
boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
11/01/23 updated with new error #4 test results, and added missed "I tried" items.
11/14/23 clarified testing for error 2.


I'm running a mid-2010 Macbook Pro 17", High Sierra 10.13.6, iTunes 12.8.3.1, iPhone 15 Pro Max on iOS 17.1.

HELP! In the last month, I've been getting a string of "network" or “server” related errors that seem to be caused by a single connection problem that I can't identify. I'm certain they are related because every system install/reinstall I try, that they occur in, they are present as a group. It's never just one or two of them.


Errors found so far, in no particular order:

1. App Store > Updates: won't talk to the server any more.
I get error: "An error has occurred / This operation couldn't be completed. / (NSURLErrorDomain error -1012.)"

2. When I plug in my new iPhone 15, I'm prompted to install updates to support the phone. I agree. I get a network error.
I get error "Installation failed / Can't download the software because of a network problem."
Note:
Make sure you have the latest iTunes for High Sierra, 12.8.3 if you want to test for this issue. You have to install it manually, as it never appeared in the App Store "Updates" for many users. Otherwise your results may be inaccurate. Download iTunes 12.8.3 for Mac

3. System Preferences > Internet Accounts > *adding a Google or Yahoo* account pops up a perpetually loading empty window, and an error popup on top of that.
I get error: "Connection Insecure / Failed to verify the server certificate. This could be because your network configuration or your proxy settings."

4. When I run the [small] High Sierra installer from the Mac App Store (attempt to reinstall), it fails talking to the server.
I get error: "The recovery server could not be contacted."


More errors I suspect, but cannot be easily tested.

5. I tried Apple Support, but then Screen Sharing fails. It worked fine about a month ago. Now it shows a successful connection on my end, but the Apple Support rep never gets the video. Sorry, no error for this one.
-I would need Apple Support to test.

6. Recovery Mode (to reinstall High Sierra) can't contact server.
I get error: "The recovery server could not be contacted."
-I think it's failing nearly the same connection as #4 above, but I thought this was OS independent, so I'm unsure if related.


Solutions for workaround, but not the fix:

A. I have installed fresh copies of High Sierra onto thumb drives with latest compatible iTunes, and errors 1, 2, 3, 4 all go away completely. Obviously, I can't run off a thumb drive. I tried installing fresh High Sierras onto regular drives, but on the first boot up, they already have errors 1, 2, 3, 4. I can't explain it. I’m NOT importing ANYTHING from the original problem system.

B. I installed fresh copies of unsupported Mojave systems onto regular drives and errors 1, 2, 3 all go away completely. Error 4 can't be tested on Mojave because High Sierra installers aren't allowed to run on higher OS versions. However, this system was unsupported on my hardware and prohibitively slow. I can't use it long term.


Things to Note

-I have no VPN
-I have no anti-virus
-I made no system changes to be suspect.
-Migration Assistant (everything selected) will NOT migrate the errors from a bad High Sierra system to a fresh Mojave system. Thumb drive High Sierras too slow to test the same way.


Things I Tried

-I’ve lost track of how many High Sierra fresh installs I have tried on internal and external drives = exact same errors.
-The error systems and the working systems are all using the same laptop, same router, and same internet connection. Just to make everybody happy, I still tried all the errors under a secondary Wi-Fi router and secondary internet connection = exact same errors.
-I tried error systems over a cellular personal hotspot = exact same errors.
-I tried error systems with a VPN (via cell personal hotspot) = exact same error.
-I had Little Snitch but disabled it = exact same errors.
-I disabled the system Firewall = exact same errors.
-I restarted in Safe Mode = exact same errors.
-I cleared NVRAM = exact same errors.
-Apple Support suggested I reinstall High Sierra on top of itself = exact same errors.
-On the error systems, I tested alternate admin user accounts, existing and new = exact same errors.
-I tried to clone a working thumb drive High Sierra to a hard drive instead, but it refused to boot.
-I've also tried troubleshooting each error individually, and so far all solutions fail except my workarounds above.

DarkPremiumCho

macrumors 6502
Mar 2, 2023
264
176
Very likely expired TLS certificates and/or TLS components in High Sierra. Apple refused your connection because a secured connection couldn't be established.

You see, Mojave is old but not that obsolete so you didn't get those errors.

For troubleshooting, what's the output when you run these 2 commands in Terminal?

curl -vvv -X HEAD https://amp-api.apps.apple.com

curl -vvvk -X HEAD https://amp-api.apps.apple.com

I assumed you have the skill since you're using Little Snitch. Test more Apple-related hosts with and without the -k if you could.
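The with/without `-k` comparison requested above can be read mechanically from saved transcripts. The script below is an added example, not part of any post in this thread: the `amp_*` samples are trimmed from the output posted later in the thread, while the `bad_*` and `down_*` samples and all function and file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: triage saved `curl -v` transcripts.

# classify_tls: read one transcript on stdin, print "<tls-verdict> <http-status>".
#   ok       = curl printed "SSL certificate verify ok"
#   bypassed = validation failed but -k let the transfer continue
#   fail     = curl aborted on the certificate (exit code 51 or 60)
#   unknown  = no TLS verdict at all (DNS, TCP or protocol failure)
classify_tls() {
  awk '
    { gsub(/\r/, "") }   # header lines copied from a terminal may end in CR
    /SSL certificate verify ok/                          { tls = "ok" }
    /SSL certificate verify result: .*continuing anyway/ { tls = "bypassed" }
    /^curl: \((51|60)\)/                                 { tls = "fail" }
    /^< HTTP\//                                          { http = $3 }
    END {
      if (tls == "")  tls = "unknown"
      if (http == "") http = "-"
      print tls, http
    }'
}

# compare_runs PLAIN_FILE INSECURE_FILE: combine the run without -k and the
# run with -k into one verdict. Runs in a subshell so variables stay local.
compare_runs() (
  plain=$(classify_tls < "$1")
  insecure=$(classify_tls < "$2")
  case "${plain%% *}/${insecure%% *}" in
    ok/*)                  echo "curl-trust-ok (HTTP ${plain#* })" ;;
    fail/ok|fail/bypassed) echo "certificate-rejected" ;;
    *)                     echo "not-a-certificate-problem" ;;
  esac
)

# write_samples DIR: create the sample transcripts described in the lead-in.
write_samples() {
  dir=$1
  # Trimmed from the thread: TLS verified, then an HTTP-level 404.
  cat > "$dir/amp_plain.txt" <<'EOF'
*   CAfile: /etc/ssl/cert.pem
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
*  subjectAltName: host "amp-api.apps.apple.com" matched cert's "amp-api.apps.apple.com"
*  SSL certificate verify ok.
< HTTP/2 404
curl: (18) transfer closed with 548 bytes remaining to read
EOF
  cat > "$dir/amp_k.txt" <<'EOF'
*   CAfile: /etc/ssl/cert.pem
*  SSL certificate verify ok.
< HTTP/2 404
curl: (18) transfer closed with 548 bytes remaining to read
EOF
  # Constructed: what an untrusted chain looks like without and with -k.
  cat > "$dir/bad_plain.txt" <<'EOF'
*   CAfile: /etc/ssl/cert.pem
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
  cat > "$dir/bad_k.txt" <<'EOF'
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
< HTTP/1.1 200 OK
EOF
  # Constructed: the failure happens before TLS, so -k changes nothing.
  cat > "$dir/down_plain.txt" <<'EOF'
curl: (7) Failed to connect to host.example port 443: Connection refused
EOF
  cp "$dir/down_plain.txt" "$dir/down_k.txt"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for pair in amp bad down; do
  printf '%-5s %s\n' "$pair" \
    "$(compare_runs "$SAMPLES/${pair}_plain.txt" "$SAMPLES/${pair}_k.txt")"
done
```

A `curl-trust-ok` verdict followed by a 403 or 404 means the TLS layer succeeded and the status code comes from the HTTP layer. The verdict covers only the CA file that curl names in its own transcript; a client that validates against the system keychain trust store is evaluated separately.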
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
For troubleshooting, what's the output when you run these 2 commands in Terminal?

curl -vvv -X HEAD https://amp-api.apps.apple.com

curl -vvvk -X HEAD https://amp-api.apps.apple.com

I assumed you have the skill since you're using Little Snitch. Test more Apple-related hosts with and without the -k if you could.
just those 2 for the moment, from an affected High Sierra system. what other apple hosts should I try?


curl -vvv -X HEAD https://amp-api.apps.apple.com
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the


Warning: way you want. Consider using -I/--head instead.


* Rebuilt URL to: https://amp-api.apps.apple.com/


* Trying 2600:1406:6c00:19c::f55...


* TCP_NODELAY set


* Trying 23.208.8.122...


* TCP_NODELAY set


* Connected to amp-api.apps.apple.com (2600:1406:6c00:19c::f55) port 443 (#0)


* ALPN, offering h2


* ALPN, offering http/1.1


* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH


* successfully set certificate verify locations:


* CAfile: /etc/ssl/cert.pem


CApath: none


* TLSv1.2 (OUT), TLS handshake, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Server hello (2):


* TLSv1.2 (IN), TLS handshake, Certificate (11):


* TLSv1.2 (IN), TLS handshake, Server key exchange (12):


* TLSv1.2 (IN), TLS handshake, Server finished (14):


* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):


* TLSv1.2 (OUT), TLS change cipher, Client hello (1):


* TLSv1.2 (OUT), TLS handshake, Finished (20):


* TLSv1.2 (IN), TLS change cipher, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Finished (20):


* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384


* ALPN, server accepted to use h2


* Server certificate:


* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=amp-api.music.apple.com


* start date: Sep 6 18:47:02 2023 GMT


* expire date: Dec 5 18:57:02 2023 GMT


* subjectAltName: host "amp-api.apps.apple.com" matched cert's "amp-api.apps.apple.com"


* issuer: C=US; O=Apple Inc.; CN=Apple Public EV Server RSA CA 2 - G1


* SSL certificate verify ok.


* Using HTTP2, server supports multi-use


* Connection state changed (HTTP/2 confirmed)


* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0


* Using Stream ID: 1 (easy handle 0x7fa1a600f800)


> HEAD / HTTP/2


> Host: amp-api.apps.apple.com


> User-Agent: curl/7.54.0


> Accept: */*


>


* Connection state changed (MAX_CONCURRENT_STREAMS updated)!


< HTTP/2 404


< server: 4.0.0


< content-type: text/html


< content-length: 548


< x-apple-jingle-correlation-key: IUX2DNNNJ2D5NJ2GOHJ7LITI64


< x-daiquiri-instance: daiquiri:12282001:mr47p00it-qujn06080702:7987:23RELEASE169:daiquiri-amp-store-l7shared-ext-001-mr


< expires: Tue, 31 Oct 2023 14:25:12 GMT


< cache-control: max-age=0, no-cache, no-store


< pragma: no-cache


< date: Tue, 31 Oct 2023 14:25:12 GMT


< x-cache: TCP_MISS from a23-45-12-23.deploy.akamaitechnologies.com (AkamaiGHost/11.3.0.1-51931778) (-)


<


* transfer closed with 548 bytes remaining to read


* Closing connection 0


* TLSv1.2 (OUT), TLS alert, Client hello (1):


curl: (18) transfer closed with 548 bytes remaining to read


curl -vvvk -X HEAD https://amp-api.apps.apple.com
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the


Warning: way you want. Consider using -I/--head instead.


* Rebuilt URL to: https://amp-api.apps.apple.com/


* Trying 2600:1406:bc00:195::f55...


* TCP_NODELAY set


* Connected to amp-api.apps.apple.com (2600:1406:bc00:195::f55) port 443 (#0)


* ALPN, offering h2


* ALPN, offering http/1.1


* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH


* successfully set certificate verify locations:


* CAfile: /etc/ssl/cert.pem


CApath: none


* TLSv1.2 (OUT), TLS handshake, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Server hello (2):


* TLSv1.2 (IN), TLS handshake, Certificate (11):


* TLSv1.2 (IN), TLS handshake, Server key exchange (12):


* TLSv1.2 (IN), TLS handshake, Server finished (14):


* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):


* TLSv1.2 (OUT), TLS change cipher, Client hello (1):


* TLSv1.2 (OUT), TLS handshake, Finished (20):


* TLSv1.2 (IN), TLS change cipher, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Finished (20):


* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384


* ALPN, server accepted to use h2


* Server certificate:


* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=amp-api.music.apple.com


* start date: Sep 6 18:47:02 2023 GMT


* expire date: Dec 5 18:57:02 2023 GMT


* issuer: C=US; O=Apple Inc.; CN=Apple Public EV Server RSA CA 2 - G1


* SSL certificate verify ok.


* Using HTTP2, server supports multi-use


* Connection state changed (HTTP/2 confirmed)


* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0


* Using Stream ID: 1 (easy handle 0x7fda3a00f800)


> HEAD / HTTP/2


> Host: amp-api.apps.apple.com


> User-Agent: curl/7.54.0


> Accept: */*


>


* Connection state changed (MAX_CONCURRENT_STREAMS updated)!


< HTTP/2 404


< server: 4.0.0


< content-type: text/html


< content-length: 548


< x-apple-jingle-correlation-key: OR6QBS6LTYCH5JMDX6F6OEPXR4


< x-daiquiri-instance: daiquiri:42282002:st53p00it-qujn13050102:7987:23RELEASE169:daiquiri-amp-store-l7shared-ext-001-st


< expires: Tue, 31 Oct 2023 14:35:47 GMT


< cache-control: max-age=0, no-cache, no-store


< pragma: no-cache


< date: Tue, 31 Oct 2023 14:35:47 GMT


< x-cache: TCP_MISS from a23-45-44-61.deploy.akamaitechnologies.com (AkamaiGHost/11.3.0.1-51931778) (-)


<


* transfer closed with 548 bytes remaining to read


* Closing connection 0


* TLSv1.2 (OUT), TLS alert, Client hello (1):


curl: (18) transfer closed with 548 bytes remaining to read


You see, Mojave is old but not that obsolete so you didn't get those errors.
But the thumb drive High Sierras are fine... See why I am so confused?
 

DarkPremiumCho

macrumors 6502
Mar 2, 2023
264
176
Apologies. I misread your Solution A.

From your test results, High Sierra did not have problems talking to amp-api.apps.apple.com. That's a host for part of the App Store function.

But all of the error messages indicate that High Sierra couldn't establish a secure connection to Apple's server.

It might be necessary to test other Apple hosts to find the culprit. If you don't mind the tediousness:

In Terminal, run:

curl -vvv -X HEAD https://gil.apple.com/

curl -vvv -X HEAD https://swscan.apple.com/

softwareupdate -l

Also run these 3 commands in your thumb drive High Sierra.



In Safari, visit these websites:


See if you get any error. Also click the padlock icon on address bar, show the certificate, make a screenshot of that.

Also install Firefox browser and repeat.

If possible, repeat in your thumb drive High Sierra.



My speculation is something went wrong when connecting to swscan.apple.com. This domain is responsible for software updates.

gil.apple.com is the one relating to Internet Accounts. We test that for the Error 3.
 

MBAir2010

macrumors 603
May 30, 2018
6,433
5,920
there
Catalina is experiencing these iCloud can't connect issues since last week as well
macbook pro 2012
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
Apologies. I misread your Solution A.
no worries, it's a complicated post

In Terminal, run:

curl -vvv -X HEAD https://gil.apple.com/

curl -vvv -X HEAD https://swscan.apple.com/

softwareupdate -l
All results on this post are from the "error" High Sierra system:
I will do a second post for the working system.

curl -vvv -X HEAD https://gil.apple.com/
$ curl -vvv -X HEAD https://gil.apple.com/


Warning: Setting custom HTTP method to HEAD with -X/--request may not work the


Warning: way you want. Consider using -I/--head instead.


* Trying 17.122.192.32...


* TCP_NODELAY set


* Connected to gil.apple.com (17.122.192.32) port 443 (#0)


* ALPN, offering h2


* ALPN, offering http/1.1


* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH


* successfully set certificate verify locations:


* CAfile: /etc/ssl/cert.pem


CApath: none


* TLSv1.2 (OUT), TLS handshake, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Server hello (2):


* TLSv1.2 (IN), TLS handshake, Certificate (11):


* TLSv1.2 (IN), TLS handshake, Server finished (14):


* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):


* TLSv1.2 (OUT), TLS change cipher, Client hello (1):


* TLSv1.2 (OUT), TLS handshake, Finished (20):


* TLSv1.2 (IN), TLS change cipher, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Finished (20):


* SSL connection using TLSv1.2 / AES256-SHA


* ALPN, server accepted to use http/1.1


* Server certificate:


* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=gil.apple.com


* start date: Oct 5 21:11:05 2023 GMT


* expire date: Nov 3 21:11:04 2024 GMT


* subjectAltName: host "gil.apple.com" matched cert's "gil.apple.com"


* issuer: C=US; O=Apple Inc.; CN=Apple Public EV Server RSA CA 1 - G1


* SSL certificate verify ok.


> HEAD / HTTP/1.1


> Host: gil.apple.com


> User-Agent: curl/7.54.0


> Accept: */*


>


< HTTP/1.1 403 Forbidden


* no chunk, no close, no size. Assume close to signal end


<


* TLSv1.2 (IN), TLS alert, Client hello (1):


* Closing connection 0


* TLSv1.2 (OUT), TLS alert, Client hello (1):

curl -vvv -X HEAD https://swscan.apple.com/
$ curl -vvv -X HEAD https://swscan.apple.com/


Warning: Setting custom HTTP method to HEAD with -X/--request may not work the


Warning: way you want. Consider using -I/--head instead.


* Trying 2600:1406:3400:3a2::1759...


* TCP_NODELAY set


* Connected to swscan.apple.com (2600:1406:3400:3a2::1759) port 443 (#0)


* ALPN, offering h2


* ALPN, offering http/1.1


* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH


* successfully set certificate verify locations:


* CAfile: /etc/ssl/cert.pem


CApath: none


* TLSv1.2 (OUT), TLS handshake, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Server hello (2):


* TLSv1.2 (IN), TLS handshake, Certificate (11):


* TLSv1.2 (IN), TLS handshake, Server key exchange (12):


* TLSv1.2 (IN), TLS handshake, Server finished (14):


* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):


* TLSv1.2 (OUT), TLS change cipher, Client hello (1):


* TLSv1.2 (OUT), TLS handshake, Finished (20):


* TLSv1.2 (IN), TLS change cipher, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Finished (20):


* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384


* ALPN, server accepted to use http/1.1


* Server certificate:


* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=swdist.apple.com


* start date: Sep 18 21:10:34 2023 GMT


* expire date: Dec 17 21:20:34 2023 GMT


* subjectAltName: host "swscan.apple.com" matched cert's "swscan.apple.com"


* issuer: C=US; O=Apple Inc.; CN=Apple Public EV Server RSA CA 2 - G1


* SSL certificate verify ok.


> HEAD / HTTP/1.1


> Host: swscan.apple.com


> User-Agent: curl/7.54.0


> Accept: */*


>


< HTTP/1.1 404 Not Found


< Server: dlb/1.0.2


< Content-Length: 0


< Strict-Transport-Security: max-age=31536000; includeSubDomains;


< CDNUUID: 31d223b7-df05-4f1f-ad7d-7b8dbe7ec618-634409400


< Strict-Transport-Security: max-age=31536000; includeSubDomains


< Expires: Tue, 31 Oct 2023 20:57:57 GMT


< Date: Tue, 31 Oct 2023 20:56:58 GMT


< Connection: keep-alive


<


* Connection #0 to host swscan.apple.com left intact

softwareupdate -l
$ softwareupdate -l


Software Update Tool





Finding available software


The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

In Safari, visit these websites:


See if you get any error. Also click the padlock icon on address bar, show the certificate, make a screenshot of that.

Also install Firefox browser and repeat.

Where exactly am I looking for errors?

using Safari 11.1.2 (latest in High Sierra)
https://gil.apple.com = blank
https://swscan.apple.com/ = blank

using Firefox 115.4.0esr
https://gil.apple.com = blank
https://swscan.apple.com/ = blank

How much certificate do you want to see?
Looks like it would take 3 screenshots for full length in Safari, and 7 or more in Firefox (has 2 more tabs worth of info also).

Screenshot 2023-10-31 at 2.07.28 PM.png


Screenshot 2023-10-31 at 2.08.43 PM.png


Screenshot 2023-10-31 at 2.50.12 PM.png


Screenshot 2023-10-31 at 2.51.00 PM.png


gil.apple.com is the one relating to Internet Accounts. We test that for the Error 3.
Here are photos of #3, error and working. I thought the failure was getting remote Google/Yahoo data, but you would know better than me.

error:
7438964b-25f0-40fe-b57f-0260123f4362.png


working (google and yahoo):
Image uploading not fast enough here. I'll have to come back from a non_thumb drive system.
Screen Shot 2023-10-31 at 3.45.32 PM.png

Screen Shot 2023-10-31 at 3.57.09 PM.png
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
In Terminal, run:

curl -vvv -X HEAD https://gil.apple.com/

curl -vvv -X HEAD https://swscan.apple.com/

softwareupdate -l
All results on this post are from the "working" High Sierra system:
See previous post for the error system.

curl -vvv -X HEAD https://gil.apple.com/
$ curl -vvv -X HEAD https://gil.apple.com/


Warning: Setting custom HTTP method to HEAD with -X/--request may not work the


Warning: way you want. Consider using -I/--head instead.


* Trying 17.122.192.32...


* TCP_NODELAY set


* Connected to gil.apple.com (17.122.192.32) port 443 (#0)


* ALPN, offering h2


* ALPN, offering http/1.1


* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH


* successfully set certificate verify locations:


* CAfile: /etc/ssl/cert.pem


CApath: none


* TLSv1.2 (OUT), TLS handshake, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Server hello (2):


* TLSv1.2 (IN), TLS handshake, Certificate (11):


* TLSv1.2 (IN), TLS handshake, Server finished (14):


* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):


* TLSv1.2 (OUT), TLS change cipher, Client hello (1):


* TLSv1.2 (OUT), TLS handshake, Finished (20):


* TLSv1.2 (IN), TLS change cipher, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Finished (20):


* SSL connection using TLSv1.2 / AES256-SHA


* ALPN, server accepted to use http/1.1


* Server certificate:


* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=gil.apple.com


* start date: Oct 5 21:11:05 2023 GMT


* expire date: Nov 3 21:11:04 2024 GMT


* subjectAltName: host "gil.apple.com" matched cert's "gil.apple.com"


* issuer: C=US; O=Apple Inc.; CN=Apple Public EV Server RSA CA 1 - G1


* SSL certificate verify ok.


> HEAD / HTTP/1.1


> Host: gil.apple.com


> User-Agent: curl/7.54.0


> Accept: */*


>


< HTTP/1.1 403 Forbidden


* no chunk, no close, no size. Assume close to signal end


<


* TLSv1.2 (IN), TLS alert, Client hello (1):


* Closing connection 0


* TLSv1.2 (OUT), TLS alert, Client hello (1):

curl -vvv -X HEAD https://swscan.apple.com/
$ curl -vvv -X HEAD https://swscan.apple.com/


Warning: Setting custom HTTP method to HEAD with -X/--request may not work the


Warning: way you want. Consider using -I/--head instead.


* Trying 2600:1406:d400:1a9::1759...


* TCP_NODELAY set


* Connected to swscan.apple.com (2600:1406:d400:1a9::1759) port 443 (#0)


* ALPN, offering h2


* ALPN, offering http/1.1


* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH


* successfully set certificate verify locations:


* CAfile: /etc/ssl/cert.pem


CApath: none


* TLSv1.2 (OUT), TLS handshake, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Server hello (2):


* TLSv1.2 (IN), TLS handshake, Certificate (11):


* TLSv1.2 (IN), TLS handshake, Server key exchange (12):


* TLSv1.2 (IN), TLS handshake, Server finished (14):


* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):


* TLSv1.2 (OUT), TLS change cipher, Client hello (1):


* TLSv1.2 (OUT), TLS handshake, Finished (20):


* TLSv1.2 (IN), TLS change cipher, Client hello (1):


* TLSv1.2 (IN), TLS handshake, Finished (20):


* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384


* ALPN, server accepted to use http/1.1


* Server certificate:


* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=swdist.apple.com


* start date: Sep 18 21:10:34 2023 GMT


* expire date: Dec 17 21:20:34 2023 GMT


* subjectAltName: host "swscan.apple.com" matched cert's "swscan.apple.com"


* issuer: C=US; O=Apple Inc.; CN=Apple Public EV Server RSA CA 2 - G1


* SSL certificate verify ok.


> HEAD / HTTP/1.1


> Host: swscan.apple.com


> User-Agent: curl/7.54.0


> Accept: */*


>


< HTTP/1.1 404 Not Found


< Server: dlb/1.0.2


< Content-Length: 0


< Strict-Transport-Security: max-age=31536000; includeSubDomains;


< CDNUUID: 31d223b7-df05-4f1f-ad7d-7b8dbe7ec618-637830338


< Strict-Transport-Security: max-age=31536000; includeSubDomains


< Expires: Tue, 31 Oct 2023 23:35:32 GMT


< Date: Tue, 31 Oct 2023 23:33:52 GMT


< Connection: keep-alive


<


* Connection #0 to host swscan.apple.com left intact

softwareupdate -l
$ softwareupdate -l


Software Update Tool





Finding available software


No new software available.

In Safari, visit these websites:


See if you get any error. Also click the padlock icon on address bar, show the certificate, make a screenshot of that.

Also install Firefox browser and repeat.

using Safari 13.1.2 (latest in High Sierra)
https://gil.apple.com = blank
https://swscan.apple.com/ = blank

using Firefox 115.4.0esr
https://gil.apple.com = blank
https://swscan.apple.com/ = blank

Screen Shot 2023-10-31 at 4.55.23 PM.png


Screen Shot 2023-10-31 at 4.58.10 PM.png


Screen Shot 2023-10-31 at 5.28.22 PM.png


Screen Shot 2023-10-31 at 5.24.02 PM.png
 

DarkPremiumCho

macrumors 6502
Mar 2, 2023
264
176
OK, from current info it’s about swscan.apple.com

I am outside typing this on my phone, will edit with more information later. We’ll see if we can find the culprit.
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
OK, from current info it’s about swscan.apple.com

I am outside typing this on my phone, will edit with more information later. We’ll see if we can find the culprit.

I just now added the missing pics to the end of the "error" system test results post, and added the certificate pics to the "working" system test results post as well.

Sidenote, despite running a fully updated High Sierra system (I THOUGHT), I discovered Safari is v11.1.2, but the freshly installed thumb High Sierra system is running Safari v13.1.2. Whaaaaat?
 

DarkPremiumCho

macrumors 6502
Mar 2, 2023
264
176
Sidenote, despite running a fully updated High Sierra system (I THOUGHT), I discovered Safari is v11.1.2, but the freshly installed thumb High Sierra system is running Safari v13.1.2. Whaaaaat?

v11 is the version shipped with High Sierra. v13 is a 2-years-later newer release available for upgrading. Perhaps your thumb drive OS is somehow newer than the one on your regular drive, thus the Solution A works?




To summarize:

  • No problems using curl and browsers.
    • Conclusion: the built-in/standalone trusted certificates are ok.
  • No problems using softwareupdate -l on thumb drive, but got the -1012 error on regular drive.
    • Speculation 1: one or more functions work on the thumb drive but not on the regular drive, preventing the Mac from talking to swscan.apple.com, resulting in Errors 1, 2 and perhaps 3. And it's not about the trusted certificates.
    • Speculation 2: Perhaps it's the OCSP or certificate pinning or other security features. Unfortunately these are beyond my knowledge.
    • Speculation 3: Something that controls your Internet connection is automatically configuring some settings, and it treats your thumb drive OS and regular drive OS differently.



My suggestions:

  • clear NVRAM
  • try more different Internet connection settings:
    • changing DNS to 1.0.0.1 or 8.8.4.4
    • disabling IPv6
    • using a VPN service
    • using a SOCKS proxy
    • using a personal hotspot
  • Use a network debugger to do more troubleshooting.
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
v11 is the version shipped with High Sierra. v13 is a 2-years-later newer release available for upgrading. Perhaps your thumb drive OS is somehow newer than the one on your regular drive, thus the Solution A works?

I copied v13 over and it runs funny. It won't display the URL section or buttons. It won't open preferences either. It's funny because one of my troubleshooting steps was to reinstall High Sierra on top of itself (using the installer that has v13 Safari) and it didn't install the newer Safari.

Anyway...


Perhaps it's the OCSP or certificate pinning or other security features. Unfortunately these are beyond my knowledge.
Beyond me as well.

Something that controls your Internet connection is automatically configuring some settings, and it treats your thumb drive OS and regular drive OS differently.
Would this mean it's hardware based somehow? Since nothing had been installed or imported into any of the fresh High Sierra installations?

clear NVRAM
My bad, I did that too, but forgot to note it.

  • changing DNS to 1.0.0.1 or 8.8.4.4
  • disabling IPv6
I can try DNS. Do I need to restart or anything before testing results?

How do I disable IPv6?

  • using a VPN service
  • using a personal hotspot
I've tried connecting to internet over my mobile hotspot, both with and without VPN enabled. Does that count? There was no change.

  • using a SOCKS proxy
Where can I learn to do this?

  • Use a network debugger to do more troubleshooting.
Would need to learn this as well.
 

DarkPremiumCho

macrumors 6502
Mar 2, 2023
264
176
I copied v13 over and it runs funny

For system apps like Safari, copying is not a proper way to install. That's why you see malfunctioning components.

IIRC, even the latest High Sierra installer does not include Safari 13. The user has to update it via the App Store - Updates.

Would this mean it's hardware based somehow?

It's complicated. The gateway, be it your router or your hotspot-enabled phone, won't know you've changed a boot drive. Other possibilities are boot loader mod, network interface priorities or DHCP settings. We could dive into that later.

I can try DNS. Do I need to restart or anything before testing results?

Usually we don't need to restart. But just in case, run sudo killall -HUP mDNSResponder in Terminal to clear DNS cache.

As for the testing, we can now just use the softwareupdate -l command.

How do I disable IPv6?
I don't remember the verbatim text in High Sierra. It's in System Preferences - Networks - Your main interface (with a green dot) - details or advanced - TCP/IP - Configure IPv6 - set it to "link local only"

I've tried connecting to internet over my mobile hotspot, both with and without VPN enabled. Does that count? There was no change.

Sorry, I'm not a native English speaker. This is ambiguous for me. Is the VPN on your phone or on your Mac?

VPN on the phone does not affect hotspot clients like the Mac.

If you have the VPN set on the Mac and connected, make sure to set the VPN to handle all the traffic, then do the testing.

Where can I learn to do this?

We only take this way if all the previous attempts failed. Using a network debugger, we might see what's wrong with the connection. This involves software like Squid Cache, Fiddler, Charles, Proxyman, etc.



This is indeed a mystery I must say.
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
I'm a little short on time right now, but I'll address a few of these.

IIRC, even the latest High Sierra installer does not include Safari 13. The user has to update it via the App Store - Updates.

Safari 13 actually DID come from the latest High Sierra installer. It's never appeared in my updates. I'm looking for a way to install now.

I don't remember the verbatim text in High Sierra. It's in System Preferences - Networks - Your main interface (with a green dot) - details or advanced - TCP/IP - Configure IPv6 - set it to "link local only"

Correct, found it.

Sorry, I'm not a native English speaker. This is ambiguous for me. Is the VPN on your phone or on your Mac?

VPN on the phone does not affect hotspot clients like the Mac.

If you have the VPN set on the Mac and connected, make sure to set the VPN to handle all the traffic, then do the testing.



This is indeed a mystery I must say.

Your English sounds perfect to me.

VPN app is on phone only. "1.1.1.1" by Cloudflare.

Know a free VPN for Mac I can try for testing?

Mystery is driving me nuts.
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
Totally forgot. I updated the original post. I was able to verify error #4 *IS* related as well. I finally got another copy of the small installer to try on the working thumb drive High Sierra. I couldn't test on Mojave because the installer OS is "too old".
 

boredandlonely

macrumors regular
Original poster
Aug 28, 2008
124
16
1.1.1.1 supports macOS.



Maybe I miss something? I don't know too much about small installers. I always download the full installer and use createinstallmedia to make a bootable thumb drive.

1.1.1.1:
I was totally unaware. It's now installed, but I had to go backward about a year to get a version that would run on High Sierra. Running on default settings now.

High Sierra small installer:
That link is correct, but for unknown reasons, the App Store sometimes gives people a small (22 MB) installer instead of the full installer, and it downloads whatever else it needs as you attempt each installation. I don't believe it ever becomes a full installer. It stays small. According to multiple posts on Discussions.Apple.com, nobody knows why or who gets the small or the full installer.

When Apple Support told me to try reinstalling High Sierra (the first time), on top of the error High Sierra, the app store would only give me the small installer, and the small installer always failed and produced the error I documented in the first post.
 

boredandlonely

try more different Internet connection settings:
  • changing DNS to 1.0.0.1 or 8.8.4.4
  • disabling IPv6

Internet provider is down for now, and I'm on iPhone wifi hotspot.

1.0.0.1: same errors
8.8.4.4: same errors
IPv6 disabled: same errors.
 

boredandlonely

11/04/23 revised with new info

Well, I got an error-free High Sierra installed on my internal SSD!
I was also able to use Migration Assistant to import all my data/settings/etc. from my original problem High Sierra, and it DIDN'T migrate the errors with it! 🎉🎂🎈🍾

I DON'T want to call this "solved", because we couldn't find the original problem to fix it. Clean installing High Sierra and migrating your setup in is more of a workaround. I'm keeping the original OS in case anybody/I have more ideas to hunt the original problem down and actually fix it.


Important Clean Install High Sierra Notes:

1. BEFORE doing a Clean Install, log into your current system, go to System Preferences > Users & Groups, unlock the padlock, and Control-click on each user's name on the left of the window to get "Advanced Options". DO NOT MAKE ANY CHANGES, but write down each user's "User ID". You need these later to correctly import your current setup into the Clean Install.

2. DO NOT test Clean Installs for the errors. It will mess up how your current accounts migrate into the new Clean Install.

3. During your Clean Installation/Setup, use "Setup Assistant" to import ONLY the user account that has User ID "501" (or next lowest if no 501), plus "Applications", "Other Files & Folders", and "Computer and Network Settings" (I recommend all 3 options). Again, don't do the other users yet. It's best to do those later with "Migration Assistant". Click to start migration.
During import, you may get a warning popup that there are two different versions of iTunes. I just hit "skip" and dealt with it afterwards.

4. Don't worry yet about any of the original errors we are doing this to get away from.

5. After "Setup Assistant" finishes and your new system finishes starting up, if you want to import additional user accounts, go to Applications > Utilities > Migration Assistant and run it. Select the next user account in order of User ID again, likely "502" (or next lowest if no 502), and migrate that account only. DO NOT select the "Applications", "Other Files & Folders", and "Computer and Network Settings", as you ALREADY did these. DO NOT select any other users yet. Click to start migration.

6. After "Migration Assistant" finishes, repeat #5 above as needed for additional accounts, still one at a time, and still in order of User ID (503, 504, 505, etc.).

7. To fix the iPhone/iTunes connection error (thread post 1, error 2, way up there), you still need to manually update iTunes. The new High Sierra Clean Install you just finished installed an OLDER iTunes. Get iTunes 12.8.3 here: https://support.apple.com/kb/dl1977?locale=en_US

8. DON'T FREAK OUT if you still have the original errors. I discovered that the Clean Installation requires 1 restart to make them go away. Seriously. You probably restarted already during the "Setup Assistant" and/or the "Migration Assistant". If not, go ahead and restart now to make them go away.

9. Enjoy your fresh system!
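
Steps 1, 3, 5 and 6 above depend on knowing each account's User ID and migrating in ascending order. As an added example (not part of the original post), this shell function turns the output of `dscl . -list /Users UniqueID` into that order. The function names and sample accounts are constructed, and it assumes regular accounts have IDs of 501 and up.

```shell
#!/bin/sh
# migration_order: read "name uid" pairs (the format printed by
# `dscl . -list /Users UniqueID`) on stdin and print the regular
# accounts in ascending User ID order, one "uid name tool" per line.
# Assumption: regular (human) accounts have IDs of 501 and up.
migration_order() {
    awk '
        # Skip system accounts: underscore-prefixed names, negative or
        # non-numeric IDs, and anything below 501.
        $1 !~ /^_/ && $2 ~ /^[0-9]+$/ && $2 >= 501 { print $2, $1 }
    ' | sort -n | awk '
        # Lowest ID goes in during Setup Assistant (step 3); the rest
        # follow one at a time with Migration Assistant (steps 5-6).
        NR == 1 { print $1, $2, "Setup Assistant"; next }
                { print $1, $2, "Migration Assistant" }
    '
}

# Constructed sample in dscl output format (not taken from the thread).
sample_accounts() {
    cat <<'EOF'
_www                     70
daemon                   1
nobody                   -2
root                     0
kid                      503
alice                    501
guestwork                502
EOF
}

# On the Mac itself, before the clean install:
#   dscl . -list /Users UniqueID | migration_order
if [ "${1:-}" = "--demo" ]; then
    sample_accounts | migration_order
fi
```

Save the output somewhere outside the Mac, since the old system is unavailable once the clean install starts.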
 

boredandlonely

Revisions made on previous post!

I discovered that ALL Clean Installs still have the errors... until you restart them 1 time. There's no need to test Clean Installs before using them (as I was doing), and that will actually cause problems when you go to migrate into the Clean Install (as I learned personally).

That new info still doesn't explain the thumb drives, but oh well.

That's probably another clue to finding the main problem, but it's over my head.
 