macOS 10.13.6, Server.app 5.6.3 I'm using LetsEncrypt SSL certs. After updating a cert with certbot, I use openssl to export a PKCS12 file, then import that to the system keychain using "security" as follows:

# cd /etc/letsencrypt/live/www.brazoslink.net
# openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out letsencrypt_sslcert.p12 -passout pass:(random passkey)
# security import letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P (random passkey) -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

This all works, no errors, the updated cert appears in Server Admin just as it should, and any services/websites using that cert are automatically updated to use the updated cert so I can delete the old version. All good. However, the cert that gets created in /etc/certificates contains the self-signed "ISRG Root X1" cert, which was not contained in the original LE cert. When I run the SSL cert tests at ssllabs.com, it complains, "Incorrect order, Extra certs, Contains anchor" and gives me a "B" rating. Can anyone explain what is going on here, and how I can fix it?

According to Apple , > With Safari 5 through 5.1.7, a lock icon appears near the top right > corner [only] if all of the webpage's content uses a secure connection. That's all very well, but normally to view the SSL/TLS certificate for a webpage serving content over HTTPS, one would click the padlock icon. Because the icon is not present on pages that serve only *some* of their content over SSL/TLS, there ought to be another way to view the certificate, but what is it?

I have developed a web proxy server. It's running on a Raspberry Pi in my house, and it seems to be working as intended using Linux devices I have around and using cURL on my Mac. However, in practice, when I configure my Mac in System Settings to use the proxy server, things don't go as expected. I found that my Mac will always send plain HTTP requests to the server despite having configured a "secure web proxy (HTTPS)" as opposed to a "web proxy (HTTP)" (and the Proxy-Authorization header is missing despite having configured a username and password). I tried handling this in the proxy server, by detecting if it received HTTP data instead of TLS data and responding with a “426 Upgrade Required” and the relevant headers, but this seems to be ignored. The TLS certificate was generated using [mkcert](https://github.com/FiloSottile/mkcert) , and the CA is correctly installed on my Mac. The proxy server is served on port 443. My Mac is on macOS 15.5 (24F74). I also tested on my iPhone, iOS 18.5 (22F76), which seems to completely ignore the proxy altogether. As far as I can tell, no requests from my iPhone go through the proxy at all.

I recently installed an 802.1x EAP-TTLS profile on my Macbook (Sequoia 15.4.1) using a .mobileconfig file. The profile came along with two CA certificates. After installing the bundle, I can successfully connect to my work's Wifi network. I can also see the added certificates on Keychain Access. However, I didn't want to keep these certificates active for Safari, so I tried to delete them from the keychain while keeping the 802.1x settings. Surprisingly, the Wifi connection still works, without the certificates in the keychain: Does MacOS keep a copy of the certificates only for the 802.1x settings? Would they be still trusted in for example, Safari, even after removing them from the keychain?

I have a website running on nginx webserver. It uses optional SSL client vertification by certificate. I also have a certificate issued by proper CA added to my keychain "Login" (I am not actually sure of its name since my OS language is not English). When I go to that site using other browsers than Safari (tried Orion and Chrome), it asks for certificate right away, but Safari does not. Also, by toggling "Lock keychain after xxx minutes" option I managed to make Safari to ask for certificate for one of the 3rd level domains on my site, but not for the other. Client certificate authentication works well with other browsers so I assume there is nothing wrong server-side as certificate is being recognized and accepted, and my best guess is - something is wrong with Safari. Cleaning site settings doesn't seem to have any effect too. Why Safari doesn't want to use certificate sometimes? I guess if set SSL client verification to be required, it is going to solve the problem, but for some unrelated reasons I cannot do that. Update: while I was writing that, I let safari so do nothing and think of its behavior I assume. Next time I reloaded page, it asked for certificate from keychain. Although now it behaves as I expect, its behavior is still somewhat erratic.

