3

Safari and Chrome report invalid certificates on certain HTTPS sites (for example GitHub and Bitbucket). Firefox strangely shows a green valid certificate.

I've created a new OS X user and everything is perfectly valid there. I though that maybe there was some invalid certificate in my login keychain. However, even after removing all certs from that keychain, it still reports as invalid.

The Entrust cert that only shows on my account is present in my login keychain. I removed it, which makes the DigiCert High Assurance EV Root CA the new top certificate in the list, but it is not the same cert as on the working account...

The problem also occurs when using curl or for example pushing with git.

Is there something I'm overlooking?

UPDATE
Everything works after copying the DigiCert High Assurance EV Root CA from the System Roots to the login keychain. But why is this necessary on my user account?

Certificate chain in Safari on my user account Certificate chain in Safari on my user account

Certificate chain in Safari on a new OS X account Certificate chain in Safari on a new OS X account

Rengers
  • 133
  • 1
  • 6
  • Is the computer fully up to date with all software patches and updates on the latest version of OSX? – Darth Android Jul 25 '14 at 16:01
  • Yep, installed all the updates. It feels like somehow Safari is using an old certificate or something. – Rengers Jul 25 '14 at 16:03
  • 1
    When using the search box in Keychain Access to find "digicert high", do you get a single hit? (On my Mac, I only get the one that expires November 2013, and that's in the System Roots.) – Arjan Jul 25 '14 at 16:22
  • Yes, I only get one certificate that expires 10 november 2031. This cert is in my System Roots. The weird this is: after I copy this to my login keychain (so that I have it twice), it actually works! But why doesn't it pick it up in the System Roots keychain...? – Rengers Jul 25 '14 at 16:24
  • See also: [Why won't OS X trust GitHub's SSL certificate?](http://superuser.com/questions/605900/why-wont-os-x-trust-githubs-ssl-certificate) (which might be a dupe; not sure yet). – Arjan Jul 25 '14 at 16:25
  • I've come across that question. It looked like the same problem or at least related, but none of the answers have worked for me. The only thing I didn't do was reset my default keychain. – Rengers Jul 25 '14 at 16:27
  • *"after I copy this to my login keychain (so that I have it twice), it actually works! But why doesn't it pick it up in the System Roots keychain"* -- prior to copying, it should also pick up the one from the System Roots, for otherwise it wouldn't have a chain at all. But apparently *somewhere* it can find the faulty one instead. So I assume that copying it into your Login Keychain just gives it higher precedence. But where is the faulty one hiding...!? Did you see the note about "Repair" in the answers to the other question? – Arjan Jul 25 '14 at 16:33
  • Yep, my thoughts exactly. I've tried repairing but no problems were found. I don't know enough about certificates on OS X to find where this faulty cert could be though... – Rengers Jul 25 '14 at 16:36
  • 1
    I just noticed that my Keychain Access did not show any expired root certificates. Enabling that in menu View, Show Expired Certificates might show you another version when searching for "digicert high"? (No changes for me, for that search.) – Arjan Jul 25 '14 at 16:42
  • Ah man, thanks, that was it! There was an expired DigiCert certificate in my login keychain. Sometimes the solution is so easy, never even crossed my mind that expired certificates were hidden by default. If you post this as an answer, I will accept it. – Rengers Jul 25 '14 at 16:44

3 Answers3

5

It seems that somehow Chrome and Safari for that account are using an expired root certificate, even though a new one is already present in your System Roots.

However, by default Keychain Access does not show expired certificates: enable that using menu View, Show Expired Certificates, and then search for the name of the expired certificate, like "digicert high". Then delete any expired one. As all is fine in a new user account, the culprit must be in your Login Keychain.

(This doesn't explain why Firefox uses the correct one; I would expect all browsers to simply delegate the full validation to OS X, but apparently not.)

Arjan
  • 30,974
  • 14
  • 75
  • 112
  • Something to keep in mind: some say that using synchronization through iCloud might actually restore the expired certificate again. – Arjan Jul 28 '14 at 20:44
  • One final step: restart your browser after deleting any expired certs. @Arjan thanks for the tip! – schmielson Jul 30 '14 at 22:23
2

I had the same problem with my macbook pro and sourcetree app. I followed the instruction provided in the digicert blog (link provided below) to solve this issue.

https://blog.digicert.com/expired-intermediate-certificate/

Jay
  • 21
  • 1
0

I'm not 100% sure about the solution.

But same thing happened to me when I set a back date on my PC. Suppose this is 2014. If you set 2013 or 2012 as your year, this problem may happen.

And in this situation, it's really tough to sign in Gmail, Facebook or Yahoo!

Check your date settings.

Thanks.

Marks PC Solution
  • 112
  • 1
  • 7