Fair warning, this is long but hopefully comprehensive. Please ask any questions you think might help. I am desperate for a solution at this point.
I did find these two threads on Let's Encrypt's community indicating that others are having this problem with the exact symptoms that I am (random sites affected but Chrome says certs are valid, reboot fixes it temporarily, etc). At least I know I am not alone, but nothing there helps to resolve it.
Let's Encrypt thread 1
Let's Encrypt thread 2
As of approximately June 13, 2020, some secure sites that I try to visit in Google Chrome are showing a Privacy error, specifically
This includes google.com, docs.google.com, googlevideo.com, youtube.com, and gmail.com, as well as status.discordapp.com, cdn.superonefoods.com (though their site countymarketifalls.com works fine), worldmarket.com, and boardgamegeekstore.com. Sites that work fine include torn.com, abc.com, superuser.com, and this site.
I found an answer somewhere on one of the Stack Exchange sites (sorry, didn't save the URL) that suggested I drag-and-drop the image of the certificate onto my desktop, which copies the certificate, then add it to Keychain Access and manually trust it. I tried it for Google and that solved it for Google-related sites (except googlevideo.com). I have not done that for the other sites as there is clearly something wrong here and I am not doing that manually for every site.
When I click on the "Not Secure" bit before the URL, it says "Certificate (invalid)". Clicking on the words "Certificate (invalid)" shows me a chain of certificates, all of which say they are "valid". See screenshot for boardgamegeekstore.com. (Paradoxically, that site uses the same chain of certificates that superuser.com uses, and boardgamegeekstore.com doesn't work while superuser.com does.)
I am having a similar problem when my email client, Airmail Version 4.1 (618), tries to connect to imap.gmail.com (but not to imappro.zoho.com). This screenshot is rather long and cobbled together because it wouldn't let me expand the window, but this is the only place I see an error message regarding a certificate--Chrome shows "This certificate is valid," as seen above, for all certificates, even while simultaneously telling me the certificate is invalid on the error page.
I am not using a VPN or proxy. I do use Little Snitch, but I disabled it entirely and the problem persisted.
Besides what is built into the system as far as PHP, Python, etc., I do have the following installed via Homebrew:
To my knowledge nothing changed recently before the issue occurred.
This is also impacting the Discord app, but as far as I can tell, no other applications on my user account are having this problem. No other devices on my network are having any problems. As noted below, another user account on my computer is not exhibiting the problem in limited testing.
Rebooting sometimes seems to resolve the problem for a while, between several and 24 hours, before it starts occurring again.
Things I have tried in order to fix it:
* Incognito windows in Chrome. The problem persists. (I can bypass the warning for sites using HSTS in Incognito whereas I can't outside of Incognito, because of the way Incognito functions, but this does not resolve the underlying problem.)
* using Firefox. All of the sites in question, including Google before I "fixed" it, did and continue to work correctly in Firefox with no errors or warnings. (Firefox has been installed since before this problem started. My understanding is it has its own certificate store and does not use the system's, which would explain why it works fine.)
* temporarily disabling my firewall. It had no effect.
* updating Chrome. It updated to Version 83.0.4103.106 (Official Build) (64-bit), but did not fix anything. Sorry I forgot to note the before version, but I keep it up-to-date, so it would have been whatever the last Stable version was. Since then it has updated itself to 83.0.4103.116.
* cleared browsing data for "Download history" and "Cached images and files". It had no effect.
* disabled all extensions in Chrome. It had no effect.
* installed Security Update 2020-003 and macOS Mojave 10.14.6 Supplemental Update 2. During this process the computer rebooted and the problem was resolved for the remainder of the evening. Today the problem has returned.
* deleted
* ran
* logged into another account on my computer which has been setup for a while, well before these problems started, and was able to browse in Chrome and Safari without problem to the sites noted above. I have re-checked this from time to time and the other account is still working fine. This seems to indicate it's something with my user account, but see next item.
* disabled iCloud Keychain and deleted my login keychain in Keychain Access, so it was recreated on next login. Theoretically this puts it on par with the other user account but my user account is still having the problems.
* installed Security Update 2020-004 Mojave. Again, the reboot resolved it for a short period of time and then the issue resumed.
* compared certificates for superuser.com and boardgamegeekstore.com. The site-level certificates are identical except for the bits pertaining to each site. The intermediate- and root-level certificates are identical for each.
I did find these two threads on Let's Encrypt's community indicating that others are having this problem with the exact symptoms that I am (random sites affected but Chrome says certs are valid, reboot fixes it temporarily, etc). At least I know I am not alone, but nothing there helps to resolve it.
