On Mon, Nov 01, 2021 at 06:37:08AM -0400, "Richard L. Hamilton" <rlha...@smart.net> wrote:
> > On Nov 1, 2021, at 03:12, raf <macpo...@raf.org> wrote:
> >
> > On Sat, Oct 30, 2021 at 05:49:11AM -0700, Al Varnell via macports-users
> > <macports-users@lists.macports.org> wrote:
> >
> >> I see that I already have the latest ISRG Root X1 certificate in the
> >> System Roots keychain, so not sure why I would need to add it to my
> >> System keychain.
> >
> > It doesn't sound sensible, does it? I followed those instructions,
> > then added it to System Roots because it hadn't changed anything,
> > only to discover (on 10.6) that only TLSv1.0 was supported by the
> > system-supplied software so things wouldn't work anyway.
> >
> > I still don't understand why /usr/bin/curl isn't working for me on
> > 10.14 but Safari is.
>
> /usr/bin/curl (also?) uses /etc/ssl/cert.pem file. Copy that file to
> /etc/ssl/cert.pem.orig as a backup and look around line 1130 for the
> following:
>
> ### Digital Signature Trust Co.
>
> === /O=Digital Signature Trust Co./CN=DST Root CA X3
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
>     Signature Algorithm: sha1WithRSAEncryption
>         Validity
>             Not Before: Sep 30 21:12:19 2000 GMT
>             Not After : Sep 30 14:01:15 2021 GMT
>         Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Subject Key Identifier:
>                 C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
> SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
> SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
> -----BEGIN CERTIFICATE-----
>
>
> Remove from there (if it is line 1130) to the matching
> -----END CERTIFICATE-----
> line in /etc/ssl/cert.pem (around 1171) and that gets rid of the
> expired X3 cert that doesn't really need to be in the certificate
> chain. After that,
> /opt/local/libexec/mpstats submit
> works for me on 10.14. Still doesn't help with what's presumably the
> TLS problem on older versions (10.6.8 being the only older version I
> have available, so I don't know just what version is the cutoff for
> that problem).

Thanks! That worked on 10.14.

I couldn't find the equivalent cert.pem file for /usr/bin/curl on
10.6.8 (not that the same thing would have worked there anyway), so
I did this instead:

  cd /usr/bin
  mv curl curl.orig
  ln -s /opt/local/bin/curl curl

After that, "/usr/bin/curl https://ports.macports.org" worked but
"/opt/local/libexec/mpstats submit" still fails with the same error.

cheers,
raf
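Added example (not part of the original message and not MacPorts or Apple code): the manual edit described in the quoted reply, generalized to drop every entry of an annotated bundle whose "Not After" date has passed, not only DST Root CA X3. It assumes the bundle uses the "=== subject ... -----END CERTIFICATE-----" layout quoted above and trusts the "Not After" text annotation instead of decoding the certificate; the names drop_expired, expired and SAMPLE_BUNDLE are hypothetical, and it works on a string rather than editing /etc/ssl/cert.pem in place.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the annotated layout quoted from /etc/ssl/cert.pem.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
### Digital Signature Trust Co.
=== /O=Digital Signature Trust Co./CN=DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
### Example Org (constructed)
=== /O=Example Org/CN=Example Root
            Not After : Jan  1 00:00:00 2040 GMT
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""

NOT_AFTER = re.compile(r"Not After\s*:\s*(.+?)\s+GMT")

def expired(entry, now):
    m = NOT_AFTER.search(entry)
    if not m:
        return False                             # no annotation: keep, do not guess
    when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return when.replace(tzinfo=timezone.utc) < now

def drop_expired(bundle, now):
    """Return (filtered bundle, subjects removed). Text outside entries is kept."""
    kept, removed, entry = [], [], None
    for line in bundle.splitlines(keepends=True):
        if entry is None and not line.startswith("=== "):
            kept.append(line)                    # header or stray text: keep
            continue
        entry = [line] if entry is None else entry + [line]
        if line.startswith("-----END CERTIFICATE-----"):
            if expired("".join(entry), now):
                removed.append(entry[0][4:].strip())
            else:
                kept.extend(entry)
            entry = None
    kept.extend(entry or [])                     # unterminated entry: leave as is
    return "".join(kept), removed
```

Run it against a copy of the bundle and diff the result with the original before replacing anything, as the quoted reply does with cert.pem.orig.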