Open numeratorjik opened 1 year ago
Oh dear, homebrew has been changing how they operate in this area. I don't think they've really solved the problem correctly, but their new mechanisms are now going to cause problems with the mechanisms used by this project.
Specifically homebrew now makes the openssl formulas depend on the ca-certificates formula, and they install symlinks between the openssl cert.pem and the ca-certificates formula. A while ago a contributor took the implementation from here, and added that to homebrew - that implementation is now in the ca-certificates formula (not well documented) so that the cert.pem contains both the Mozilla pem and the macOS trusted certificates.
There is still no provision in homebrew for regular updates.
Nonetheless, I think the responsible solution now is to deprecate this project entirely, and replace it with a periodic task that updates the homebrew ca-certificates package. Sadly I think it will be necessary to actually uninstall and then reinstall the ca-certificates package, in order to force it to include up to date data from the macOS system stores.
Thank you for the report. I'm trying to decide how best to handle this.
I'm facing this same issue: cert.pem becomes 0 bytes every once in a while, both for openssl@1.1 (/opt/homebrew/etc/openssl@1.1/cert.pem) and for openssl@3 (/opt/homebrew/etc/openssl@3/cert.pem). Running openssl-osx-ca manually every time after this happens repopulates cert.pem and resolves the issue:
```
/o/h/e/openssl@1.1 ❯❯❯ ls -ltr
total 64
-rw-r--r-- 1 user admin 412 May 31 23:01 ct_log_list.cnf
-rw-r--r-- 1 user admin 412 May 31 23:01 ct_log_list.cnf.dist
drwxr-xr-x 7 user admin 224 May 31 23:01 misc
-rw-r--r-- 1 user admin 10909 May 31 23:01 openssl.cnf
-rw-r--r-- 1 user admin 10909 May 31 23:01 openssl.cnf.dist
-rw-r--r-- 1 user admin 0 Jun 8 01:39 cert.pem
/o/h/e/openssl@1.1 ❯❯❯ openssl-osx-ca
/o/h/e/openssl@1.1 ❯❯❯ ls
total 560
-rw-r--r-- 1 user admin 250694 Jun 10 13:35 cert.pem
-rw-r--r-- 1 user admin 412 May 31 23:01 ct_log_list.cnf
-rw-r--r-- 1 user admin 412 May 31 23:01 ct_log_list.cnf.dist
drwxr-xr-x 7 user admin 224 May 31 23:01 misc
-rw-r--r-- 1 user admin 10909 May 31 23:01 openssl.cnf
-rw-r--r-- 1 user admin 10909 May 31 23:01 openssl.cnf.dist
```
What would be a good solution to deal with this? Should I just create a crontab to run this periodically? That wouldn't be such a big deal; the issue is that I can't afford for cert.pem to become 0 bytes in the first place.
For now, I've disabled the service via brew services stop openssl-osx-ca
and manually created a cron that runs every hour. I believe this should be enough, though I'm not certain why cert.pem gets zeroed out in the first place. Given that running openssl-osx-ca manually does not present this issue, it seems like homebrew is the culprit, but I have no idea why.
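A hardened version of the hourly cron workaround above, added here as an example and not code from openssl-osx-ca or Homebrew: it keeps a known-good snapshot of cert.pem and restores it whenever the live bundle comes out empty, so the trust store is never left at 0 bytes until the next run. It assumes openssl-osx-ca rewrites cert.pem in place when run with no arguments (as in the thread); OSX_CA_CMD, MIN_CERTS and the .last-good file name are this wrapper's own hypothetical knobs.

```sh
#!/bin/sh
# Example cron wrapper (not part of openssl-osx-ca or Homebrew). Assumes the
# generator rewrites the bundle in place; a bundle with fewer than MIN_CERTS
# certificate blocks is treated as broken and the last good snapshot is restored.

# Number of PEM certificate blocks in a file (0 for a missing or empty file).
count_certs() {
  [ -s "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Atomically copy $1 over $2: write a temp file in the target directory first,
# then rename, so a reader never observes a partially written bundle.
atomic_copy() {
  tmp="$2.tmp.$$"
  cp "$1" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$2"
}

# Validate the live bundle $1 against a minimum certificate count $2.
# Valid: refresh the .last-good snapshot. Broken: restore the snapshot if it
# is itself valid. Returns 1 when no valid bundle is available at all.
restore_if_empty() {
  live=$1; min=$2; good="$1.last-good"
  if [ "$(count_certs "$live")" -ge "$min" ]; then
    atomic_copy "$live" "$good"
    return 0
  fi
  if [ "$(count_certs "$good")" -ge "$min" ]; then
    echo "$live has too few certificates; restoring $good" >&2
    atomic_copy "$good" "$live"
    return 0
  fi
  echo "$live is broken and no valid snapshot exists" >&2
  return 1
}

# Cron entry point: regenerate, then verify and repair. OSX_CA_CMD (hypothetical)
# lets a different generator be substituted, e.g. for testing.
refresh_bundle() {
  "${OSX_CA_CMD:-openssl-osx-ca}" || echo "generator failed; checking bundle anyway" >&2
  restore_if_empty "$1" "${MIN_CERTS:-100}"
}
```

A crontab line would call refresh_bundle with the Homebrew cert.pem path from the thread; a non-zero exit (no valid bundle at all) is the case worth alerting on.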
Yeah, I'm considering just withdrawing this package. The most recent homebrew changes are a real pain to work with and they still don't seem to be overly interested in fixing the problem of the stale cert packs they install, but they do check them more regularly than they used to.
https://github.com/raggi/homebrew-ale/pull/3 is still not merged, which may be the cause.
If moving to a cron locally and removing brew services works, why not just go that route?
When I have openssl-osx-ca installed from homebrew and enabled in Ventura with all current homebrew casks, /usr/local/etc/openssl@1.1/cert.pem and /usr/local/etc/openssl@3/cert.pem are empty. I'm pretty sure openssl-osx-ca is the culprit, though I can't figure out the root of the incompatibility.