Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

tubedogg

macrumors regular
Original poster
Dec 18, 2003
248
269
Minnesota
Fair warning, this is long but hopefully comprehensive. Please ask any questions you think might help. I am desperate for a solution at this point.

I did find these two threads on Let's Encrypt's community indicating that others are having this problem with the exact symptoms that I am (random sites affected but Chrome says certs are valid, reboot fixes it temporarily, etc). At least I know I am not alone, but nothing there helps to resolve it.

Let's Encrypt thread 1
Let's Encrypt thread 2


As of approximately June 13, 2020, some secure sites that I try to visit in Google Chrome are showing a Privacy error, specifically NET::ERR_CERT_AUTHORITY_INVALID. I am using Google Chrome Version 83.0.4103.116 (Official Build) (64-bit) on macOS 10.14.6. After further testing I am having this problem in Microsoft Edge (which is built on top of Chromium) and Safari, too (though not Firefox).

This includes google.com, docs.google.com, googlevideo.com, youtube.com, and gmail.com, as well as status.discordapp.com, cdn.superonefoods.com (though their site countymarketifalls.com works fine), worldmarket.com, and boardgamegeekstore.com. Sites that work fine include torn.com, abc.com, superuser.com, and this site.

I found an answer somewhere on one of the Stack Exchange sites (sorry, didn't save the URL) that suggested I drag-and-drop the image of the certificate onto my desktop, which copies the certificate, then add it to Keychain Access and manually trust it. I tried it for Google and that solved it for Google-related sites (except googlevideo.com). I have not done that for the other sites as there is clearly something wrong here and I am not doing that manually for every site.

When I click on the "Not Secure" bit before the URL, it says "Certificate (invalid)". Clicking on the words "Certificate (invalid)" shows me a chain of certificates, all of which say they are "valid". See screenshot for boardgamegeekstore.com. (Paradoxically, that site uses the same chain of certificates that superuser.com uses, and boardgamegeekstore.com doesn't work while superuser.com does.)

8CdD67Q.png


I am having a similar problem when my email client, Airmail Version 4.1 (618), tries to connect to imap.gmail.com (but not to imappro.zoho.com). This screenshot is rather long and cobbled together because it wouldn't let me expand the window, but this is the only place I see an error message regarding a certificate--Chrome shows "This certificate is valid," as seen above, for all certificates, even while simultaneously telling me the certificate is invalid on the error page.

3sXIvxQ.png


I am not using a VPN or proxy. I do use Little Snitch, but I disabled it entirely and the problem persisted.

Besides what is built into the system as far as PHP, Python, etc., I do have the following installed via Homebrew:

Code:
$ brew list
bchunk      openssl@1.1 readline    telnet      youtube-dl
gdbm        python      sqlite      xz

openssl@1.1 is a dependency of Python 3, per brew info python. It is possible that is causing problems, but I don't know why that would have just now started causing problems, as it has been installed since February.

To my knowledge nothing changed recently before the issue occurred.

This is also impacting the Discord app, but as far as I can tell, no other applications on my user account are having this problem. No other devices on my network are having any problems. As noted below, another user account on my computer is not exhibiting the problem in limited testing.

Rebooting sometimes seems to resolve the problem for a while, between several and 24 hours, before it starts occurring again.

Things I have tried in order to fix it:
* Incognito windows in Chrome. The problem persists. (I can bypass the warning for sites using HSTS in Incognito whereas I can't outside of Incognito, because of the way Incognito functions, but this does not resolve the underlying problem.)

* using Firefox. All of the sites in question, including Google before I "fixed" it, did and continue to work correctly in Firefox with no errors or warnings. (Firefox has been installed since before this problem started. My understanding is it has its own certificate store and does not use the system's, which would explain why it works fine.)

* temporarily disabling my firewall. It had no effect.

