provide latest OS root certificates via port?

Richard L. Hamilton rlhamil at smart.net
Mon Nov 1 10:37:08 UTC 2021



> On Nov 1, 2021, at 03:12, raf <macports at raf.org> wrote:
> 
> On Sat, Oct 30, 2021 at 05:49:11AM -0700, Al Varnell via macports-users <macports-users at lists.macports.org> wrote:
> 
>> I see that I already have the latest ISRG Root X1 certificate in the
>> System Roots keychain, so not sure why I would need to add it to my
>> System keychain.
> 
> It doesn't sound sensible, does it? I followed those instructions,
> then added it to System Roots because it hadn't changed anything,
> only to discover (on 10.6) that only TLSv1.0 was supported by the
> system-supplied software so things wouldn't work anyway.
> 
> I still don't understand why /usr/bin/curl isn't working for me on
> 10.14 but Safari is.

/usr/bin/curl (also?) uses the /etc/ssl/cert.pem file. Copy that file to /etc/ssl/cert.pem.orig as a backup and look around line 1130 for the following:

### Digital Signature Trust Co.

=== /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE 
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign 
            X509v3 Subject Key Identifier:
                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
-----BEGIN CERTIFICATE-----


Remove from there (if it is line 1130) to the matching
-----END CERTIFICATE-----
line in /etc/ssl/cert.pem (around 1171) and that gets rid of the expired X3 cert that doesn't really need to be in the certificate chain. After that,
/opt/local/libexec/mpstats submit
works for me on 10.14. Still doesn't help with what's presumably the TLS problem on older versions (10.6.8 being the only older version I have available, so I don't know just what version is the cutoff for that problem).
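The edit described above, as an added script that is not from the post or from MacPorts: instead of counting to line 1130, it locates the entry by the SHA256 fingerprint printed in the cert.pem excerpt, backs the bundle up to cert.pem.orig, and rewrites it without the expired DST Root CA X3. It assumes the macOS cert.pem layout shown above, where each certificate is preceded by a "=== " subject line and openssl text; plain concatenated PEM bundles are handled too.

```python
"""Drop one root certificate, chosen by SHA256 fingerprint, from a PEM bundle
like /etc/ssl/cert.pem, after saving a .orig backup. Added example, stdlib only."""
import base64, hashlib, shutil, sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Fingerprint of the expired DST Root CA X3, as printed in the cert.pem excerpt.
DST_ROOT_CA_X3_SHA256 = ("06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:"
                         "32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39")

def sha256_fingerprint(der):
    """Colon-separated uppercase SHA256 over the DER bytes, as openssl prints it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def strip_cert(bundle, fingerprint):
    """Return (new_bundle, removed_count) with every matching entry dropped.
    An entry runs from its '=== ' subject line (macOS cert.pem layout), or
    from BEGIN in a plain bundle, through END, so the text preamble goes too."""
    out, entry, removed = [], None, 0
    for line in bundle.splitlines(keepends=True):
        s = line.strip()
        if entry is None and (s.startswith("=== ") or s == BEGIN):
            entry = []
        if entry is None:
            out.append(line)  # '###' section headers and blank lines stay
            continue
        entry.append(line)
        if s == END:
            begin = next(i for i, l in enumerate(entry) if l.strip() == BEGIN)
            der = base64.b64decode("".join(l.strip() for l in entry[begin + 1:-1]))
            if sha256_fingerprint(der) == fingerprint.upper():
                removed += 1
            else:
                out.extend(entry)
            entry = None
    if entry:  # unterminated trailing entry: keep it rather than guess
        out.extend(entry)
    return "".join(out), removed

def main(path="/etc/ssl/cert.pem", fingerprint=DST_ROOT_CA_X3_SHA256):
    new_bundle, removed = strip_cert(open(path).read(), fingerprint)
    if removed:
        shutil.copy2(path, path + ".orig")  # backup first, as the post advises
        open(path, "w").write(new_bundle)
    print(f"removed {removed} certificate(s) from {path}")

if __name__ == "__main__":
    main(*sys.argv[1:])
```

Run it as root (the bundle is not user-writable); passing a different path and fingerprint on the command line lets you check a copy of the file first.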



