OS X Monterey certs untrusted

The certs installed fine, but they are untrusted. How do I get them to be trusted?

My domain is: j3iss.com

I ran this command:
openssl pkey -in privkey.pem -out j3iss.pem

openssl x509 -outform der -in fullchain.pem -out j3iss_pub.crt

It produced this output:
-rw-r--r-- 1 root admin 1704 Aug 20 09:14 j3iss.pem
-rw-r--r-- 1 root admin 1309 Aug 20 09:28 j3iss_pub.crt

My web server is (include version): Not applicable. This is for mail and DNS. postfix, dovecot, bind9. I used "certbot certonly --standalone" to get the certs.

The operating system my web server runs on is (include version): OS X Monterey 12.5.1

My hosting provider, if applicable, is: None

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0

1 Like

Is this step really necessary? Postfix and Dovecot accept a PEM perfectly. I also doubt that this command will convert all the certificates in fullchain.pem, so I'm guessing your services are only providing the end leaf certificate without an intermediate.

I'm guessing because I can't reach your services from my point of view: nothing is listening on port 25 (with STARTTLS), 143 (with STARTTLS), 993 or 995.

6 Likes

This step:
openssl pkey -in privkey.pem -out j3iss.pem

equals:
cp privkey.pem j3iss.pem

3 Likes

Until I ran that command, they wouldn't import into OS X. FWIW, letsencrypt.org doesn't have any problem sending mail to me. The goal, however, is to move mail from the current server to the new server. I was trying to get the certs set up first.

1 Like

How old is that software?
Did you read the man pages?

3 Likes

It's the current operating system. Last update was a week ago. And yes, I read the docs and related man pages.

1 Like

Is there no way to use the .pem files directly (without conversion)?

4 Likes

Your OS has "ISRG Root X1" in its trust store. See "List of available trusted root certificates in iOS 15.1, iPadOS 15.1, macOS 12.1, tvOS 15.1, and watchOS 8.1" (Apple Support).

What may be happening is that your operating system might not like the default chain, which goes to the expired DST Root CA X3.

Some things that might work:

  1. Find the trust store, copy it, and delete the expired DST X3 root from it. This works for a lot of command-line tools (e.g. git, curl); however, those use an OpenSSL trust store that is not the same as the OS trust store. Also, it is possible that some apps will be referencing the OS trust store (which should be handled by the keychain manager) while others will be referencing the OpenSSL trust store.

  2. Try using the alternate chain. You don't need to get a new certificate, but you need to alter the fullchain file to not use the cross-signed cert to DST, and instead use R3 and ISRG Root X1.

If I understand the problem correctly, those solutions should work. There could be something else going on.

7 Likes
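Option 2 above (trimming the DST-cross-signed ISRG Root X1 out of fullchain.pem so the chain ends at the ISRG Root X1 already in the macOS trust store), together with the earlier remark that openssl x509 only converts the first certificate in the bundle, as an added example in Go. This is not code from the thread or from certbot: because no real certificate appears on the page it builds a constructed, throwaway chain with the same shape as the 2022 Let's Encrypt default chain (leaf, R3, ISRG Root X1 cross-signed by DST Root CA X3) plus a self-signed ISRG Root X1 standing in for the one in the OS trust store. The CA names and j3iss.com are borrowed for realism; the keys are freshly generated and the matching-by-issuer-CN rule is a simplification for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SplitChain parses every CERTIFICATE block in a PEM bundle such as certbot's
// fullchain.pem (openssl x509 reads only the first block, hence a lone leaf).
func SplitChain(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
	return chain, nil
}

// DropIssuedBy removes every certificate issued by issuerCN, keeping the order:
// with "DST Root CA X3", (leaf, R3, ISRG Root X1 cross-signed by DST) becomes (leaf, R3).
func DropIssuedBy(chain []*x509.Certificate, issuerCN string) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range chain {
		if c.Issuer.CommonName != issuerCN {
			out = append(out, c)
		}
	}
	return out
}

// ToPEM re-encodes a chain, in order, as a bundle Postfix and Dovecot load directly.
func ToPEM(chain []*x509.Certificate) []byte {
	var out []byte
	for _, c := range chain {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyWithRoot validates chain[0] via chain[1:] against a trust store holding only root.
func VerifyWithRoot(chain []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AppendCertsFromPEM(ToPEM(chain[1:]))
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the CSPRNG does
	return k
}

// issue signs a throwaway certificate for subject; a nil parent means self-signed.
func issue(subject string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// DemoFullchain builds a CONSTRUCTED chain shaped like the 2022 Let's Encrypt default
// chain plus the self-signed ISRG Root X1 that macOS trusts; no real LE keys are involved.
func DemoFullchain() (fullchain []byte, trustedRoot *x509.Certificate) {
	dstKey, isrgKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	dst := issue("DST Root CA X3", dstKey, nil, nil, true)
	isrgSelf := issue("ISRG Root X1", isrgKey, nil, nil, true)
	isrgCross := issue("ISRG Root X1", isrgKey, dst, dstKey, true) // same key, signed by DST
	r3 := issue("R3", r3Key, isrgCross, isrgKey, true)
	leaf := issue("j3iss.com", leafKey, r3, r3Key, false)
	return ToPEM([]*x509.Certificate{leaf, r3, isrgCross}), isrgSelf
}

func main() {
	full, root := DemoFullchain()
	chain, _ := SplitChain(full)
	short := DropIssuedBy(chain, "DST Root CA X3")
	fmt.Println(len(chain), "certs in fullchain,", len(short), "after trimming; verify error:", VerifyWithRoot(short, root))
}
```

On a real system you would feed SplitChain the bytes of /etc/letsencrypt/live/<domain>/fullchain.pem, write ToPEM's output to wherever Postfix (smtpd_tls_chain_files or smtpd_tls_cert_file) and Dovecot (ssl_cert) already point, and run that from a certbot --deploy-hook so the trimmed chain is regenerated at every renewal. The cleaner fix, if you can reissue, is to let certbot request the short chain directly with --preferred-chain "ISRG Root X1", which removes the need for any post-processing.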

The private key worked once I changed the name. The full chain pem file needed conversion.

1 Like

Can you automate the conversion (and use)?

3 Likes

It's been at least ten years since I did any certificate installation and it wasn't on OS X (in fact it was IRIX and Solaris).

2 Likes
