invalid certificate chain during port-fetch

Ryan Schmidt ryandesign at macports.org
Sat Dec 28 03:32:26 UTC 2019



On Dec 5, 2019, at 09:02, René J.V. Bertin wrote:

> Any suggestions how I can work around this kind of error (on OSX 10.9.8)?
> 
> {{{
> --->  Attempting to fetch kcontacts-19.08.3.tar.xz from https://download.kde.org/stable/applications/19.08.3/src
>  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                 Dload  Upload   Total   Spent    Left  Speed
>  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> Warning: Fetching distfile failed: SSL certificate problem: Invalid certificate chain
> }}}
> 
> The instructions I found on stackexchange didn't work for me.

You didn't mention what instructions you're referring to or what port this is about, but I am able to reproduce a certificate error if I try to use /usr/bin/curl to access that URL on OS X 10.9. I guess the server imposes such hefty encryption requirements on its clients that 10.9's bundled curl/openssl isn't able to accommodate them. Same goes for OS X 10.10 and 10.11. The problem disappears on macOS 10.12 and later.


You can use a different method to fetch the file (for example MacPorts curl or Safari or another web browser) and put it in the right place on your system:

https://trac.macports.org/wiki/ProblemHotlist#fetch-failures

Or you can recompile MacPorts linked to a newer libcurl/openssl that is able to talk to that server.


If this is a port that is in our port collection, ideally we would have already mirrored the file on our servers, from which MacPorts would then be able to fetch it since our server doesn't impose such strenuous encryption requirements. Unfortunately, the mirroring currently happens on a machine running OS X 10.11, so it would also fail to download from this server. We should do our mirroring on a newer version of macOS, but making that change to our server infrastructure is nontrivial.


You might want to bring this problem to the attention of whoever runs that server. They may not realize that the restrictions they've put in place impact OS versions as recent as OS X 10.11. They may be willing to relax their restrictions somewhat so that older systems can still connect.


