TLS secure connection error

  • #40058
    Wheels-Of-Fire
    Participant
      @grahamdearsley
      Forumite Points: 4

      My mum’s neighbour is having trouble connecting to about half the websites in existence because of a TLS error (according to W10 anyway). A message appears saying the site may not be properly configured for TLS (cobblers). The error only appears on her PC, not on her iPad or phone.

      The only solution I can find online is to reset the TLS/SSL settings under internet options but it makes no difference.

      Does anyone have any ideas before I have to investigate further?

      #40059
      RSB
      Keymaster
        @bdthree
        Forumite Points: 5,183

        Possibly the computer’s date and time. Check it’s correct.

        Americans: Over Sexed, Over Payed and Over here, Wat Wat!

        #40060
        Ed P
        Participant
          @edps
          Forumite Points: 39

          If so and if neighbour’s PC is old (pre 2010) it may be a CMOS battery issue.

          #40064
          Wheels-Of-Fire
          Participant
            @grahamdearsley
            Forumite Points: 4

            Nothing so simple Ed. The PC is 3 years old and apart from using the onboard Intel graphics it was top of the line then (I helped her spec it on the Palicomp website). The PC gets its time from the MS time server and is spot on.

            AVG paid-for version is installed and up to date and I tried switching off its web protection feature but it made no difference. Edge and IE both do the same thing.

            #40065
            Ed P
            Participant
              @edps
              Forumite Points: 39

              Root certificates need updating? link

              The anti-virus used can add its own twist to this, for example Kaspersky’s trust certs are not trusted by Firefox.

              [edit] This link gives some other possible steps.

              #40268
              Wheels-Of-Fire
              Participant
                @grahamdearsley
                Forumite Points: 4

                I was thinking certificate problems from the start, because Transport Layer Security relies on them, and my workaround seems to prove it.

                I installed Firefox because it has its own secure certificate list instead of using the one built into Windows networking and it works just fine.

                The trouble is my mum’s friend would rather use Chrome and that uses Windows’ own database so I really need to find out what’s wrong with that.

                All the info I can find says that the certs database is kept up to date automatically via Windows update so they suggest that I check that that is working. I have, and it is, so now I’m stuck again.

                #40272
                Ed P
                Participant
                  @edps
                  Forumite Points: 39

                  Certutil.exe?

                  #40275
                  Wheels-Of-Fire
                  Participant
                    @grahamdearsley
                    Forumite Points: 4

                    The answer may well be in certutil.exe somewhere but I was hoping to avoid it. It is easy enough to get a list of all the installed certs and the authorised root cert providers using an MMC snap-in, but getting a new list, in an approved and certified format, and then getting it installed is something else. The recommended method for stand-alone PCs is to let Windows update do it but for those who administer domain servers there is a long and complicated process that lets you do it manually using certutil.exe.

                    #40277
                    Ed P
                    Participant
                      @edps
                      Forumite Points: 39

                      While that is true for AD domains, I think you can just use:

                      certutil -addstore -f root authroot.stl

                      Check out the first link I gave you.

                      #40282
                      Wheels-Of-Fire
                      Participant
                        @grahamdearsley
                        Forumite Points: 4

                        I just had a go at the quick method in the middle of your link Ed.

                        I followed the link to get the latest root cert trusted list in cab format from Windows update. The link says you can unpack the cab file in file explorer to get the .stl file, and you can, and it then says you can right click the file to import it from its context menu but you can’t because W10 thinks a .stl file is a 3D object so it tries and fails to open it in its funky new 3D object app.

                        Anyway you can import it from the MMC certs snap-in, and it will work, but if you do you will find that the file’s certificate is invalid and it is not in use!

                        Ho Hum 🙄

                        #40284
                        Ed P
                        Participant
                          @edps
                          Forumite Points: 39

                          “The link says you can unpack the cab file in file explorer to get the .stl file, and you can, and it then says you can right click the file to import it from its context menu but you can’t because W10 thinks a .stl file is a 3D object”

                          Can’t you fix that by ignoring the right click and just using the command line per my last post? (Make sure you open cmd.exe in Admin mode).

                          #40286
                          Wheels-Of-Fire
                          Participant
                            @grahamdearsley
                            Forumite Points: 4

                            I ignored the context menu and loaded the .stl file from the management console snap-in but, like I said, if you view the newly loaded list from the management console’s certificates list it says that the new list has an invalid cert itself and is not in use.

                            I tried this on my own PC which is working fine and the same thing happens. Nothing broke so you can give it a go yourself if you like 😉

                            #40287
                            Wheels-Of-Fire
                            Participant
                              @grahamdearsley
                              Forumite Points: 4

                              The MMC gives you a nice little certs installation wizard that is worth a look on its own 😁

                              #40288
                              Ed P
                              Participant
                                @edps
                                Forumite Points: 39

                                I suspect the ‘invalid certificate’ notice may have come from the way you installed it. Windows can be quite picky at requiring admin level command line access to many of its components and a critical component such as the root certificates falls into that sort of category.

                                #40289
                                Ed P
                                Participant
                                  @edps
                                  Forumite Points: 39

                                  If you are not convinced about the merits of the command line then you could try the procedure given here (note the elevated prompt comment):

                                  https://www.tecklyfe.com/restore-missing-invalid-root-certificates-windows/
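
The suspects raised in this thread (clock, antivirus web protection, the Windows root store) can be told apart by inspecting what the PC actually receives during the handshake. The following PowerShell is an added example, not part of any post above; the function name `Test-TlsChain` and the host names in the usage comment are hypothetical placeholders.

```powershell
function Test-TlsChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Diagnostic only: accept any certificate so the handshake completes
        # and the certificate can be inspected. Never do this in a real client.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # throws if no protocol/cipher is agreed

        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Rebuild the chain against the Windows certificate stores, the same
        # trust source IE, Edge and Chrome rely on (Firefox ships its own list).
        $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $trusted = $chain.Build($leaf)
        $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol      # negotiated TLS version
            LeafIssuer  = $leaf.Issuer          # an antivirus name here means interception
            NotBefore   = $leaf.NotBefore       # compare with the PC clock
            NotAfter    = $leaf.NotAfter
            ChainTop    = $top.Subject          # highest certificate Windows could reach
            Trusted     = $trusted
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (placeholder hosts: substitute one site that fails and one that works):
# 'failing-site.example', 'working-site.example' |
#     ForEach-Object { Test-TlsChain $_ } | Format-List
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` points at the Windows root store, `NotTimeValid` points at the clock or an expired certificate, and an exception from `AuthenticateAsClient` points at protocol or cipher settings rather than certificates.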