* updating Chrome. It updated to Version 83.0.4103.106 (Official Build) (64-bit), but did not fix anything. Sorry I forgot to note the before version, but I keep it up-to-date, so it would have been whatever the last Stable version was. Since then it has updated itself to 83.0.4103.116.

* cleared browsing data for "Download history" and "Cached images and files". It had no effect.

* disabled all extensions in Chrome. It had no effect.

* installed Security Update 2020-003 and macOS Mojave 10.14.6 Supplemental Update 2. During this process the computer rebooted and the problem was resolved for the remainder of the evening. Today the problem has returned.

* deleted /var/db/crls/crlcache2.db and rebooted. This resolved it for over 24 hours, at which point the issue started again.

* ran openssl s_client -connect docs.google.com:443 from the command line. It returned no errors, which I think means the problem seems to be limited to browsers and my email client.

* logged into another account on my computer which has been setup for a while, well before these problems started, and was able to browse in Chrome and Safari without problem to the sites noted above. I have re-checked this from time to time and the other account is still working fine. This seems to indicate it's something with my user account, but see next item.

* disabled iCloud Keychain and deleted my login keychain in Keychain Access, so it was recreated on next login. Theoretically this puts it on par with the other user account but my user account is still having the problems.

* installed Security Update 2020-004 Mojave. Again, the reboot resolved it for a short period of time and then the issue resumed.

* compared certificates for superuser.com and boardgamegeekstore.com. The site-level certificates are identical except for the bits pertaining to each site. The intermediate- and root-level certificates are identical for each.
 
  • Like
Reactions: levanid

levanid

macrumors newbie
Nov 14, 2013
19
4
I have the same issue here and it started few months ago, even before Mojave Security update 2020-004 and persisted after update. Google sites become invalid together with any sites with Let's encrypt issued certificates.

I also have little snitch installed and openssl@1.1 in my brew list overall that list is pretty long for me
1597339582947.png



What helps me is logging into another account (even without admin privileges), opening keychain and then just logging off to move back to my main account.

Then it works for a few days until being randomly broken afterwards. I have to log off and re-login back to "clean account" to fix all of it. Maybe we should check console messages to understand what leads to this behavior, but I don't what leads to that problem. I believe few months ago apple silently enforced https certificate security making it broken for some devices :(
 
Last edited:
  • Like
Reactions: tubedogg

tubedogg

macrumors regular
Original poster
Dec 18, 2003
248
269
Minnesota
Thanks for the reply!

I'm having problems now with superuser.com (though they do use Let's Encrypt), which had been working when I originally posted. Their certificate now says "Not valid before: Friday, August 7, 2020 at 8:01:00 AM Central Daylight Time," which would be right about when that site stopped working.

Google sites become invalid together with any sites with Let's encrypt issued certificates.

In my case, it's a lot more varied than just Google and Let's Encrypt certificates. Also, for example, worldmarket.com is working despite using Let's Encrypt.

What helps me is logging into another account (even without admin privileges), opening keychain and then just logging off to move back to my main account.

When you log into a second account, do you completely log out of your main account first? If so, I think you are triggering the same "reset" that occurs when I reboot my machine and then everything works for a few hours. Though in your case it's interesting that it works for a few days. I think the longest I've ever gone is about 27 hours.

If you don't log completely out of your main account first, I have no idea what's going on.

I tried these steps just now and it did not work:
Use Fast User Switching to go to the login screen *without* logging out of my main account.
Log into a second account.
Open Keychain Access.
Log out of second account.
Log back into main account.

I believe few months ago apple silently enforced https certificate security making it broken for some devices

I don't think this is something that Apple intentionally did, because if it was, there would be a heck of a lot more people having problems. As it is, I can only find five people on the internet saying they're having the problem, and one of them is running Windows.
 
  • Like
Reactions: levanid

levanid

macrumors newbie
Nov 14, 2013
19
4
In my case, it's a lot more varied than just Google and Let's Encrypt certificates. Also, for example, worldmarket.com is working despite using Let's Encrypt.

