OS X El Capitan (10.11.6) Fix SSL Certificate Errors (in 2022)

[AphoticD]

In El Capitan, I am seeing some apps not connecting to servers due to outdated / expired SSL Certificates. This has been seen in Safari and when attempting to update select apps - Sublime Text and VSCodium in my experience.

This issue can be resolved by upgrading the System Roots certificates in Keychain Access.app, which will require access to a more recent Mac system (macOS Catalina 10.15.7 in my usage).

1. Terminal: Install the MacPorts script and bundle; `sudo port install apple-pki-bundle coreutils`
2. Terminal: Backup your existing System Keychain: `sudo cp /Library/Keychains/System.keychain /Library/Keychains/SystemElCap.keychain`
3. Terminal: Edit the pem install script to enable usage:`sudo vi /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh` (or pico, if preferred)
4. Terminal: At line 6, change: `if false; then` to `if true; then` and save.
_____
(Optional to install the pem keys included in this bundle)
5. Terminal: `sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /opt/local/share/apple-pki-bundle/apple-pki-bundle.pem`
_____
Go to your more recent Mac:
6. On your more recent system, open Keychain Access.app (/Applications/Utilities/)
7. Click System Roots in left pane
8. Click into Certificates pane and Select All (Cmd-A)
9. Right-click and Export X Items (or File > Export...)
10. Save as `catalina-rootkeys.pem` (or similar)
_____
Back on your El Capitan Mac:
11. Copy the saved pem key bundle to your El Capitan Mac. (copy into Home > Downloads or similar)
12. Terminal:`sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /Users/<username>/Downloads/catalina-rootkeys.pem` (replace `<username>` as needed)
13. Launch Keychain Access.app to verify installation OK.

You should now see no more expired dates in the System Roots certificates list. If there are expired certs, you'll need to repeat again from a more recent OS (Big Sur or later).

Example of an error caused by the expired System Root certificates (Sublime Text shown) on OS X El Capitan.



NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814) error exceptions logged in Console.app



Keychain Access.app on a more recent OS (macOS Catalina 10.15.7 shown)​

Welcome back El Capitan

 

[AphoticD]

For anyone not using MacPorts:

1. Save the below script as `pems_add_to_macOS_System_Keychain.sh`
2. Terminal: `chmod 755 pems_add_to_macOS_System_Keychain.sh` to allow exec
3. Terminal:`sudo ./pems_add_to_macOS_System_Keychain.sh <path_to_pem>`

#!/usr/bin/env bash

# Usage: pems_add_to_macOS_System_Keychain.sh trustedroot.pem

# change to true to add the trusted certicates
if true; then
    DIR="${TMPDIR}/trustedroot.$$"

    mkdir -p "${DIR}"
    trap "rm -rf '${DIR}'" EXIT
    ( cd "${DIR}" && split -p '^-----BEGIN CERTIFICATE-----$' - cert- ) < "$1"

    for c in "${DIR}"/cert-* ; do
        # use the pem if its expiration is more than a week away
        if openssl x509 -checkend 604800 -noout -in "${c}" 1> /dev/null 2>&1; then
            security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "${c}"
        fi
    done
else
    cat <<'INSTRUCTIONS'
Edit this script to add certificates from a trusted PEM file
to the macOS System Keychain /Library/Keychains/System.keychain.
Please make sure that you have a reliable backup of this file
before running the script.
INSTRUCTIONS
fi

rm -rf "${DIR}"

 

[knutsen]

For anyone not using MacPorts:

1. Save the below script as `pems_add_to_macOS_System_Keychain.sh`
2. Terminal: `chmod 755 pems_add_to_macOS_System_Keychain.sh` to allow exec
3. Terminal:`./pems_add_to_macOS_System_Keychain.sh <path_to_pem>`

#!/usr/bin/env bash

# Usage: pems_add_to_macOS_System_Keychain.sh trustedroot.pem

# change to true to add the trusted certicates
if true; then
    DIR="${TMPDIR}/trustedroot.$$"

    mkdir -p "${DIR}"
    trap "rm -rf '${DIR}'" EXIT
    ( cd "${DIR}" && gcsplit -f cert- -b '%03x' -s -z - '/^-----END CERTIFICATE-----$/+1' '{*}' ) < "$1"

    for c in "${DIR}"/cert-* ; do
        # use the pem if its expiration is more than a week away
        if openssl x509 -checkend 604800 -noout -in "${c}" 1> /dev/null 2>&1; then
            security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "${c}"
        fi
    done
else
    cat <<'INSTRUCTIONS'
Edit this script to add certificates from a trusted PEM file
to the macOS System Keychain /Library/Keychains/System.keychain.
Please make sure that you have a reliable backup of this file
before running the script.
INSTRUCTIONS
fi

rm -rf "${DIR}"

This did not work for me, because I don't have GNU coreutils installed.

