Closed ghost closed 10 years ago
Is this specific to Homebrew?
Yes, as the OpenSSL formula pulls CA Certs from the keychain.
You can run brew postinstall openssl to regen cert.pem without reinstalling all of openssl.
Given that we lean pretty heavily on Apple to handle certificate management, it's not clear to me that there is anything Homebrew can do here, especially while operating within its normal bounds (i.e. not doing stuff without the user being explicit). Even if there was some kind of expired certificate check during post-install, it would still be possible to end up with expired certs at a later time and Homebrew wouldn't know about it.
If this is indeed an upstream bug in openssl, then hopefully a fix will materialize in a future release.
The OpenSSL bug is still stalled, and I ran into this bug (with the same CA) again. My solution was to just erase the expired certificate, as explained in the other issue, though I only guessed it should be safe — so don't use it unless you understand what you're doing (I'm not even entirely sure the hash I used is system-independent, though why not?).
sudo security delete-certificate -Z 2F173F7DE99667AFA57AF80AA2D1B12FAC830338 /System/Library/Keychains/SystemRootCertificates.keychain
brew postinstall openssl
Thanks @Blaisorblade, your sequence of commands to delete the old cert & update worked for me:
sudo security delete-certificate -Z 2F173F7DE99667AFA57AF80AA2D1B12FAC830338 /System/Library/Keychains/SystemRootCertificates.keychain
brew postinstall openssl
I was going crazy trying to figure out why I was getting the following SSL verification error:
Works in the browser, and I can see in my keychain the Root CA there. Using @mislav's doctor utility, I can see that the Root CA is expired...
But this works and isn't expired at all in the browser?!
Poking around the OpenSSL formula, I can see the use of the security find-certificate command to retrieve the certs in the keychain. Running the following gives me 2 Root CAs with the same common name: 2 certs with the same common name? Oh, one of them is expired!
After removing the expired Root CA and reinstalling openssl (so that /usr/local/etc/openssl/cert.pem is regenerated), hitting the above endpoint works! (As well as any other site that has an SSL cert signed by GlobalSign.)
So is there a better way to deal with expired Root CAs? Or should there be a check in the formula to deal with expired ones? Looking at the man pages for security, I can't find a way to omit expired CA certs.
In any case, hopefully this will come up in searches for other people.