.org/certificates/ (Our roots are kept safely offline. We issue end...)

Best and kind regards ✨
Last edited by /\ngel; Dec 16, 2021 @ 12:55pm
< >
Showing 1-10 of 10 comments
Dr.Shadowds 🐉 Oct 10, 2021 @ 12:00am 
Hmm I keep this saved to check more into, thanks for sharing this.
Almos Oct 11, 2021 @ 5:15am 
Hi! When installing said DER file, I do not see a "Place all certificates in the following store" all I see is "Current user" or "Local Machine" which one do I click?
/\ngel Oct 12, 2021 @ 4:27am 
Originally posted by hito:
Hi! When installing said DER file, I do not see a "Place all certificates in the following store" all I see is "Current user" or "Local Machine" which one do I click?
A certificate installation to "Local Machine" should allow other OS users on the machine to use it, while "Current User" should install it only for the current user's environment, and every other user may encounter the same issue and have to install the certificate themselves.
Please check the following: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores (Local Machine and Current User certificate stores...)
Thank you very much! I updated the article highlighting the selection :APTraven:
Last edited by /\ngel; Oct 12, 2021 @ 4:27am
Jun Yew Dec 9, 2021 @ 4:53am 
Omg I've been facing this problem for weeks, and can't have steam showing their website in client, as well as not being able to access FRIENDS CHAT function.

This fixed it. THANKS ALOT!!
Crashed Dec 9, 2021 @ 7:15am 
If you have an updated OS it should have the ISRG Root X1 certificate already, correct?

Would this mean the issue is primarily affecting Windows 7 users?
Satoru Dec 9, 2021 @ 7:52am 
Originally posted by Crashed:
If you have an updated OS it should have the ISRG Root X1 certificate already, correct?

Would this mean the issue is primarily affecting Windows 7 users?

Windows updates its root CA repository fairly frequently

Yes its only an issue with Windows 7 because again, no one should be using it, and no its not getting root CA updates because, again, no one is supposed to be using it

The solution is not "oh look here's a link to our CA"

the solution is "Update your OS to something that's actually supported and gets updates"
Last edited by Satoru; Dec 9, 2021 @ 7:57am
Crashed Dec 9, 2021 @ 8:31am 
Originally posted by Satoru:
Originally posted by Crashed:
If you have an updated OS it should have the ISRG Root X1 certificate already, correct?

Would this mean the issue is primarily affecting Windows 7 users?

Windows updates its root CA repository fairly frequently

Yes its only an issue with Windows 7 because again, no one should be using it, and no its not getting root CA updates because, again, no one is supposed to be using it

The solution is not "oh look here's a link to our CA"

the solution is "Update your OS to something that's actually supported and gets updates"
I think saying people aren't supposed to use it will probably anger some who believe updated versions are some sort of spyware.
Satoru Dec 9, 2021 @ 8:58am 
Originally posted by Crashed:
I think saying people aren't supposed to use it will probably anger some who believe updated versions are some sort of spyware.

I'm not going to give the wrong solution because people have irrational and illogical reasons

the reason Lets Encrypt has to provide this fix is because many corporations have older dumb systems that cannot be upgraded for various reasons.

But anyone on steam should not be using windows 7.
Kick Jan 29, 2022 @ 11:27am 
Thanks for documenting this solution.
Elucidator Jan 29, 2022 @ 12:43pm 
Originally posted by Kick:
Thanks for documenting this solution.
Make sure you get the others as well; the ones I mentioned here:
https://steamcommunity.com/discussions/forum/1/3203748716333923067/

let's encrypt's cert is not a miracle cert (on steam's network) and may not be used in some cases.
heck, the other certs may help with other websites as well.
< >
Showing 1-10 of 10 comments
Per page: 1530 50

Date Posted: Oct 9, 2021 @ 11:33pm
Posts: 10