What _did_ work was to replace line 11 with this:

( cd "${DIR}" && split -p '^-----BEGIN CERTIFICATE-----$' - cert- ) < "$1"

In addition, I had to run the script with sudo:

sudo ./pems_add_to_macOS_System_Keychain.sh <path_to_pem>

 

[jackerin]

What also worked for me (if you're inclined to trust selected parts of the internet) was installing isrgrootx1.pem from https://letsencrypt.org/certificates/ to the keychain. YMMV.

 

[AphoticD]

This did not work for me, because I don't have GNU coreutils installed.

What _did_ work was to replace line 11 with this:

*SNIP*

Perfect. Thanks for the contribution. I've updated the 2nd post with the edited shell script and sudo command. Working as expected on an El Cap system sans-macports.

 

[feelslikefriday]

Perfect. Thanks for the contribution. I've updated the 2nd post with the edited shell script and sudo command. Working as expected on an El Cap system sans-macports.

When I tried to run that script I got

-bash: syntax error near unexpected token `newline'

Any ideas as to why?
Thanks.

 

[feelslikefriday]

What also worked for me (if you're inclined to trust selected parts of the internet) was installing isrgrootx1.pem from https://letsencrypt.org/certificates/ to the keychain. YMMV.

I would totally go for that, but unfortunately:

 

[knutsen]

When I tried to run that script I got

-bash: syntax error near unexpected token `newline'

Any ideas as to why?
Thanks.

a) I'm not sure, but it's worth asking if you're aware that "<path_to_pem>" is not to be taken literally? Rather, substitute the full name of the *.pem file that you transferred over from a newer Mac. Likewise, you are not meant to type the backticks (``), merely what's inside them.

b) Failing that, please show us the output of `ls -al` and of `cat pems_add_to_macOS_System_Keychain.sh`

 

[feelslikefriday]

Hahaha. Thank for pointing out the obvious knutsen. I was panicking while trying to fix my wife's laptop (as she was panicking trying to finish an assessment, it rubbed off on me). I *did* took that <...> serisously (or more accurately wasn't reading your post properly). Had another go and all good now. Thanks soo much for your original post and setting me straight

 

[JesterMasque]

In El Capitan, I am seeing some apps not connecting to servers due to outdated / expired SSL Certificates. This has been seen in Safari and when attempting to update select apps - Sublime Text and VSCodium in my experience.

This issue can be resolved by upgrading the System Roots certificates in Keychain Access.app, which will require access to a more recent Mac system (macOS Catalina 10.15.7 in my usage).

1. Terminal: Install the MacPorts script and bundle; `sudo port install apple-pki-bundle coreutils`
2. Terminal: Backup your existing System Keychain: `sudo cp /Library/Keychains/System.keychain /Library/Keychains/SystemElCap.keychain`
3. Terminal: Edit the pem install script to enable usage:`sudo vi /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh` (or pico, if preferred)
4. Terminal: At line 6, change: `if false; then` to `if true; then` and save.
_____
(Optional to install the pem keys included in this bundle)
5. Terminal: `sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /opt/local/share/apple-pki-bundle/apple-pki-bundle.pem`
_____
Go to your more recent Mac:
6. On your more recent system, open Keychain Access.app (/Applications/Utilities/)
7. Click System Roots in left pane
8. Click into Certificates pane and Select All (Cmd-A)
9. Right-click and Export X Items (or File > Export...)
10. Save as `catalina-rootkeys.pem` (or similar)
_____
Back on your El Capitan Mac:
11. Copy the saved pem key bundle to your El Capitan Mac. (copy into Home > Downloads or similar)
12. Terminal:`sudo /opt/local/share/apple-pki-bundle/bin/pems_add_to_macOS_System_Keychain.sh /Users/<username>/Downloads/catalina-rootkeys.pem` (replace `<username>` as needed)
13. Launch Keychain Access.app to verify installation OK.

You should now see no more expired dates in the System Roots certificates list. If there are expired certs, you'll need to repeat again from a more recent OS (Big Sur or later).

View attachment 1967653
Example of an error caused by the expired System Root certificates (Sublime Text shown) on OS X El Capitan.