Recently acquired an old MacBook Pro, new to MacOS. I have downloaded & installed node 16.20.1 https://nodejs.org/en/download/releases npm install fails. npm doctor returns:

Check                               Value   Recommendation/Notes
npm ping                            not ok  error:0909006C:PEM routines:get_name:no start line
npm -v                              not ok  Error: error:0909006C:PEM routines:get_name:no start line
node -v                             not ok  Error: error:0909006C:PEM routines:get_name:no start line
npm config get registry             ok      using default registry (https://registry.npmjs.org/) 
which git                           ok      /usr/local/bin/git
Perms check on cached files         ok
Perms check on local node_modules   ok
Perms check on global node_modules  ok
Perms check on local bin folder     ok
Perms check on global bin folder    ok
Verify cache contents               ok      verified 0 tarballs
npm ERR! Some problems found. See above for recommendations.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/travis/.npm/_logs/2023-06-26T21_56_49_431Z-debug-0.log


logfile contents:


0 verbose cli /usr/local/bin/node /usr/local/bin/npm
1 info using npm@8.19.4
2 info using node@v16.20.0
3 timing npm:load:whichnode Completed in 1ms
4 timing config:load:defaults Completed in 2ms
5 timing config:load:file:/usr/local/lib/node_modules/npm/npmrc Completed in 1ms
6 timing config:load:builtin Completed in 1ms
7 timing config:load:cli Completed in 2ms
8 timing config:load:env Completed in 0ms
9 timing config:load:project Completed in 12ms
10 timing config:load:file:/Users/travis/.npmrc Completed in 3ms
11 timing config:load:user Completed in 3ms
12 timing config:load:file:/usr/local/etc/npmrc Completed in 0ms
13 timing config:load:global Completed in 0ms
14 timing config:load:validate Completed in 3ms
15 timing config:load:credentials Completed in 1ms
16 timing config:load:setEnvs Completed in 2ms
17 timing config:load Completed in 26ms
18 timing npm:load:configload Completed in 26ms
19 timing npm:load:mkdirpcache Completed in 2ms
20 timing npm:load:mkdirplogs Completed in 1ms
21 verbose title npm doctor
22 verbose argv "doctor"
23 timing npm:load:setTitle Completed in 28ms
24 timing config:load:flatten Completed in 4ms
25 timing npm:load:display Completed in 6ms
26 verbose logfile logs-max:10 dir:/Users/travis/.npm/_logs
27 verbose logfile /Users/travis/.npm/_logs/2023-06-26T21_56_49_431Z-debug-0.log
28 timing npm:load:logFile Completed in 7ms
29 timing npm:load:timers Completed in 0ms
30 timing npm:load:configScope Completed in 0ms
31 timing npm:load Completed in 72ms
32 info Running checkup
33 silly logfile start cleaning logs, removing 1 files
34 silly logfile done cleaning log files
35 timing command:doctor Completed in 140501ms
36 verbose stack Error: Some problems found. See above for recommendations.
36 verbose stack     at Doctor.exec (/usr/local/lib/node_modules/npm/lib/commands/doctor.js:126:13)
36 verbose stack     at async module.exports (/usr/local/lib/node_modules/npm/lib/cli.js:78:5)
37 verbose cwd /Users/travis
38 verbose Darwin 17.7.0
39 verbose node v16.20.0
40 verbose npm  v8.19.4
41 error Some problems found. See above for recommendations.
42 verbose exit 1
43 timing npm Completed in 140587ms
44 verbose code 1
45 error A complete log of this run can be found in:
45 error     /Users/travis/.npm/_logs/2023-06-26T21_56_49_431Z-debug-0.log

- I have tried manually installing & uninstalling node & npm - I have tried installing node via nvm - I am not able to install node via homebrew due to gcc dependency (willing to try if someone can walk me through installing a package outside homebrew then linking to homebrew) - I have tried setting http://registry.nmpjs.org/ . and back Is there an SSL certificate I need to add or modify somewhere? What else can I look at to troubleshoot this?

I am trying to have Safari stop preventing me from visiting one of my dev machines with an invalid cert. I am trying to use the solution in this thread but install it using the CLI: security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain-db /tmp/test.cert I am still receiving the "Safari Can't Open the Page because Safari can't establish a secure connection to the server" error. I want it to be applied to the user so I don't want to do the -d flag. And I know I am correctly downloading the cert because if I add the certificate and trust it through the OSX GUI, it works fine. Another interesting note is that this solution works for my Brave and Firefox browsers, so it's just Safari that is giving me grief, but even safari works when I add the downloaded cert via the GUI.

