port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

Kastus Shchuka macports at tprfct.net
Sun Nov 7 02:08:11 UTC 2021 

Something does not add up here.

High Sierra is older than Mojave, right? I can fetch sources of nsd on High Sierra without any problems:

$ sudo port -d fetch nsd    
DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to /opt/local/var/macports/home/Library/Preferences
DEBUG: Changing to port directory: /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd
DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386
DEBUG: adding the default universal variant
DEBUG: Reading variant descriptions from /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf
DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies
DEBUG: Finished running callback portconfigure::add_automatic_compiler_dependencies
DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies
DEBUG: Finished running callback portbuild::add_automatic_buildsystem_dependencies
DEBUG: Running callback portstartupitem::add_notes
DEBUG: Finished running callback portstartupitem::add_notes
DEBUG: Attempting ln -sf /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work
DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
DEBUG: Starting logging for nsd @4.2.1_2
DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386
DEBUG: MacPorts 2.7.1
DEBUG: Xcode 9.4.1
DEBUG: SDK 10.13
DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.13
DEBUG: Executing org.macports.main (nsd)
DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
DEBUG: fetch phase started at Sat Nov  6 19:00:42 PDT 2021
--->  Fetching distfiles for nsd
DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
DEBUG: Executing org.macports.fetch (nsd)
--->  nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
--->  Attempting to fetch nsd-4.2.1.tar.gz from http://distfiles.macports.org/nsd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1118k  100 1118k    0     0  3557k      0 --:--:-- --:--:-- --:--:-- 3563k
$ ls -l /opt/local/var/macports/distfiles/nsd
total 2240
-rw-r--r--  1 macports  wheel  1145713 Nov  6 19:00 nsd-4.2.1.tar.gz

I have MacPorts installed from a package, I did not build it, so it is pretty much standard. Neither I did anything to the system certificate chain.

> On Nov 6, 2021, at 5:43 AM, Ryan Schmidt <ryandesign at macports.org> wrote:
> 
> 
> 
> On Nov 6, 2021, at 05:39, Gerben Wierda wrote:
> 
>> I was looking at updating nsd (for which I am maintaining and it is high time)
>> 
>> But fetching failed on macOS Mojave (where I have my MacPorts setup).
>> 
>> :debug:fetch Executing org.macports.fetch (nsd)
>> :info:fetch --->  nsd-4.3.8.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
>> :notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from https://www.nlnetlabs.nl/downloads/nsd/
>> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate has expired
>> 
>> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port fetch on Catalina, and there it works and the distribution is downloaded.
>> 
>> It is strange, though, because Safari on both Catalina (other machine) and Mojave say the cert is fine. Still, it is most likely that this is a problem that comes from still using Mojave.
>> 
>> Updating that machine will not happen until late December, so if I am to maintain anything MacPorts, I need a fix to get this working again.
>> 
>> I have tried using curl on the Mojave machine, and that one works.
>> 
>> So, Safari works, curl works, but port does not work.
>> 
>> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that doesn’t work either.
> 
> This is the "Let's Encrypt's old root certificate expired" problem described here:
> 
> https://trac.macports.org/wiki/ProblemHotlist#letsencrypt
> 
> When you said "curl works but port does not work" that's not quite right. /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not work for Let's Encrypt-protected sites anymore.
> 
> I, on High Sierra, have the same issue, and I have no solution for you. This issue affects High Sierra and Mojave. I recommend upgrading to Catalina or later; I plan to eventually.
> 
> Well, you could rebuild MacPorts from source, instructing it to use a newer copy of libcurl with a newer copy of openssl or libressl that has a newer certificate bundle. For example, install a bootstrap copy of MacPorts in a separate prefix, install curl in that prefix, then rebuild your primary MacPorts from source, telling it to use the libcurl in the separate prefix. Any future upgrades to MacPorts base probably also have to be done from source; using "sudo port selfupdate" will not preserve your configure arguments and you'll be back to using the System's broken libcurl again.

More information about the macports-users mailing list