Let's Encrypt DST Root CA X3 Expiration

Michael keybounce at gmail.com
Thu Oct 7 17:03:53 UTC 2021


(Moving from macports to macos-talk)

I am still having a problem with this.
I've managed to get the DST root into my system as "trusted for all users".
But the ISRG root is only marked as "trusted for this account" as my normal user ID, and it fails to authenticate for a process that runs as root.

Attempting this security command --
>  sudo security -v add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain isrgrootx1.pem

does not change it from "this account" to "all users", and I cannot figure out how to make that change.

Can anyone help me?

On 2021-10-02, at 8:25 PM, raf <macports at raf.org> wrote:

> On Sat, Oct 02, 2021 at 08:06:27PM -0700, Michael <keybounce at gmail.com> wrote:
> 
>> So, first, I want to say "Thank you" for this bit:
>> 
>>> • From View menu select "Show Expired Certificates"
>> 
>> In Keychain Access, I could not see the expired certs, and was
>> thinking that they were just deleted for being old. Once I could find
>> the old ones, I could turn them back on.
> 
> Ah, that explains why I couldn't see it. :-)
> 
>> The second thing is that for whatever reason, I could not download
>> and install the new cert into Keychain Access. But ... oddly, Firefox
>> 52 ESR had that cert installed (even that old ...???). I could export
>> from Firefox, and import THAT into Keychain Access, and at least
>> enable that for my account.
>> 
>> So, ... well, not perfect. These certs are marked as trusted for *my
>> account*. Not for the system. So predictably, some things done by the
>> system in the background will fail, but at least Chrome and Firefox
>> both now work fine. (Safari isn't tested, but ... well, Safari isn't
>> tested :=-).
> 
> On 10.6.8, I wasn't able to add to the system keychain
> via the Keychain Access GUI (even after unlocking it),
> but I was able to do it using the "security" command
> following these instructions:
> 
>  How do I update my root certificates on an older version of Mac OS (e.g. El Capitan)?
>  https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
> 
> If you have ISRG Root X1 as a .pem file, something like this
> should import it into the "System" keychain:
> 
>  sudo security -v add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain isrgrootx1.pem
> 
> For the "System Roots" keychain, instead of the "System" keychain:
> 
>  sudo security -v add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain isrgrootx1.pem
> 
> I don't know if it matters which of these keychains it goes into.
> 
> cheers,
> raf

---
This message was composed with the aid of a laptop cat, and no mouse