I have a certificate and/or private key file (pfx) on my OS X desktop. I'd like to look at its information (CN, SAN, OU, thumbprint, etc) but when I double click on it, it attempts to install into my Keychain. Once its in there, I can see the info and then delete it. I would like to know if there is a way to "open" a certificate for viewing without having to install it into your Keychain. Similar to how you can click on the padlock in Safari and see the cert info. I'd prefer something native to OS X but maybe there are tools out there too?

I Want to update ssl certificates on my iMac G4, macOS Tiger (10.4.11). I already tried to copy from a newer mac the certificate "Actalis Authentication Root CA", trust in in Keychain Access but when with safari i go on the website "alternativalinux.it" i recive the error "**Safari cannot enstabilish a safe connection with alternativalinux.com**".

We still have an old macOS server with profile manager running, with a domain wildcard SSL certificate. After renewing the certificate, I checked that https: was working, and also that management profiles could be downloaded. Great! However, when setting up a new device, the device says that the certificate is invalid, and will not install the profile. Reverting back to the (soon to be expiring) old certificate, everything works fine. So, I'm at a loss for why this is happening. As far as I can tell, the root for both certs is the same. In fact, the CA which was provided by Digicert/Geotrust looks to be the same as last year's. I've exhausted my basic knowledge of "openssl" commands trying to spot any differences, to no avail. In testing, I see the same behavior in iOS16, iOS17, iOS18, macOS14, and macOS15. When using the expiring certificate, new devices can download the profile, but when using the newer certificate, errors occur. Also, with the newer certificate, all of the above devices are able to install profiles (manually, from the /mydevices URL). One interesting note, is that yesterday the error was "invalid certificate"; however, today, it just says "canceled" (iOS16). I read that ABM was having issues overnight, so this may be related. But, my trouble with new devices and the new certificate started over a week ago. PS - I'm not using profile manager because _I_ want to. But, feel free to add more reasons why it's a bad idea (as long as you try to help solve the original problem).

Safari suddenly can't connect to any HTTPS site because it "can't establish a secure connection". This is on an administrator account, not a managed account. A different administrator account is able to use Safari with HTTPS, so must be something specific to my account, but I have no idea what. Google Chrome has no problems connecting to HTTPS sites. Things I have tried: * emptied Safari's cache * deleted Safari's preferences * reset Safari entirely * repaired Keychain (no errors found) * deleted Keychain (didn't help) * repaired permissions in Disk Utility * rebooted * hoped it would suddenly fix itself All of the google results I saw suggested either repairing the Keychain (which I tried and which did not help) or were only applicable if there were "Parental Controls" involved, which doesn't apply here. If I had to guess, I would think that wherever Safari is checking for "certificates" is somehow corrupted, but I could be wrong. I'm not even sure where to look for those - maybe ~/Library/?

I am using an iPad with Google Chrome installed to access the internet. I have downloaded and installed the Netbox Blue certificate authority [from their website](http://netboxblue.com/certs) . I can currently access https:// websites using Safari however I cannot access these sites using the Chrome app. I am not getting any certificate errors while using Safari. Is there a particular way you need to add certificate authorities to the Chrome app, or is this an issue with my connection?

My iphone 4 running iOS 7.1.2 and Safari cannot access certain SSL website, e.g. https://letsencrypt.org , presumably because of expired certificates. Installing the profile provided at https://blog.jjhayes.net/wp/2021/11/13/fix-old-iphone-4-4s-ios-7-ssl-certificate-errors/ did not help. (I am using a passcode on the device.) Is there some other method to update the trust store?

I'm trying to debug a Safari specific issue, but I can't see the data being passed in the TLS stream from a packet capture because I need the ephemeral keys to decrypt the session. In Chrome or Firefox you can set the environment variable SSLKEYLOGFILE=/path/to/my-tls-session.keys and then use that file with wireshark to decrypt the session. So, is there a way in Safari to have it record the TLS session keys? If not, is there a way in Safari to capture the raw data stream that passes between it and the server?