Well, you might be right. I didn't check lot's of the sites for certificates I just know when I'm unable to open google docs and some of the Let's encrypt certified sites (like mrmacintosh.com) then it's broken again
When you log into a second account, do you completely log out of your main account first? If so, I think you are triggering the same "reset" that occurs when I reboot my machine and then everything works for a few hours.
In my case reboots don't help.
Yes I have to log out and log into another account, open keychain there and log off from that account to login to my personal one for everything to start working again.
This way it works without rebooting machine (despite logging off being kinda like almost rebooting in terms of activity on device)

I don't think this is something that Apple intentionally did, because if it was, there would be a heck of a lot more people having problems. As it is, I can only find five people on the internet saying they're having the problem, and one of them is running Windows.
Have you tired removing openssl@1.1 from brew?
 
Last edited:

levanid

macrumors newbie
Nov 14, 2013
19
4
I've completely removed all brew apps but it hasn't helped.
1598357419766.png


@tubedog Any clues how can I debug that situation? What leads to some certificates being not standards compliant?

1598357517978.png
 

levanid

macrumors newbie
Nov 14, 2013
19
4
Could please someone assist me with that case?
when I'm trying to connect to the host and receiving the:

Here's console error and fails log:

JSON:
error    13:03:04.075179 +0300    dasd    Activity <private> not tracked as being started, ignoring it
error    13:03:05.632622 +0300    com.apple.WebKit.Networking    Strict Trust Evaluation yielded status(-9802) for [1028:0x7feede350fd0]
error    13:03:05.632673 +0300    com.apple.WebKit.Networking    TIC SSL Trust Error [1028:0x7feede350fd0]: 3:0
error    13:03:05.738772 +0300    com.apple.WebKit.Networking    Strict Trust Evaluation yielded status(-9802) for [1029:0x7feede235350]
error    13:03:05.738827 +0300    com.apple.WebKit.Networking    TIC SSL Trust Error [1029:0x7feede235350]: 3:0
error    13:03:05.869343 +0300    com.apple.WebKit.Networking    boringssl_context_alert_callback_handler(3817) <private>[0x7feede4f6100] Alert level: fatal, description: inappropriate fallback
error    13:03:05.869457 +0300    com.apple.WebKit.Networking    boringssl_session_errorlog(224) <private>[0x7feede4f6100] [boringssl_session_handshake_incomplete] SSL_ERROR_SSL(1): operation failed within the library
error    13:03:05.869537 +0300    com.apple.WebKit.Networking    boringssl_session_handshake_error_print(205) <private>[0x7feede4f6100] <private>
error    13:03:05.869604 +0300    com.apple.WebKit.Networking    boringssl_context_get_error_code(3710) <private>[0x7feede4f6100] SSL_AD_INAPPROPRIATE_FALLBACK
error    13:03:05.872909 +0300    com.apple.WebKit.Networking    TIC TCP Conn Failed [1030:0x7feede3d94e0]: 3:-9860 Err(-9860)
error    13:03:05.875596 +0300    com.apple.WebKit.Networking    Task <10772895-25C5-4005-8AA3-ECFF0ED77B6F>.<5> HTTP load failed (error code: -1200 [3:-9860])
error    13:03:05.875706 +0300    com.apple.WebKit.Networking    Task <10772895-25C5-4005-8AA3-ECFF0ED77B6F>.<5> finished with error - code: -1200
error    13:03:05.875977 +0300    com.apple.WebKit.Networking    Task <10772895-25C5-4005-8AA3-ECFF0ED77B6F>.<5> load failed with error Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=<private>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=<private>, NSUnderlyingError=0x7feede4f6010 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9860, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9860}}, _kCFStreamErrorCodeKey=-9860} [-1200]
error    13:03:06.029551 +0300    com.apple.WebKit.Networking    Strict Trust Evaluation yielded status(-9802) for [1031:0x7feede540560]
error    13:03:06.029607 +0300    com.apple.WebKit.Networking    TIC SSL Trust Error [1031:0x7feede540560]: 3:0
