SSL certificate problem: certificate has expire in macOS

Question

when I using this command to pull code:

➜  rt-analysis-multibranch_zhuolian git:(zhuolian) git pull
fatal: unable to access 'https://gitlab.example.com/development/soa-report-analysis.git/': SSL certificate problem: certificate has expired

I am sure the certificate not expired because on other macOS PC I could pull code from the same url. The server side certificate was generate by Let's Encrypt. The macOS Catalina openssl version is:

➜  ~ openssl version
LibreSSL 2.6.5

I tried to using curl, error like this:

➜  rt-analysis-multibranch_zhuolian git:(zhuolian) curl https://gitlab.example.com/development/soa-report-analysis.git
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

why would this happen? what should I do to fix it? I can access the repo from Google Chrome browser by using the same url.

I finnaly found out that my last time renew the let's encrypt certificate using ISRG Root X1 root certificate by default. the ISRG Root X1 only compatible with macOS 10.12.1. But why the curl command seems to verify the old certificate. why would this happen?

Answer 1

As @rassoh commented (below the accpeted answer), the suggested solution also didn't work for me. After following the steps, curl still complained about an expired certificate. So I used the dtruss utility to show all files opened by curl...

$ sudo dtruss curl https://www.example.com 2>dtruss.out
$ grep open dtruss.out
...
open_nocancel("/usr/local/php5/ssl/openssl.cnf\0", 0x0, 0x1B6)       = 3 0
...
open_nocancel("/Users/babola/.curlrc\0", 0x0, 0x1B6)         = -1 Err#2
...
open("/usr/local/php5/bin/curl\0", 0x8004, 0x6DF212BA)       = 5 0
...
open_nocancel("/usr/local/php5/ssl/cert.pem\0", 0x0, 0x1B6)      = 6 0

Aha! On my particular computer, with my versions of the OS and/or curl, the cert file is in the /usr/local/php5/ssl directory, not in /etc/ssl. Once I copied the cert.pem file to /usr/local/php5/ssl curl stopped complaining about an expired certificate.

Answer 2

See this answer from Ask Different, shamelessly reposted below:

OpenSSL on macOS does not use the system keychain (which makes sense as it's a cross platform library) but rather has its own .pem file containing its root certificates. Even though my systems have a newer version of OpenSSL installed using homebrew and/or MacPorts, the system-wide OpenSSL pem file located at /etc/ssl/cert.pem was out of date and did not include the ISRG Root X1 certificate.

The solution:

1. Rename /etc/ssl/cert.pem to something else. (I suggest /etc/ssl/cert.pem.org)
2. Download the latest cacert.pem from https://curl.se/docs/caextract.html
3. Rename it to cert.pem
4. Copy it to /etc/ssl/cert.pem

Now curl and any other app using OpenSSL can access websites signed using current Let's Encrypt certificates.

Alternatively, the MacPorts package curl-ca-bundle installs a .pem file containing ISRG Root X1 to /opt/local/etc/openssl/cert.pem which can be used as well.

Other possible solutions:

• Manually add the ISRG Root X1 certificate to /etc/ssl/cert.pem
• Configure OpenSSL to use a different .pem file for its root certificates, such as /opt/local/etc/openssl/cert.pem

(Another possible solution is to use curl's -k/--insecure flag.