Chrome, Safari, and Airmail have stopped trusting random certificates, including Google- and Let's Encrypt-issued

This is something of a continuation of two prior threads, located here and here. I am having the same problems that those two folks are having. I have also found two other people that are having this problem through posts I made on Super User (though that person is using Windows) and the MacRumors forums.

I don’t know if it would be helpful to copy/paste my post from there to here, so I will put it at the end of this post after some new details I’ve just found.

The short version is after some undetermined amount of time (usually 3-5 hours) after rebooting, I begin having problems accessing some secure websites and services. Some of them are using Let’s Encrypt (such as boardgamegeekstore.com), but there are also problems with some Google sites (such as imap.gmail.com and youtube.com) and others. The fact that my email client is having problems with Gmail’s IMAP server shows it is not just a browser problem, but seems to be deeper in the system.

One interesting thing that has happened since this problem began back in June is that one site that was previously working has stopped working, superuser.com, and another site vice-versa, worldmarket.com. superuser.com’s certificate now shows “Not valid before Friday, August 7, 2020 at 8:01:00 AM Central Daylight Time,” which lines up with when it stopped working. Similarly, worldmarket.com now consistently works, and its certificate is not valid before July 20, 2020, which is about when it started working. I’m not sure if there’s a way to trace back what changed with the new certificates that caused this flip-flop? I believe cdn.superonefoods.com is now also working (certificate not valid before August 6, 2020).

Any help is very much appreciated. This is driving me insane.


This is my original post from MacRumors with all the details of my problem and steps I have tried to resolve it.

As of approximately June 13, 2020, some secure sites that I try to visit in Google Chrome are showing a Privacy error, specifically NET::ERR_CERT_AUTHORITY_INVALID. I am using Google Chrome Version 83.0.4103.116 (Official Build) (64-bit) on macOS 10.14.6. After further testing I am having this problem in Microsoft Edge (which is built on top of Chromium) and Safari, too (though not Firefox).

This includes google.com, docs.google.com, googlevideo.com, youtube.com, and gmail.com, as well as status.discordapp.com, cdn.superonefoods.com (though their site countymarketifalls.com works fine), worldmarket.com (now works), and boardgamegeekstore.com. Sites that work fine include torn.com, abc.com, superuser.com (no longer works), and this site.

I found an answer somewhere on one of the Stack Exchange sites (sorry, didn’t save the URL) that suggested I drag-and-drop the image of the certificate onto my desktop, which copies the certificate, then add it to Keychain Access and manually trust it. I tried it for Google and that solved it for Google-related sites (except googlevideo.com). I have not done that for the other sites as there is clearly something wrong here and I am not doing that manually for every site.

In Chrome, when I click on the “Not Secure” bit before the URL, it says “Certificate (invalid)”. Clicking on the words “Certificate (invalid)” shows me a chain of certificates, all of which say they are “valid”.

I am having a similar problem when my email client, Airmail Version 4.1 (618), tries to connect to imap.gmail.com (but not to imappro.zoho.com). This screenshot is rather long and cobbled together because it wouldn’t let me expand the window, but this is the only place I see an error message regarding a certificate–Chrome shows “This certificate is valid,” as seen above, for all certificates, even while simultaneously telling me the certificate is invalid on the error page.

I am not using a VPN or proxy. I do use Little Snitch, but I disabled it entirely and the problem persisted.

Besides what is built into the system as far as PHP, Python, etc., I do have the following installed via Homebrew:

$ brew list
bchunk      openssl@1.1 readline    telnet      youtube-dl
gdbm        python      sqlite      xz

openssl@1.1 is a dependency of Python 3, per brew info python. It is possible that is causing problems, but I don’t know why that would have just now started causing problems, as it has been installed since February.

To my knowledge nothing changed recently before the issue occurred.

This is also impacting the Discord app, but as far as I can tell, no other applications on my user account are having this problem. No other devices on my network are having any problems. As noted below, another user account on my computer is not exhibiting the problem in limited testing.

Rebooting sometimes seems to resolve the problem for a while, between several and 24 hours, before it starts occurring again.

Things I have tried in order to fix it:

  • Incognito windows in Chrome. The problem persists. (I can bypass the warning for sites using HSTS in Incognito whereas I can’t outside of Incognito, because of the way Incognito functions, but this does not resolve the underlying problem.)

  • using Firefox. All of the sites in question, including Google before I “fixed” it, did and continue to work correctly in Firefox with no errors or warnings. (Firefox has been installed since before this problem started. My understanding is it has its own certificate store and does not use the system’s, which would explain why it works fine.)

  • temporarily disabling my firewall. It had no effect.

  • updating Chrome. It updated to Version 83.0.4103.106 (Official Build) (64-bit), but did not fix anything. Sorry I forgot to note the before version, but I keep it up-to-date, so it would have been whatever the last Stable version was. Since then it has updated itself to 83.0.4103.116 and then to 84.0.4147.125.

  • cleared browsing data for “Download history” and “Cached images and files”. It had no effect.

  • disabled all extensions in Chrome. It had no effect.

  • installed Security Update 2020-003 and macOS Mojave 10.14.6 Supplemental Update 2. During this process the computer rebooted and the problem was resolved for the remainder of the evening. The problem returned the next day.

  • deleted /var/db/crls/crlcache2.db and rebooted. This resolved it for over 24 hours, at which point the issue started again.

  • ran openssl s_client -connect docs.google.com:443 from the command line. It returned no errors, which I think means the problem seems to be limited to browsers and my email client.

  • logged into another account on my computer which has been set up for a while, well before these problems started, and was able to browse in Chrome and Safari without problem to the sites noted above. I have re-checked this from time to time and the other account is still working fine. This seems to indicate it’s something with my user account, but see next item.

  • disabled iCloud Keychain and deleted my login keychain in Keychain Access, so it was recreated on next login. Theoretically this puts it on par with the other user account but my user account is still having the problems.

  • installed Security Update 2020-004 Mojave. Again, the reboot resolved it for a short period of time and then the issue resumed.

Yeah, I’ve seen this happen in person as well on a macOS computer. As you mention, a reboot fixes it. I’m praying that it is happening to Apple employees as well and that it bubbles its way to the top of queue eventually …

Edit: I should mention, the times I’ve seen it happen, it’s affected Amazon CA as well. I think it’s just an OS bug, sadly.

I had this problem (I’m OP of one of the linked threads). I upgraded from High Sierra to Catalina earlier this summer, and have not had this problem since then.

I did an inline upgrade, so any potential “junk” I might’ve had that could interfere, should theoretically still be present. However, it still works, showing that this clearly is a problem with macOS and how it handles CTs (somewhat described here).

I’ve been putting off upgrading to Catalina for a number of reasons (build quality and 32-bit compatibility/the majority of my Steam games going kaput being the primary two) and I’m not sure I’m ready to take that step, especially since I would need to have a working copy of Mojave for playing most games, and my mini only has 256GB of internal storage. But I appreciate knowing it seems to be resolved in Catalina.

The fact it’s happening to somebody on a Windows box, as well, gives me a little more pause about it being purely an OS bug, but I am certainly willing to believe that Apple is at least partially responsible.

I am curious if Safari in Catalina shows you two SCTs for the sites you were previously having problems with–or for any sites, for that matter. I have been looking at various websites in Safari this evening and none of them show two SCTs, not even ones that I am able to access normally while the problem is occurring. I’m wondering if that is demonstrating the problem with Mojave, or if the macOS certificate viewer just never actually shows multiple SCTs.
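
Added example, not part of the original thread: one way to count SCTs without relying on the macOS certificate viewer is to parse the SCT list directly (the RFC 6962 structure that certificates carry in the extension with OID 1.3.6.1.4.1.11129.2.4.2). The sample list, log IDs and signatures below are constructed for illustration, and the helper names are hypothetical.

```python
import struct
from datetime import datetime, timezone

def parse_sct(sct: bytes) -> dict:
    """Parse one RFC 6962 v1 SignedCertificateTimestamp."""
    if len(sct) < 43:  # version(1) + log_id(32) + timestamp(8) + ext_len(2)
        raise ValueError("truncated SCT")
    timestamp_ms, ext_len = struct.unpack_from(">QH", sct, 33)
    pos = 43 + ext_len
    if pos + 4 > len(sct):
        raise ValueError("truncated SCT signature header")
    _hash_alg, _sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if pos + 4 + sig_len != len(sct):
        raise ValueError("SCT signature length mismatch")
    ts = datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc)
    return {"version": sct[0], "log_id": sct[1:33].hex(), "timestamp": ts}

def parse_sct_list(blob: bytes) -> list:
    """Parse an SCT list: 2-byte total length, then length-prefixed SCTs."""
    if len(blob) < 2 or struct.unpack_from(">H", blob)[0] != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack_from(">H", blob, pos)
        sct = blob[pos + 2:pos + 2 + sct_len]
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        scts.append(parse_sct(sct))
        pos += 2 + sct_len
    return scts

def constructed_sct(log_byte: int, ts_ms: int) -> bytes:
    """Build a constructed SCT with a placeholder (invalid) signature."""
    sig = b"\x00" * 8
    body = (bytes([0]) + bytes([log_byte]) * 32 + struct.pack(">QH", ts_ms, 0)
            + struct.pack(">BBH", 4, 3, len(sig)) + sig)
    return struct.pack(">H", len(body)) + body

# Constructed sample: two SCTs from two different (made-up) log IDs.
_scts = constructed_sct(0xAA, 1596758400000) + constructed_sct(0xBB, 1596758460000)
SAMPLE_LIST = struct.pack(">H", len(_scts)) + _scts

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE_LIST):
        print(s["log_id"][:16], s["timestamp"].isoformat())
```

The parser only reads the structure; it does not verify the log signatures, so it answers "how many SCTs, from which logs, issued when" and nothing more.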