Let's Encrypt thread 1
Let's Encrypt thread 2
As of approximately June 13, 2020, some secure sites that I try to visit in Google Chrome are showing a Privacy error, specifically
NET::ERR_CERT_AUTHORITY_INVALID
. I am using Google Chrome Version 83.0.4103.116 (Official Build) (64-bit) on macOS 10.14.6. After further testing I am having this problem in Microsoft Edge (which is built on top of Chromium) and Safari, too (though not Firefox).This includes google.com, docs.google.com, googlevideo.com, youtube.com, and gmail.com, as well as status.discordapp.com, cdn.superonefoods.com (though their site countymarketifalls.com works fine), worldmarket.com, and boardgamegeekstore.com. Sites that work fine include torn.com, abc.com, superuser.com, and this site.
I found an answer somewhere on one of the Stack Exchange sites (sorry, didn't save the URL) that suggested I drag-and-drop the image of the certificate onto my desktop, which copies the certificate, then add it to Keychain Access and manually trust it. I tried it for Google and that solved it for Google-related sites (except googlevideo.com). I have not done that for the other sites as there is clearly something wrong here and I am not doing that manually for every site.
When I click on the "Not Secure" bit before the URL, it says "Certificate (invalid)". Clicking on the words "Certificate (invalid)" shows me a chain of certificates, all of which say they are "valid". See screenshot for boardgamegeekstore.com. (Paradoxically, that site uses the same chain of certificates that superuser.com uses, and boardgamegeekstore.com doesn't work while superuser.com does.)
I am having a similar problem when my email client, Airmail Version 4.1 (618), tries to connect to imap.gmail.com (but not to imappro.zoho.com). This screenshot is rather long and cobbled together because it wouldn't let me expand the window, but this is the only place I see an error message regarding a certificate--Chrome shows "This certificate is valid," as seen above, for all certificates, even while simultaneously telling me the certificate is invalid on the error page.
I am not using a VPN or proxy. I do use Little Snitch, but I disabled it entirely and the problem persisted.
Besides what is built into the system as far as PHP, Python, etc., I do have the following installed via Homebrew:
Code:
$ brew list
bchunk openssl@1.1 readline telnet youtube-dl
gdbm python sqlite xz
openssl@1.1
is a dependency of Python 3, per brew info python
. It is possible that is causing problems, but I don't know why that would have just now started causing problems, as it has been installed since February.To my knowledge nothing changed recently before the issue occurred.
This is also impacting the Discord app, but as far as I can tell, no other applications on my user account are having this problem. No other devices on my network are having any problems. As noted below, another user account on my computer is not exhibiting the problem in limited testing.
Rebooting sometimes seems to resolve the problem for a while, between several and 24 hours, before it starts occurring again.
Things I have tried in order to fix it:
* Incognito windows in Chrome. The problem persists. (I can bypass the warning for sites using HSTS in Incognito whereas I can't outside of Incognito, because of the way Incognito functions, but this does not resolve the underlying problem.)
* using Firefox. All of the sites in question, including Google before I "fixed" it, did and continue to work correctly in Firefox with no errors or warnings. (Firefox has been installed since before this problem started. My understanding is it has its own certificate store and does not use the system's, which would explain why it works fine.)
* temporarily disabling my firewall. It had no effect.
* updating Chrome. It updated to Version 83.0.4103.106 (Official Build) (64-bit), but did not fix anything. Sorry I forgot to note the before version, but I keep it up-to-date, so it would have been whatever the last Stable version was. Since then it has updated itself to 83.0.4103.116.
* cleared browsing data for "Download history" and "Cached images and files". It had no effect.
* disabled all extensions in Chrome. It had no effect.
* installed Security Update 2020-003 and macOS Mojave 10.14.6 Supplemental Update 2. During this process the computer rebooted and the problem was resolved for the remainder of the evening. Today the problem has returned.
* deleted
/var/db/crls/crlcache2.db
and rebooted. This resolved it for over 24 hours, at which point the issue started again.* ran
openssl s_client -connect docs.google.com:443
from the command line. It returned no errors, which I think means the problem seems to be limited to browsers and my email client.* logged into another account on my computer which has been setup for a while, well before these problems started, and was able to browse in Chrome and Safari without problem to the sites noted above. I have re-checked this from time to time and the other account is still working fine. This seems to indicate it's something with my user account, but see next item.
* disabled iCloud Keychain and deleted my login keychain in Keychain Access, so it was recreated on next login. Theoretically this puts it on par with the other user account but my user account is still having the problems.
* installed Security Update 2020-004 Mojave. Again, the reboot resolved it for a short period of time and then the issue resumed.
* compared certificates for superuser.com and boardgamegeekstore.com. The site-level certificates are identical except for the bits pertaining to each site. The intermediate- and root-level certificates are identical for each.