I currently facing the problem that I created a certificate authority certificate and would like to add this custom CA to macOS. The general way would be to add it to the "System" area in my key chain and trust the certificate. This works fine for e.g. browsers. Now I would like to use command line tools like git and curl or one of intellij's IDEs. But then I am running into the following error message:

SSL certificate problem: unable to get local issuer certificate

I found out that curl on macOS is using LibreSSL. So my assumption would be that LibreSSL is not looking into macOS keychain. Do I think in the right direction? Or do I need to add my CA certificate to an additional directory?

Working on a site for a client, and for some reason I keep getting the "can't provide a secure connection" error in ALL browsers. Everyone outside me seems to see it fine. If I log in to my work computer with a VPN, it works fine. I've look at tons of articles on this error. Yes, my time is set correct, I've cleared my cache and so forth. I even tried copying over the SSL cert to my login keychain and select trust always, and this didn't work. It seems like browsers have been updated and they don't allow you to "trust anyway" anymore. This is my friend's company, it has a valid certificate and I know the site is fine. I need to allow this site to work in order to get my work done. I'm on a late 2013 iMac running Catalina 10.15.1.

Recently I updated my Macbook to the latest macOS (Ventura 13.1). Before the update, I was able to use FortiClient to connect to a VPN. I am trying the same configuration with previous versions of macOS on another MacBook and I don't have the same problem. The error message is: I tried the following to resolve the issue: 1) Disabled my built-in firewall and restart the OS, but didn't work. Here I would like to highlight that I don't have other firewalls or antivirus installed. 2) The FortiClient has full access to Disk: Again after restating the OS I have the same error 3) I found a post on Reddit and I followed the instructions there, but again before/after restarting the OS I have the same error as before. Since it stopped work after the update on Ventura 13.1 I think the root cause is the update and something related to the permission that I am missing. The version of **FortiClient is 7.0.7.0245** which is the latest version of FortiClient.

I'm using an old iMac G3, running Mac OS 10.3.9 Panther, for research purposes. My concern is not security - I don't put sensitive information on this machine, nor do I mind if the integrity of the Operating System is compromised. I just want to be able to connect to the internet for benchmarking purposes. I am aware that the specs of this machine are too low to run most websites. As you're probably aware, the SSL security protocols on this version of Mac OS X are out of date enough to prevent me from visiting anything aside from Google. One step I've taken care of is following the directions from https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi : > Some operating systems hold onto the expired R3 > DST Root CA X3 chain even if your server is no longer using it. Try a restart of the affected client device. > > For older macOS not updated by Apple: > > Download the ISRG Root X1 certificate file from http://x1.i.lencr.org/ > Open the Keychain Access app and drag that file into the System folder > of that app. Find the ISRG Root X1 certificate in System and double > click on it, open the Trust menu and change "Use System Defaults" to > "Always Trust", then close that and enter your password to confirm the > change (if prompted). I seem to be able to connect to Google via HTTPS, which is a step up, but sites like Wikipedia still prevent me from accessing them for security reasons. What else could I try doing in order to get this computer on the internet (for better or worse)?

When I try to access our dev sites, I get this error on my iPhone X running the latest general release of iOS 15. Now 15.1. > Safari cannot open the page because it could not establish a secure connection to the server. I believe the problem is related to a root certificate expiring. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ On Mac (macOS Big Sur 11.6.1) I was getting the same problem. When I inspected the certificate, it said the R3 and DST Root CA X3 certificates were expired. I was able to fix the issue by installing the R3 intermediate certificate . My Mac already had the ISRG Root X1 certificate installed. On iOS I've tried installing the root certificates ISRG Root X1 and X2, and the R3 intermediate certificate, and every combination thereof but I still can't load my dev sites. On Chrome for iOS I get ERR_SSL_PROTOCOL_ERROR. Using the free iOS app TLS Inspector, I get this for my dev site:

I currently bought a Mac and I'm a noob :). I used to connect to my server using stunnel on Windows and Ubuntu. I'm also a noob in networking. I check website download section, and there's no Mac version, but in users-community mailing list I see some posts about running it under macOS. But they didn't help to figure out what should I do. So anyone can help me install stunnel on OS X Mountain Lion (10.8.2), or tell me is there any alternative app?