#42718: certsync fails to verify macports.org certificate
---------------------------+-----------------------
  Reporter:  ryandesign@…  |      Owner:  landonf@…
      Type:  defect        |     Status:  assigned
  Priority:  High          |  Milestone:
 Component:  ports         |    Version:  2.2.1
Resolution:                |   Keywords:
      Port:  certsync      |
---------------------------+-----------------------

Comment (by raimue@…):

 The valid "GlobalSign Root CA" is actually a re-signed certificate with a
 longer lifetime using the same modulus/exponent from the older one that
 expired at the end of January 2014. They both have the '''identical'''
 public key.

 After some more analysis, the curl-ca-bundle only contains the "GlobalSign
 Root CA" certificate that is valid throughout 2028, while certsync includes
 them both in the same bundle. It seems like OpenSSL cannot handle the same
 certificate twice in a bundle.

 ''Side note: I will attach a small perl helper script which I used to split
 the certificate bundle into the original certificates, so they can be
 examined using `openssl x509 -text -noout -in <file>.pem`.''

 With experiments I got it to work when switching the order of the
 certificates, but it's not working again when adding another one. I guess
 it's up to some hash algorithm which one gets used, so a different order is
 not a reliable fix. It seems like the only fix would be to leave out that
 expired certificate...

 I see two solutions:

 ==== Don't export any expired certificate

 Which means using this CA in a chain would be reported as "untrusted"
 instead of "expired". That solves this immediate problem because the older
 "GlobalSign Root CA" certificate is expired now. It might not work in other
 cases.

 This is relatively easy to accomplish as we only need to check the expiry
 date against the current date.

 ==== Only export one valid/non-expired certificate per public key

 This means certsync needs a special case to check for duplicates and decide
 on the one with the later expiry date. Needs a hash/dictionary with the key
 being the public key of the cert and some more checking.

--
Ticket URL: <https://trac.macports.org/ticket/42718#comment:4>
MacPorts <http://www.macports.org/>
Ports system for OS X
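The two options raimue describes (drop expired roots, and keep one certificate per public key, preferring the later expiry), as an added example written for this page rather than certsync's own code. It assumes the `openssl` CLI is on PATH for extracting the public key and `notAfter`; the selection logic itself is pure Python and runs offline.

```python
"""Added example (not certsync's code): dedupe a PEM CA bundle by public key.
Parsing is delegated to the openssl CLI (assumed on PATH); the selection
logic mirrors the two options from the ticket comment and runs offline."""
import hashlib
import re
import subprocess
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


class CertInfo(NamedTuple):
    pem: str
    pubkey_id: str        # SHA-256 of the SubjectPublicKeyInfo PEM: same key => same id
    not_after: datetime   # expiry (UTC)


def split_bundle(bundle: str) -> List[str]:
    """Split a concatenated PEM bundle into individual certificate blocks."""
    return PEM_RE.findall(bundle)


def inspect_cert(pem: str) -> CertInfo:
    """Extract public key and expiry with `openssl x509 -pubkey -enddate`."""
    out = subprocess.run(["openssl", "x509", "-noout", "-pubkey", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True).stdout
    pubkey = out[out.index("-----BEGIN PUBLIC KEY-----"):out.index("-----END PUBLIC KEY-----") + 24]
    end = re.search(r"notAfter=(.+)", out).group(1).strip()   # e.g. "Jan 28 12:00:00 2028 GMT"
    not_after = datetime.strptime(end, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return CertInfo(pem, hashlib.sha256(pubkey.encode()).hexdigest(), not_after)


def select_certs(certs: List[CertInfo], now: datetime, drop_expired: bool = True) -> List[CertInfo]:
    """Keep one cert per public key (latest expiry); optionally drop expired ones first."""
    best: Dict[str, CertInfo] = {}
    for c in certs:
        if drop_expired and c.not_after <= now:
            continue  # option 1: an expired root is left out, so chains show "untrusted"
        cur = best.get(c.pubkey_id)
        if cur is None or c.not_after > cur.not_after:
            best[c.pubkey_id] = c  # option 2: same public key twice -> prefer later expiry
    return list(best.values())


def dedupe_bundle(bundle: str, now: Optional[datetime] = None) -> str:
    """Bundle text in, cleaned bundle text out (calls openssl once per certificate)."""
    now = now or datetime.now(timezone.utc)
    kept = select_certs([inspect_cert(p) for p in split_bundle(bundle)], now)
    return "".join(c.pem + "\n" for c in kept)
```

Run `dedupe_bundle(open("bundle.pem").read())` on a real bundle to see which of the two GlobalSign roots survives; the constructed records in the test below exercise the selection without needing openssl.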