aszlig / hetzner

A high-level Python API for accessing the Hetzner robot.
https://pypi.python.org/pypi/hetzner

adding ca cert bundle probe path /usr/local/etc/openssl/cert.pem (macOS) #29

Closed fabiant7t closed 5 months ago

fabiant7t commented 6 years ago

Added a ca cert bundle probe path /usr/local/etc/openssl/cert.pem that is available on macOS after installing openssl using homebrew. This is a workaround to fix SSL errors with the current version of this package and macOS.

aszlig commented 6 years ago

Is /usr/local/etc/openssl/cert.pem something that's common on Mac OS X systems or is this only something that's specific to your installation?

Cc: @copumpkin

copumpkin commented 6 years ago

Homebrew puts it there, but not all macOS users use Homebrew. There’s a more official source of certificates on macOS (the keychain), but it doesn’t really have a file-based interface.

aszlig commented 6 years ago

@copumpkin: Ah, thanks for the info.

Hm, maybe it makes sense to switch to something like certifi then, because probing of all kinds of CA bundle paths will end up in madness™.

fabiant7t commented 6 years ago

Homebrew is a third party package manager for macOS (an OS lacking a first party package manager). It's highly likely that ops and dev people have it installed (and updated) on their machines. Those people will be able to use this package as it is again.

Refactoring to use certifi might be a good step to keep the package platform independent. But while users might have fresh root certificates at installation time then, they probably won't ever update this package, resulting in using probably expired/revoked root certs. So discovered cert bundles on the system might still be the first choice.
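An added example (not code from the hetzner package or from anyone in this thread) of the ordering described in the comment above: system CA bundles are probed first and certifi is used only as a fallback, with every candidate checked by actually loading it. The two Linux paths, the function names and the fail-closed behaviour are assumptions made for illustration.

```python
import ssl

# Only the Homebrew path comes from this thread; the two Linux paths are
# common distro locations added here as assumptions.
CANDIDATE_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu (assumption)
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora/RHEL (assumption)
    "/usr/local/etc/openssl/cert.pem",     # Homebrew OpenSSL on macOS
)


def loads_as_ca_bundle(path):
    """True only if OpenSSL can read at least one certificate from path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # missing or unreadable file; ssl.SSLError is a subclass
        return False
    return True


def find_ca_bundle(candidates=CANDIDATE_BUNDLES, allow_certifi=True,
                   usable=loads_as_ca_bundle):
    """Return (path, source); source is 'system', 'certifi' or 'none'."""
    for path in candidates:
        if usable(path):
            return path, "system"
    if allow_certifi:
        try:
            import certifi  # optional dependency, frozen at install time
        except ImportError:
            pass
        else:
            bundle = certifi.where()
            if usable(bundle):
                return bundle, "certifi"
    return None, "none"


def make_context(**kwargs):
    """Build a verifying client context, or fail closed if no bundle loads."""
    path, source = find_ca_bundle(**kwargs)
    if path is None:
        raise RuntimeError("no usable CA bundle found; refusing to connect")
    # Passing cafile keeps CERT_REQUIRED and hostname checking enabled.
    return ssl.create_default_context(cafile=path), source
```

Returning the source lets the caller log when it is running on the certifi bundle, which is the case where the root set is only as fresh as the last package upgrade.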

farcaller commented 6 years ago

If anything, can you at least update the hardcoded CAs to match the current Hetzner's DigiCert root?

aszlig commented 6 years ago

@farcaller: Done. Also pushed a new bugfix release (0.8.1).