View attachment 1967654
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814) error exceptions logged in Console.app


View attachment 1967657
Keychain Access.app on a more recent OS (macOS Catalina 10.15.7 shown)​

Welcome back El Capitan

I just made this account to THANK YOU SO MUCH, because this was so easy, and just brought three of my old machines back to life! I run a recording studio, and have a lot of friends & clients with legacy equipment. I can't wait to bring this method to their attention.

You guys are amazing, I really appreciate this kind of community & support <3

 

[AphoticD]

I just made this account to THANK YOU SO MUCH, because this was so easy, and just brought three of my old machines back to life! I run a recording studio, and have a lot of friends & clients with legacy equipment. I can't wait to bring this method to their attention.

You guys are amazing, I really appreciate this kind of community & support <3

You’re welcome. Well done on keeping those old machines ticking along!

I’ve also got my El Capitan Macs setup for audio production use (a Mac Pro 2008, MacBook 2008, and Mac mini 2009). Still doing great in 2023 with Ableton, and a host of NI plugins.

I just need to make more time to play with music ideas

 

[aonez]

Thanks a lot! Works in 10.11, does not in 10.10.

 

[sdfox7]

Thanks a lot! Works in 10.11, does not in 10.10.

Hi, are you sure you installed the updated certificate? I've tested this on my systems going back to Snow Leopard 10.6. Here's Yosemite which you specifically mentioned:

These screenshots should help, you just have to follow them in the order I've provided. You will be prompted a couple times to update the Keychain, which I've shown below.

Once you've downloaded the isrgrootx1.pem, double-click on it. Then,

1) Change from "login" to "System":

2) If you have a password you will be prompted to authenticate. If not proceed to Step 3.

3) Navigate to "System" in the far left bar and double-click on the certificate with the "X":

4) In the window that opens, click on the dropdown for "Trust" and select "Always Trust":

5) If you have a password you will be prompted to authenticate again. If not proceed to Step 6.

6) Once you've done this, you will see blue X. You can now quit Keychain.

 

[aonez]

Hi, are you sure you installed the updated certificate?...

Thanks a lot for your reply sdfox7 and sorry, I should have been more descriptive. I've used the method to export and import the Keychain certificates from an updated version of macOS, did not used the downloaded pem file.

Anyway the result appears to be the same, since updated versions of macOS have those valid certificates and they were properly imported, specially the "ISRG Root X1". Safari works, I can browse almost any https without issue but one address I needed (https://www.kernel.org/) is not working.

The same procedure worked on Mac OS X 10.11, and since it was enough for me I did not investigated more.

Working on Mac OS X 10.11:

Same certificate, not working on Mac OS X 10.10. Trusted for all cases:

 

[sdfox7]

Thanks a lot for your reply sdfox7 and sorry, I should have been more descriptive. I've used the method to export and import the Keychain certificates from an updated version of macOS, did not used the downloaded pem file.

Anyway the result appears to be the same, since updated versions of macOS have those valid certificates and they were properly imported, specially the "ISRG Root X1". Safari works, I can browse almost any https without issue but one address I needed (https://www.kernel.org/) is not working.

The same procedure worked on Mac OS X 10.11, and since it was enough for me I did not investigated more.

Working on Mac OS X 10.11:

View attachment 2281653

Same certificate, not working on Mac OS X 10.10. Trusted for all cases:

View attachment 2281658

Safari 10 is too old for most websites. Google would probably work though, it even works in my old Windows 95 with Internet Explorer 3.02!

 

[aonez]

To be fair I was trying to install some packages using brew, so really just used Safari to show you the issue.

 

[sdfox7]

Many websites now block browsers that are older than a certain version.

Kernel.org (and every other website) loads in Chrome 87, the final supported version for Yosemite.

Also try Chromium Legacy for up to date versions of Chrome.

https://github.com/blueboxd/chromium-legacy/discussions/25

 

[LinkStormer]

I followed up your post and now App Store shows up this error:

 

[sdfox7]

I followed up your post and now App Store shows up this error:

Can you please be more specific? Which OS are you running? 10.13? This thread hasn't been posted to in almost a year.

You can probably correct the issue by confirming you have the latest updates installed.

El Capitan 10.11.6 (download the combo update, install, and then do the rest of the updates through App Store):

https://support.apple.com/en-us/106389

Sierra 10.12.6: https://support.apple.com/en-us/106425

High Sierra 10.13.6: https://support.apple.com/en-us/106398

 

[sdfox7]

PS El Capitan 10.11 updates perfectly in the App Store as of today, so if you are running that or anything older/newer you need to install the combo updates above, and make sure you have the updated ISRG Root X1 certificates file (right-click to download): isrgrootx1.pem