#42718: certsync fails to verify macports.org certificate
--------------------------+-----------------------
 Reporter:  ryandesign@…  |      Owner:  landonf@…
     Type:  defect        |     Status:  new
 Priority:  Normal        |  Milestone:
Component:  ports         |    Version:  2.2.1
 Keywords:                |       Port:  certsync
--------------------------+-----------------------
We recently got a new SSL certificate for macports.org, from a different
organization, and certsync fails to verify it; confirmed on multiple
machines and OS X versions:

{{{
$ sudo port -v sync
--->  Updating the ports tree
Synchronizing local ports tree from file:///Users/rschmidt/macports/dports
Updating '/Users/rschmidt/macports/dports':
svn: E230001: Unable to connect to a repository at URL 'https://svn.macports.org/repository/macports/trunk'
svn: E230001: Server SSL certificate verification failed: certificate has expired
Command failed: /opt/local/bin/svn update --non-interactive /Users/rschmidt/macports/dports
Exit code: 1
}}}

{{{
$ curl https://www.macports.org/
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
}}}

{{{
$ openssl s_client -connect www.macports.org:443 -CAfile /opt/local/etc/openssl/cert.pem
CONNECTED(00000004)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=10:certificate has expired
notAfter=Jan 28 12:00:00 2014 GMT
verify return:0
}}}

Using curl-ca-bundle instead of certsync, there is no problem.

Analysis from Rainer:
I see in Keychain there are two certificates named "GlobalSign Root CA", and the one used here expired in January 2014, while the other one would be valid until January 2028. It's certainly using the wrong certificate, but I don't know yet why that happens.
Maybe certsync compares them by name in a dictionary instead of using a unique key identifier and that mixes them up?
--
Ticket URL: <https://trac.macports.org/ticket/42718>
MacPorts <http://www.macports.org/>
Ports system for OS X
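The failure mode Rainer describes (two distinct root certificates that share the subject "GlobalSign Root CA", one expired in January 2014 and one valid until 2028) can be modelled and checked with a short script. The following is an added example, not code from the ticket and not certsync's own implementation: it builds a constructed PEM bundle containing two same-subject roots with dummy keys and signatures (only the subject and validity fields are meaningful; the 1998 notBefore, the Jan 28 2014 notAfter and the 2028 notAfter follow the ticket, the exact 2028 day and the third "Example Root CA" are made up), then shows that a dictionary keyed by subject name keeps whichever certificate was seen last, so the result depends on Keychain enumeration order, while keying by the SHA-1 fingerprint of the DER bytes keeps both. `audit_bundle` is the check a practitioner would run against a real bundle such as `/opt/local/etc/openssl/cert.pem` (pass its contents to `load_bundle`): it reports duplicate subjects and already-expired entries. `AUDIT_DATE` is an assumed date shortly after the old root's expiry.

```python
"""Added example: same-subject CA certificates in a PEM bundle.
Shows why keying a bundle by subject name can silently keep the wrong
(expired) root, and flags duplicate subjects / expired entries.
Certificates are constructed here with dummy keys and signatures."""
import base64
import hashlib
from datetime import datetime

OID_CN = bytes([0x55, 0x04, 0x03])                    # id-at-commonName 2.5.4.3
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1
AUDIT_DATE = datetime(2014, 2, 20)                    # assumed: shortly after the old root expired

# ---- minimal DER encoder, used only to construct the sample bundle ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x80 | number of length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_name(cn):                           # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def der_utctime(dt):                        # UTCTime YYMMDDHHMMSSZ
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def fake_cert(cn, serial, not_before, not_after):
    """X.509 v3 shape with a dummy key and signature (constructed, not verifiable)."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + bytes(16)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + der_name(cn) + der(0x30, der_utctime(not_before) + der_utctime(not_after))
              + der_name(cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(8)))

# ---- minimal DER decoder: enough to read the subject CN and validity ----
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def parse_time(tag, raw):
    s = raw.decode()
    if tag == 0x17:                         # UTCTime: RFC 5280 maps YY >= 50 to 19YY
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")   # GeneralizedTime shape

def parse_cn(name):
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode("utf-8", "replace")
    return None

def parse_cert(der_bytes):
    _, cert, _ = read_tlv(der_bytes)
    fields = children(children(cert)[0][1])           # tbsCertificate
    if fields[0][0] == 0xA0:                          # drop the explicit [0] version
        fields = fields[1:]
    # order: serial, signature alg, issuer, validity, subject, spki, ...
    _, not_after = [parse_time(t, v) for t, v in children(fields[3][1])]
    return {"subject": parse_cn(fields[4][1]), "not_after": not_after,
            "fingerprint": hashlib.sha1(der_bytes).hexdigest()}  # unique per certificate

def der_to_pem(d):
    b64 = base64.b64encode(d).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def load_bundle(pem_text):
    certs, cur = [], None
    for line in pem_text.splitlines():
        if line.strip() == "-----BEGIN CERTIFICATE-----":
            cur = []
        elif line.strip() == "-----END CERTIFICATE-----":
            certs.append(parse_cert(base64.b64decode("".join(cur))))
            cur = None
        elif cur is not None:
            cur.append(line.strip())
    return certs

def collapse_by_name(certs):
    """Model of the suspected behaviour: dict keyed by subject name.
    Two roots with the same subject collapse to whichever is seen last."""
    return {c["subject"]: c for c in certs}

def audit_bundle(pem_text, now):
    """Key by fingerprint instead; report duplicate subjects and expired certs."""
    certs = load_bundle(pem_text)
    by_name = {}
    for c in certs:
        by_name.setdefault(c["subject"], []).append(c)
    return {"certs": len(certs),
            "unique_fingerprints": len({c["fingerprint"] for c in certs}),
            "duplicate_subjects": {n: len(cs) for n, cs in by_name.items() if len(cs) > 1},
            "expired": [c["subject"] for c in certs if c["not_after"] <= now]}

def sample_bundle():
    """Constructed bundle: two 'GlobalSign Root CA' entries plus an unrelated root."""
    old = fake_cert("GlobalSign Root CA", 1, datetime(1998, 9, 1, 12), datetime(2014, 1, 28, 12))
    new = fake_cert("GlobalSign Root CA", 2, datetime(1998, 9, 1, 12), datetime(2028, 1, 28, 12))
    other = fake_cert("Example Root CA", 3, datetime(2010, 1, 1), datetime(2030, 1, 1))
    return "".join(der_to_pem(c) for c in (old, new, other))

if __name__ == "__main__":
    certs = load_bundle(sample_bundle())
    for order in (certs, list(reversed(certs))):
        kept = collapse_by_name(order)["GlobalSign Root CA"]
        print("name-keyed bundle keeps GlobalSign Root CA with notAfter", kept["not_after"])
    print(audit_bundle(sample_bundle(), AUDIT_DATE))
```

Running it prints a 2028 notAfter for one enumeration order and the expired 2014 one for the other, which is exactly the symptom in the ticket: a bundle that happens to carry the old root makes `openssl s_client` and `curl` fail with "certificate has expired" even though a valid root with the same name exists in the Keychain. The audit output lists the duplicated subject and the expired entry, so the same check run against a generated cert.pem would have caught the problem before it reached svn.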