port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

André-John Mas andrejohn.mas at gmail.com
Sun Nov 7 02:53:56 UTC 2021

Does it make a difference if you test via sudo or your own user login?


Sent from my phone. Envoyé depuis mon téléphone. 

> On 06 Nov 2021, at 22:08, Kastus Shchuka <macports at tprfct.net> wrote:
> Something does not add up here.
> High Sierra is older than Mojave, right? I can fetch sources of nsd on High Sierra without any problems:
> $ sudo port -d fetch nsd    
> DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to /opt/local/var/macports/home/Library/Preferences
> DEBUG: Changing to port directory: /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd
> DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386
> DEBUG: adding the default universal variant
> DEBUG: Reading variant descriptions from /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf
> DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies
> DEBUG: Finished running callback portconfigure::add_automatic_compiler_dependencies
> DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies
> DEBUG: Finished running callback portbuild::add_automatic_buildsystem_dependencies
> DEBUG: Running callback portstartupitem::add_notes
> DEBUG: Finished running callback portstartupitem::add_notes
> DEBUG: Attempting ln -sf /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work
> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
> DEBUG: Starting logging for nsd @4.2.1_2
> DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386
> DEBUG: MacPorts 2.7.1
> DEBUG: Xcode 9.4.1
> DEBUG: SDK 10.13
> DEBUG: Executing org.macports.main (nsd)
> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
> DEBUG: fetch phase started at Sat Nov  6 19:00:42 PDT 2021
> --->  Fetching distfiles for nsd
> DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
> DEBUG: Executing org.macports.fetch (nsd)
> --->  nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
> --->  Attempting to fetch nsd-4.2.1.tar.gz from http://distfiles.macports.org/nsd
>  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                 Dload  Upload   Total   Spent    Left  Speed
> 100 1118k  100 1118k    0     0  3557k      0 --:--:-- --:--:-- --:--:-- 3563k
> $ ls -l /opt/local/var/macports/distfiles/nsd
> total 2240
> -rw-r--r--  1 macports  wheel  1145713 Nov  6 19:00 nsd-4.2.1.tar.gz
> I have MacPorts installed from a package, I did not build it, so it is pretty much standard. Neither I did anything to the system certificate chain.
>> On Nov 6, 2021, at 5:43 AM, Ryan Schmidt <ryandesign at macports.org> wrote:
>>> On Nov 6, 2021, at 05:39, Gerben Wierda wrote:
>>> I was looking at updating nsd (for which I am maintaining and it is high time)
>>> But fetching failed on macOS Mojave (where I have my MacPorts setup).
>>> :debug:fetch Executing org.macports.fetch (nsd)
>>> :info:fetch --->  nsd-4.3.8.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
>>> :notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from https://www.nlnetlabs.nl/downloads/nsd/
>>> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate has expired
>>> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port fetch on Catalina, and there it works and the distribution is downloaded.
>>> It is strange, though, because Safari on both Catalina (other machine) and Mojave say the cert is fine. Still, it is most likely that this is a problem that comes from still using Mojave.
>>> Updating that machine will not happen until late December, so if I am to maintain anything MacPorts, I need a fix to get this working again.
>>> I have tried using curl on the Mojave machine, and that one works.
>>> So, Safari works, curl works, but port does not work.
>>> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that doesn’t work either.
>> This is the "Let's Encrypt's old root certificate expired" problem described here:
>> https://trac.macports.org/wiki/ProblemHotlist#letsencrypt
>> When you said "curl works but port does not work" that's not quite right. /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not work for Let's Encrypt-protected sites anymore.
>> I, on High Sierra, have the same issue, and I have no solution for you. This issue affects High Sierra and Mojave. I recommend upgrading to Catalina or later; I plan to eventually.
>> Well, you could rebuild MacPorts from source, instructing it to use a newer copy of libcurl with a newer copy of openssl or libressl that has a newer certificate bundle. For example, install a bootstrap copy of MacPorts in a separate prefix, install curl in that prefix, then rebuild your primary MacPorts from source, telling it to use the libcurl in the separate prefix. Any future upgrades to MacPorts base probably also have to be done from source; using "sudo port selfupdate" will not preserve your configure arguments and you'll be back to using the System's broken libcurl again.

More information about the macports-users mailing list