provide latest OS root certificates via port?
raf
macports at raf.org
Wed Nov 3 04:39:57 UTC 2021
On Mon, Nov 01, 2021 at 06:37:08AM -0400, "Richard L. Hamilton" <rlhamil at smart.net> wrote:
>
>
> > On Nov 1, 2021, at 03:12, raf <macports at raf.org> wrote:
> >
> > On Sat, Oct 30, 2021 at 05:49:11AM -0700, Al Varnell via macports-users <macports-users at lists.macports.org> wrote:
> >
> >> I see that I already have the latest ISRG Root X1 certificate in the
> >> System Roots keychain, so not sure why I would need to add it to my
> >> System keychain.
> >
> > It doesn't sound sensible, does it? I followed those instructions,
> > then added it to System Roots because it hadn't changed anything,
> > only to discover (on 10.6) that only TLSv1.0 was supported by the
> > system-supplied software so things wouldn't work anyway.
> >
> > I still don't understand why /usr/bin/curl isn't working for me on
> > 10.14 but Safari is.
>
> /usr/bin/curl (also?) uses /etc/ssl/cert.pem file. Copy that file to
> /etc/ssl/cert.pem.orig as a backup and look around line 1130 for the
> following:
>
> ### Digital Signature Trust Co.
>
> === /O=Digital Signature Trust Co./CN=DST Root CA X3
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
> Signature Algorithm: sha1WithRSAEncryption
> Validity
> Not Before: Sep 30 21:12:19 2000 GMT
> Not After : Sep 30 14:01:15 2021 GMT
> Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
> X509v3 Subject Key Identifier:
> C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
> SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
> SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
> -----BEGIN CERTIFICATE-----
>
>
> Remove from there (if it is line 1130) to the matching
> -----END CERTIFICATE-----
> line in /etc/ssl/cert.pem (around 1171) and that gets rid of the
> expired X3 cert that doesn't really need to be in the certificate
> chain. After that,
> /opt/local/libexec/mpstats submit
> works for me on 10.14. Still doesn't help with what's presumably the
> TLS problem on older versions (10.6.8 being the only older version I
> have available, so I don't know just what version is the cutoff for
> that problem).
Thanks! That worked on 10.14. I couldn't find the equivalent cert.pem
file for /usr/bin/curl on 10.6.8 (not that the same thing would have
worked there anyway), so I did this instead:
cd /usr/bin
mv curl curl.orig
ln -s /opt/local/bin/curl curl
After that, "/usr/bin/curl https://ports.macports.org" worked
but "/opt/local/libexec/mpstats submit" still fails
with the same error.
cheers,
raf
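The "look around line 1130 and delete through the matching END line" procedure quoted above is fragile: the line number moves whenever the bundle is regenerated, and a slip leaves a truncated PEM block. The script below is an added example (not macports code and not from either poster) that does the same pruning by the certificate's SHA-256 fingerprint, computed from the DER rather than read from the "SHA256 Fingerprint=" comment, and drops the "=== subject" marker and text dump along with the PEM block. It assumes the cert.pem layout shown in the thread (an optional "### Org" section header, a "=== /subject" marker, the openssl text dump, then the PEM block); the sample bundle and its two "certificates" are constructed placeholders, not real X.509 data, and the only real value is the DST Root CA X3 fingerprint quoted in the thread. Keep the cert.pem.orig backup the earlier reply suggests; a system update may put the original file back.

```python
# Added example (not macports or original-post code): remove a root cert from an
# OpenSSL-style bundle such as macOS /etc/ssl/cert.pem by SHA-256 fingerprint,
# not by line number. Layout assumed is the one shown in the thread:
# optional '### <Org>' header, '=== <subject>' marker, text dump, PEM block.
import base64
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of DER bytes, as openssl prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def _norm(fp: str) -> str:
    return fp.replace(":", "").upper()

def parse_bundle(text: str) -> list:
    """Ordered chunks: ('other', lines) for section headers and blank lines,
    ('cert', header_lines, pem_lines) per certificate, header_lines starting at
    the '=== <subject>' marker when one precedes the PEM block."""
    chunks, other, header = [], [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("=== "):
            if other:
                chunks.append(("other", other))
                other = []
            header = [line]
        elif line.startswith(BEGIN):
            if other:
                chunks.append(("other", other))
                other = []
            pem = [line]
            i += 1
            while i < len(lines) and not lines[i].startswith(END):
                pem.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError("unterminated certificate block")
            pem.append(lines[i])
            chunks.append(("cert", header or [], pem))
            header = None
        elif header is not None:
            header.append(line)  # text dump lines between the marker and BEGIN
        else:
            other.append(line)
        i += 1
    if header is not None:
        raise ValueError("subject marker without a certificate block")
    if other:
        chunks.append(("other", other))
    return chunks

def cert_fingerprint(pem_lines: list) -> str:
    """Hash the DER decoded from the PEM body; the 'SHA256 Fingerprint=' comment
    is not trusted because it may be stale or absent."""
    return der_sha256(base64.b64decode("".join(pem_lines[1:-1])))

def count_certs(text: str) -> int:
    return sum(1 for c in parse_bundle(text) if c[0] == "cert")

def prune_bundle(text: str, fingerprints) -> tuple:
    """Return (new_text, removed_subjects): every cert whose SHA-256 fingerprint
    is listed is dropped together with its '===' marker and text dump."""
    wanted = {_norm(fp) for fp in fingerprints}
    out, removed = [], []
    for chunk in parse_bundle(text):
        if chunk[0] != "cert":
            out.extend(chunk[1])
            continue
        _, header, pem = chunk
        if _norm(cert_fingerprint(pem)) in wanted:
            removed.append(header[0][4:] if header else "(no subject marker)")
            continue
        out.extend(header)
        out.extend(pem)
    return "\n".join(out) + "\n", removed

# Constructed sample bundle: the PEM bodies are arbitrary bytes, not real X.509.
FAKE_DER_X3 = b"constructed bytes standing in for DST Root CA X3"
FAKE_DER_ISRG = b"constructed bytes standing in for ISRG Root X1"

def fake_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])

SAMPLE_BUNDLE = f"""### Digital Signature Trust Co.

=== /O=Digital Signature Trust Co./CN=DST Root CA X3
            Not After : Sep 30 14:01:15 2021 GMT
{fake_pem(FAKE_DER_X3)}
### Internet Security Research Group

=== /C=US/O=Internet Security Research Group/CN=ISRG Root X1
{fake_pem(FAKE_DER_ISRG)}
"""

# SHA-256 fingerprint of the expired DST Root CA X3, as quoted in the thread.
DST_ROOT_CA_X3_SHA256 = ("06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:"
                         "32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39")

if __name__ == "__main__":
    if len(sys.argv) == 2:  # python prune_bundle.py cert.pem.orig > cert.pem.new
        with open(sys.argv[1]) as f:
            new_text, removed = prune_bundle(f.read(), [DST_ROOT_CA_X3_SHA256])
        sys.stdout.write(new_text)
        print("removed:", removed, file=sys.stderr)
    else:
        new_text, removed = prune_bundle(SAMPLE_BUNDLE, [der_sha256(FAKE_DER_X3)])
        print("removed:", removed, "remaining:", count_certs(new_text))
```

Run it against the backup and diff the output before installing it: the only change should be one fewer certificate block, and "removed:" should name exactly the DST Root CA X3 subject. If it reports nothing removed, the expired root is not in that bundle and the failure lies elsewhere (for instance the TLS-version limitation raised for 10.6 above).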