macOS + Safari certificate weirdness

This isn’t directly a Let’s Encrypt issue, but I’m hoping this audience can help me resolve it as it’s obviously deeply related to SSL certificates. (If this is deemed too off-topic, please accept my apologies and let me know.)

On macOS (10.14.6), using Safari (13.1), Safari is telling me that it “can’t establish a secure connection to the server”. But only sometimes:

  • The majority of sites work fine.
  • It works fine after a reboot.
  • Last time it went 27 hours after the reboot before re-occurring. ¯\_(ツ)_/¯

It’s weirder than that:

  • OmniFocus, which establishes an SSL connection to https://sync3.omnigroup.com, also fails.
  • Plenty of other sync services on my Mac do not fail. OF must be using the system certificates?
  • Some sites which use the Let’s Encrypt Authority X3 certificate keep working (e.g. https://coruscade.com).
  • Other sites which use the same certificate chain fail (e.g. https://bum-man.com.au).
  • That last site is actually hosted at https://bumman2020.netlify.com. When accessed via that URL, the certificate is DigiCert SHA2 Secure Server CA and works A-OK.
  • Firefox always works. So how does its certificate behaviour differ from Safari? Does it manage its own, and not use the system keychain?
  • Brave fails but in a really weird way. It tells me that the cert is invalid (NET::ERR_CERT_INVALID) but when I inspect the certificates they’re all valid! Here’s an example of that, using another certificate that fails. (https://theage.com.au is a large newspaper – this site works fine in Firefox.)

  • When this issue occurs, it’s always the same certificates that fail. Repeatable, predictable.
  • I have re-created my keychain. Made no difference – I assume that just deleted my personal stuff but didn’t touch the system root certificates?

I have a question open on StackExchange which has some more detail. This is driving me bananas.

Please someone here tell me how macOS certificate management works, and help me fix this. Thank you.

Yes, I think Firefox uses its own root store unless you configure it not to.

:frowning: ERR_CERT_INVALID is a catch-all, I think. Usually the error code is more specific, and you can click on the error code for more information about the certificate. But I don't think it'll help in this case.

I don't have a solution for you other than to tell you that my sister experienced a similar thing on macOS some weeks ago. Except hers also had problems with some certificates from Amazon CA, until she rebooted her laptop.

e: One idea - on that screenshot, you are showing that the leaf certificate is valid. If you select the intermediate, or the root, do they also have the same "This certificate is valid" text?

Thanks, I’ll go digging around in Firefox and see if I can come up with anything interesting.

Yeah, Brave reports all 3 certificates in that screenshot as valid. Told you this was weird!

Stranger still: if I open a private window in Safari and browse to one of the broken sites, Safari warns me that “this connection is not private” and gives me the chance to “visit this website” as long as I authenticate to confirm that it is safe to do so.

When in a non-private window, I am not given this option. It’s just a flat-out “can’t establish a secure connection”.

If you're referring to your bumman site, it'd be because it's setup with an HSTS header. Browsers will omit the option to bypass the warning screen for HSTS-protected sites (that it's seen before, or are in the HSTS preload list).

When you browse the site in private mode, the HSTS cache isn't used, so the browser lets you through.

Don't think it explains your issue, though.

This recent thread is similar:

In that thread, the issue seemed to be that macOS didn't recognize a newer Certificate Transparency log that should have been supported since early December.

The OP said yesterday that it was fixed after installing a recent update.

1 Like

If it works for OP after a reboot, it might be what made it “work” for me after applying the the update (since it rebooted). I’ll have to wait and see, I guess.

OP, you say all updates are installed, does that also imply the 002 security update from end of March?

1 Like

OK, the issue is back on my Mac now, so it seems we have the same issue, and that it’s solved temporarily by rebooting. The latest security update (https://support.apple.com/en-gb/HT211100) did not solve it.

@jen729w, are you by any chance using Little Snitch?

@jockek Sibling! You have it too. I’m not alone.

I do use Little Snitch, yes. Always have, config hasn’t changed in however long. These servers ping just fine and I’ve tried this with the network filter off, no change.

I recall a recent security update, yes. They pop up I do them as soon as I see them.

Have you and @jockek tried to see if those websites work in safe mode? (e.g. disabled all extensions and other potential softwares). Other networks? Have you submit any reports to Apple Support?

The problem with safe mode is that the issue is fine immediately after a reboot. I’d need to operate in safe mode for ~24h until it occurs, which I can’t afford to do. This is my main work machine.

I have tried other networks, yes. The network is not the issue.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.