error    13:03:06.089110 +0300    dasd    Activity <private> not tracked as being started, ignoring it
error    13:03:06.187042 +0300    com.apple.WebKit.Networking    Strict Trust Evaluation yielded status(-9802) for [1032:0x7feede3d94e0]
error    13:03:06.187098 +0300    com.apple.WebKit.Networking    TIC SSL Trust Error [1032:0x7feede3d94e0]: 3:0
error    13:03:06.812496 +0300    com.apple.WebKit.Networking    boringssl_context_alert_callback_handler(3817) <private>[0x7feede3389e0] Alert level: fatal, description: inappropriate fallback
error    13:03:06.812589 +0300    com.apple.WebKit.Networking    boringssl_session_errorlog(224) <private>[0x7feede3389e0] [boringssl_session_handshake_incomplete] SSL_ERROR_SSL(1): operation failed within the library
error    13:03:06.812624 +0300    com.apple.WebKit.Networking    boringssl_session_handshake_error_print(205) <private>[0x7feede3389e0] <private>
error    13:03:06.812656 +0300    com.apple.WebKit.Networking    boringssl_context_get_error_code(3710) <private>[0x7feede3389e0] SSL_AD_INAPPROPRIATE_FALLBACK
error    13:03:06.820693 +0300    com.apple.WebKit.Networking    TIC TCP Conn Failed [1033:0x7feede509410]: 3:-9860 Err(-9860)
error    13:03:06.835044 +0300    com.apple.WebKit.Networking    Task <8842A367-30D4-4055-8226-957D5CD5B1CA>.<6> HTTP load failed (error code: -1200 [3:-9860])
error    13:03:06.835141 +0300    com.apple.WebKit.Networking    Task <8842A367-30D4-4055-8226-957D5CD5B1CA>.<6> finished with error - code: -1200
error    13:03:06.835408 +0300    com.apple.WebKit.Networking    Task <8842A367-30D4-4055-8226-957D5CD5B1CA>.<6> load failed with error Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=<private>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=<private>, NSUnderlyingError=0x7feede444f90 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9860, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9860}}, _kCFStreamErrorCodeKey=-9860} [-1200]
error    13:03:06.849217 +0300    Safari    Web view (pid: 19127) did fail provisional navigation (Error Domain=NSURLErrorDomain Code=-1200)
error    13:03:06.849364 +0300    Safari    Displaying webpage loading error to user: Error Domain=NSURLErrorDomain Code=-1200, networkTaskDescription: LocalDataTask <8842A367-30D4-4055-8226-957D5CD5B1CA>.<6>.
error    13:03:07.041705 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.041871 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.042133 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.042365 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.042625 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.043890 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.044083 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.044424 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.044589 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
error    13:03:07.044761 +0300    com.apple.WebKit.WebContent    flock failed to lock maps file: errno = 35
fault    13:03:07.361110 +0300    com.apple.WebKit.WebContent    NSSecureCoding allowed classes list contains [NSObject class], which bypasses security by allowing any Objective-C class to be implicitly decoded. Consider reducing the scope of allowed classes during decoding by listing only the classes you expect to decode, or a more specific base class than NSObject.
error    13:03:07.552306 +0300    deleted    unable to create CacheDeleteDaemonVolume for <private>
error    13:03:07.927574 +0300    dasd    Activity <private> not tracked as being started, ignoring it
 
Last edited:

levanid

macrumors newbie
Nov 14, 2013
19
4
Today I had to reinstall Mojave to properly update to 2020-005 security update with safari 14. Quoted this in other thread here
However I'm still facing the same issue with some certificates. Maybe @ClassicII might help (I asked you on twitter, but got no response).

1601408539757.png


I'm completely confused on what to do and what my next steps should be here?
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.