port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

Sat Nov 6 12:43:09 UTC 2021

On Nov 6, 2021, at 05:39, Gerben Wierda wrote:

> I was looking at updating nsd (for which I am maintaining and it is high time)
> 
> But fetching failed on macOS Mojave (where I have my MacPorts setup).
> 
> :debug:fetch Executing org.macports.fetch (nsd)
> :info:fetch --->  nsd-4.3.8.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
> :notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from https://www.nlnetlabs.nl/downloads/nsd/
> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate has expired
> 
> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port fetch on Catalina, and there it works and the distribution is downloaded.
> 
> It is strange, though, because Safari on both Catalina (other machine) and Mojave say the cert is fine. Still, it is most likely that this is a problem that comes from still using Mojave.
> 
> Updating that machine will not happen until late December, so if I am to maintain anything MacPorts, I need a fix to get this working again.
> 
> I have tried using curl on the Mojave machine, and that one works.
> 
> So, Safari works, curl works, but port does not work.
> 
> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that doesn’t work either.

This is the "Let's Encrypt's old root certificate expired" problem described here:

https://trac.macports.org/wiki/ProblemHotlist#letsencrypt

When you said "curl works but port does not work" that's not quite right. /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not work for Let's Encrypt-protected sites anymore.

I, on High Sierra, have the same issue, and I have no solution for you. This issue affects High Sierra and Mojave. I recommend upgrading to Catalina or later; I plan to eventually.

Well, you could rebuild MacPorts from source, instructing it to use a newer copy of libcurl with a newer copy of openssl or libressl that has a newer certificate bundle. For example, install a bootstrap copy of MacPorts in a separate prefix, install curl in that prefix, then rebuild your primary MacPorts from source, telling it to use the libcurl in the separate prefix. Any future upgrades to MacPorts base probably also have to be done from source; using "sudo port selfupdate" will not preserve your configure arguments and you'll be back to using the System's broken libcurl again.