![]() Rename /etc/ssl/cert.pem to something else. Even though my systems have a newer version of OpenSSL installed using homebrew and/or MacPorts, the system-wide OpenSSL pem file located at /etc/ssl/cert.pem was out of date and did not include the ISRG Root X1 certificate. pem file containing its root certificates. OpenSSL on macOS does not use the system keychain (which makes sense as it's a cross platform library) but rather has its own. Small addendum: the open source app is using OpenSSL 1.1.1j. I'm not sure what library the app is using for https - it may be libcurl, but I suspect it's failing for the same reason curl is. What do I need to do to fix this? I can't just use insecure mode on curl as the issue I'm trying to fix is the app that can't access the site. However, the app in question still fails, as does curl. I've confirmed that the ISRG Root X1 certificate is installed in Keychain Access and is trusted.įurther, I can access the site using Safari or any other web browser. * SSL certificate problem: certificate has expiredĬurl: (60) SSL certificate problem: certificate has expiredĬurl performs SSL certificate verification by default. * TLSv1.2 (OUT), TLS alert, Server hello (2): ![]() * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * Cipher selection: successfully set certificate verify locations: * Connected to hostname (x.x.x.x) port 443 (#0) Here's the output of curl -vv with the hostname and IP address redacted: * Rebuilt URL to: * Trying x.x.x.x. If I use curl to access the same site, it also gets an error about the certificate being expired. An open source app running on my macOS 10.13.6 and 10.14.6 system is failing to access a website via https that uses a Let's Encrypt certificate. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |