Starting in October 2021, Mac OS X 10.10 Yosemite (released July 19, 2017), Mac OS X 10.11 El Capitan (released September 30, 2015), Mac OS X 10.9 Mavericks (released October 22, 2013) and earlier OS X versions will no longer trust cached Let's Encrypt certificates. New visitors on older operating systems will not have this issue.
Chrome's SSL error is something like:
Your connection is not private
Attackers might be trying to steal your information from [domain] (for example, passwords, messages, or credit cards).
Safari's SSL error is something like
This Connection Is Not Private
This website may be impersonating [domain] to steal your personal or financial information. You should go back to the previous page.
There are three client-side fixes/workarounds for old versions of Mac OS X:
Upgrade to Mac OS X Sierra (10.12.1) or newer. Here's the link with requirements for old MacOS versions: https://support.apple.com/en-gb/HT211683 2
Use Firefox instead of Chrome or Safari. https://www.mozilla.org/firefox/new/
Force Mac OS to Always Trust the expired DST Root CA X3 certificate:
- Open the Keychain Access app (under Finder -> Applications -> Utilities )
- On the left sidebar under System Keychains click System Roots
- In the menu bar at the top of the screen under View, select Show Expired Certificates
- In the Search bar the top-right, type DST
- Double-click DST Root CA X3 (or click it once and then press enter/return)
- In the pop-up, click the > arrow next to Trust
- Set When using this certificate to Always Trust
- Close the pop-up by clicking the red x in the top-left
- It will ask you to Enter your password to allow this
- Restart your computer