SSL certificate problem: certificate has expired (on macOS High Sierra 10.13.6)

rob · October 1, 2021, 2:48pm

Although my Mac mini (Mid 2011) running macOS High Sierra 10.13.6 (can’t upgrade) is pretty old, I have been keeping it “up-to-date” using Homebrew, where possible.

However, as of this week that fails due to SSL certificate issues:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

Might be related to the Let’s Encrypt root certificate expiring (yesterday/today)?

What can I do about this? (If anything?)

vco1 · October 1, 2021, 8:21pm

Open the url in Safari and accept the exception. That did the trick for me.

Of course it’s a bit of a hack. I think it’s also possible to install the root certificate. Read about it somewhere, but didn’t have the time to look into it.

anon78316750 · October 1, 2021, 11:16pm

Yeah, that certificate recently expiring has caused a massive amount of problems across the different communities that I’m a part of. Not just websites!

The (current) solution is to use Mozilla Firefox.

rob · October 2, 2021, 7:04am

The failing curl command is executed by Homebrew (on the command line).

I don’t think switching browsers will help with that?

ACautionaryTale · October 2, 2021, 9:29am

You should be able to get a new root certificate and install that on your Mac, right?

JohnAtl · October 2, 2021, 11:01am

Finally figured this out for a long-standing problem with Arq backing up to MinIO on my NAS using https.

anon78316750 · October 2, 2021, 1:29pm

I know that. It was a recommendation for others who might be in a different situation of their own. From what I can remember, Mozilla Firefox uses it’s own certificates or something like that (I don’t remember the exact wording).

JohnAtl · October 2, 2021, 1:43pm

I agree with you, Firefox is a potential workaround for older systems with bigger problems than just curl.
From the article:

“However, Firefox is currently unique among browsers — it ships with its own list of trusted root certificates.”

rob · October 2, 2021, 3:14pm

This might work: (will try later)

vco1 · October 2, 2021, 6:37pm

It does work. Just moments before I read the blogpost I followed the same procedure on my dad’s Mac. And the problem with the let’s encrypt certificate has been fixed.

vco1 · October 3, 2021, 6:32am

That being said, I’m also using Let’s Encrypt on a mail server. And while that works on 95% of the devices, including Android, iPads running the latest iPasOS versions 14 and 15 refuse to connect.

Apple mail on iPad is a pain in the back anyway when you try to connect to something other than one of the big e-mail providers in my opinion.

rob · October 3, 2021, 7:36pm

Turn out my Mac already has an ISRG Root X1 certificate which is valid until 4-Jun-2035.

It’s more likely this issue with the curl version provided by Apple in macOS:

github.com/Homebrew/brew

MacOS system curl broken after letsencrypt CA cert expiry

opened 12:55AM - 01 Oct 21 UTC

wwuck

bug

### `brew config` output ```shell HOMEBREW_VERSION: 3.2.14 ORIGIN: https://git…hub.com/Homebrew/brew HEAD: 4e6919b73444e9f9e02ad81d8afc4bbd97533567 Last commit: 2 days ago Core tap ORIGIN: https://github.com/Homebrew/homebrew-core Core tap HEAD: c437fbe02752c09d3bad41eb2ab84832ea15968f Core tap last commit: 20 minutes ago Core tap branch: master HOMEBREW_PREFIX: /usr/local HOMEBREW_CASK_OPTS: [] HOMEBREW_MAKE_JOBS: 4 Homebrew Ruby: 2.6.3 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/2.6.3_2/bin/ruby CPU: quad-core 64-bit kabylake Clang: 11.0.0 build 1100 Git: 2.33.0 => /usr/local/bin/git Curl: 7.54.0 => /usr/bin/curl macOS: 10.14.6-x86_64 CLT: 10.3.0.0.1.1562985497 Xcode: 11.3.1 ``` ### `brew doctor` output ```shell Please note that these warnings are just used to help the Homebrew maintainers with debugging if you file an issue. If everything you use Homebrew for is working fine: please don't worry or file an issue; just ignore this. Thanks! Warning: A newer Command Line Tools release is available. Update them from Software Update in System Preferences or run: softwareupdate --all --install --force If that doesn't show you any updates, run: sudo rm -rf /Library/Developer/CommandLineTools sudo xcode-select --install Alternatively, manually download them from: https://developer.apple.com/download/more/. You should download the Command Line Tools for Xcode 11.3.1. Warning: Homebrew's "sbin" was not found in your PATH but you have installed formulae that put executables in /usr/local/sbin. Consider setting your PATH for example like so: echo 'export PATH="/usr/local/sbin:$PATH"' >> /Users/me/.bash_profile ``` ### - [X] I ran `brew update` and am still able to reproduce my issue. - [X] I have resolved all warnings from `brew doctor` and that did not fix my problem. ### What were you trying to do (and why)? I was trying to reinstall `openconnect` from HEAD using `brew reinstall openconnect`. I had originally installed `openconnect` using `brew install openconnect --HEAD`. ### What happened (include all command output)? ```console $ brew reinstall openconnect ==> Downloading https://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/c0122e891f7e033f35f047dad963702199d5cb9e:/vpnc-script curl: (60) SSL certificate problem: certificate has expired More details here: https://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure. Error: Failed to download resource "openconnect--vpnc-script" Download failed: https://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/c0122e891f7e033f35f047dad963702199d5cb9e:/vpnc-script ``` ### What did you expect to happen? `openconnect` should be installed from latest `HEAD`. ### Step-by-step reproduction instructions (by running `brew` commands) ```shell brew reinstall openconnect ```

rob · October 4, 2021, 8:19am

The suggested answer on StackOverflow (deleting the expired certificate from /etc/ssl/cert.pem) did the trick, but I wonder whether I’ll notice any side effects…